Videoworld fixes a persistent cross-site scripting issue

While looking for some videos we came across the video store at videoworld.de. Only two seconds later, while typing into the search field, we discovered a cross-site scripting issue.

A closer look at the implementation of the search functionality indicated that all resulting HTML pages are stored on the server, identified by a unique token in the URL.

This behaviour allows an attacker to first create a manipulated search page and then send the resulting link to a victim. When the victim visits the website, the XSS is triggered and the attacker has full control over the page.
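To illustrate why storing rendered result pages under a token makes a search-field XSS persistent, here is an added example that is not videoworld.de's code. The in-memory store, the template and all function names are assumptions, and the post does not say how the site actually fixed the issue; the sketch compares unencoded rendering with HTML-encoding the search term before the page is stored.

```python
import html
import secrets
from html.parser import HTMLParser

# Hypothetical in-memory stand-in for the server-side store of result pages.
_PAGES = {}
TEMPLATE = "<html><body><h1>Results for: {query}</h1><ul>{items}</ul></body></html>"
TEMPLATE_TAGS = {"html", "body", "h1", "ul", "li"}


def _render(query, titles, encode):
    # html.escape turns < > & " ' into entities, so input stays text.
    enc = html.escape if encode else (lambda s: s)
    items = "".join("<li>{}</li>".format(enc(t)) for t in titles)
    return TEMPLATE.format(query=enc(query), items=items)


def store_search_page(query, titles, encode=True):
    """Render a result page, persist it, return the token used in the URL."""
    token = secrets.token_urlsafe(16)
    _PAGES[token] = _render(query, titles, encode)
    return token


def fetch_page(token):
    """The stored HTML every visitor of the tokenised link receives."""
    return _PAGES[token]


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def unexpected_tags(page):
    """Elements in a stored page that the template itself never emits."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags - TEMPLATE_TAGS


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed sample input
    for encode in (False, True):
        token = store_search_page(probe, ["Some film"], encode=encode)
        print(encode, token, unexpected_tags(fetch_page(token)))
```

The same `unexpected_tags` check can be run over pages that are already stored to find ones rendered before encoding was introduced.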

We sent an email to the webmaster on 1 June 2012, but did not receive any response within 5 days. We did not want to give up too quickly, so we decided to call the website's operator. This was the right way to go, because they explained to us that the webmaster's email address receives heavy spam, and they offered us the email address of the main developer of the website.

After we sent the first email to the main developer, the issue was fixed the same day, and they reassured us that our project “is necessary and very meaningful” (translated into English).

We want to thank the developer for quickly fixing the XSS issue and for his feedback on our project.

The team of Internetwache.org