ZDF fixes some XSS holes

The ZDF is one of the public service broadcasting authorities in germany. Since 2001 it has been broadcasting his shows over the internet. We took a look at their website and discovered some vulnerabilites.

The media center offers a video-on-demand service, which does not only contain the main video, but also from ZDFinfo, ZDFneo, ZDFkultur. These subchannels can be reached via their own subdomains. There were some reflected XSS vulnerabilites on the tivi.zdf.de website and on the quiz’ website. In both cases the affected parameters were not sanitized correctly and their value was embedded in the website’s html markup.

We contacted the webmaster via email on the 10th of june 2012. Unfortunaly, we did not receive any answer and the vulnerabilites were still exploitable after 5 days. After that we gave them a ring and we were told, that the IT department is empty, because everybody was enjoying his holidays. The polite callee told us an email address to which we should forward the necessary information. One week later, we had a friendly email in our in-box, which stated that the mentioned vulnerabilites have been fixed.

We would like to thank the ZDFs IT department for the cooperative handling. Sometimes it’s hard to get in contact with the right person. Mostly the message has to pass some departments, until it reaches the right person.

The team of internetwache.org


Screenshot of the Cross Site Scripting vulnerability

Screenshot of the XSS