"<i>2011-09-08 storechat.apple.com<p>A cross-site scripting issue was addressed. We would like to acknowledge "some stupid nerd" for reporting this issue.</i>"<p>Made me smile.
"Compared to other companies Apple has a lot of deprecated (?) legacy applications running. It looks like a mingle-mangle of different programming languages, application servers, domains or hostnames and independently running services - with a lot of bugs."<p>Nearly every large corporation is similar in this regard.
Apple's credit page for people who have reported potential security vulnerabilities: <a href="http://support.apple.com/kb/ht1318" rel="nofollow">http://support.apple.com/kb/ht1318</a>
Since he doesn't show the full URL in most of the images it's not possible to say for sure, but many of them appear to be a later stage in a multi-step process (registration, verifying email) to which you couldn't direct someone you wished to exploit.<p>If you have to enter bogus form input and make it to step 3, then while it technically is still XSS, it's not useful as an attack vector.<p>The others where an arbitrary user can be exploited by following a simple link (think I saw 2-3 of these) are real. CSRF protection won't help you there, since once I have JS running on your page I can insert iFrames or use XMLHTTP and read the CSRF tokens myself.
Can anyone explain what I'm actually supposed to see here? Screenshots of some directory names dont really mean anything unless you already understand what they mean
A page that lets you run arbitrary JavaScript in your own browser is not automatically vulnerable . For it to be a vulnerability you must be able to run arbitrary JavaScript in someone else's browser. If these pages protect against CSRF, most of them aren't vulnerable, expresslane being one case where I think you could get the JS to someone else without CSRF.