Linkbucks.com is a well-known advertising network that brings web users, websites and marketers together. An XSS vulnerability was found in its Default.aspx page: script can be injected through the Message and Returnurl parameters. An attacker can exploit this by injecting arbitrary HTML and script code, which then executes in the victim's browser session in the context of the Linkbucks site. Unvalidated redirection and forwarding (an open redirect) is also possible through the same page.
Vulnerable URL: http://www.linkbucks.com/Default.aspx?
Tested with: Firefox 3.5 and Internet Explorer 7 on Windows XP SP3
A simple "alert("You are hACked by w01f")" script was injected into the Default page. It executed and was displayed by the web browser, so arbitrary malicious script can be run the same way.
Below is a video demonstration of exploiting the vulnerability through the redirection; in the demo it redirects to my blog. An attacker could instead redirect victims to a spoofed Linkbucks site carrying malicious code.
The Message and ReturnURL parameters need to be properly sanitized on the page shown after a user logs out: the message must be HTML-encoded before it is written into the page, and the redirect target must be restricted to the site's own pages. The Linkbucks support team was contacted about the vulnerability; the support ticket is "#KHT-97974-227", but so far no fix has been made.
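To make the fix concrete, here is an added example (my own illustration, not Linkbucks' code, which is ASP.NET and not public) of the two defects and their repair in a minimal Python rendering function. It assumes the parameter names Message and ReturnUrl from the write-up, a constructed payload and a constructed attacker URL, and a logout page that shows the message and then refreshes to the return URL. It goes slightly beyond the post by also rejecting protocol-relative (//host), backslash (/\host) and whitespace-smuggled redirect targets, which the same open-redirect check has to cover in practice. HttpUtility.HtmlEncode is the ASP.NET equivalent of html.escape here.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs standing in for the Message and ReturnUrl
# query-string parameters of Default.aspx (names taken from the write-up).
XSS_MESSAGE = '<script>alert("You are hACked by w01f")</script>'
EXTERNAL_URL = "http://attacker.example/spoofed-linkbucks/"  # hypothetical attacker host


def render_logout_vulnerable(message: str, return_url: str) -> str:
    """Reflects both parameters verbatim: the pattern the write-up describes.

    The message lands in the page as raw HTML (reflected XSS) and the
    return URL is used as a redirect target without any check (open redirect).
    """
    return (
        f'<p class="msg">{message}</p>'
        f'<meta http-equiv="refresh" content="3;url={return_url}">'
    )


def safe_return_url(return_url: str, default: str = "/") -> str:
    """Accept only a same-origin, path-only target; anything else falls back to `default`.

    Checked cases: absolute URLs (any scheme, including javascript:),
    protocol-relative //host, the browser-equivalent /\\host, relative
    paths, and whitespace/control characters that browsers strip before parsing.
    """
    if not return_url:
        return default
    # Drop non-printable characters first: "/\t/evil" becomes "//evil" in a browser.
    cleaned = "".join(ch for ch in return_url if ch.isprintable()).strip()
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return default  # absolute or protocol-relative URL leaves the site
    if not parts.path.startswith("/") or parts.path.startswith(("//", "/\\")):
        return default  # relative paths and //host or /\host forms are rejected
    return cleaned


def render_logout_hardened(message: str, return_url: str) -> str:
    """Same page, with output encoding and a restricted redirect target."""
    safe_msg = html.escape(message, quote=True)
    target = html.escape(safe_return_url(return_url), quote=True)
    return (
        f'<p class="msg">{safe_msg}</p>'
        f'<meta http-equiv="refresh" content="3;url={target}">'
    )


if __name__ == "__main__":
    print("vulnerable:", render_logout_vulnerable(XSS_MESSAGE, EXTERNAL_URL))
    print("hardened:  ", render_logout_hardened(XSS_MESSAGE, EXTERNAL_URL))
```

The redirect check deliberately allows only paths on the current origin rather than matching a hostname allow-list: host matching is where most open-redirect fixes go wrong (prefix matches such as linkbucks.com.attacker.example, userinfo tricks such as www.linkbucks.com@attacker.example), and the logout flow never needs to send users off-site.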