| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 17 Jun 2006 04:18:27 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: Housecarers.com - XSS & cookie disclosure
Housecarers.com
Homepage:
http://housecarers.com
Affected files:
* Posting a Housesit:
- City/Town box
- County/District box
- Suburb box
- City/Town Area box
* Searching for housesitters
* Sending messages to house sitters.
* Viewing member profiles
----------------------------------------
XSS vuln via posting housesit boxes. For a PoC, in one of the boxes above put:
<script>alert('xss')</script>
Screenshots:
http://www.youfucktard.com/xsp/housecare1.jpg
http://www.youfucktard.com/xsp/housecare2.jpg
((When viewing a members profile, this XSS example occurs as well))
-------------------------------------
XSS vuln when searching for house sitters. Same PoC as above, in the input boxes put:
<script>alert('xss')</script>
Screenshots:
http://www.youfucktard.com/xsp/housecare3.jpg
http://www.youfucktard.com/xsp/housecare4.jpg
-----------------------------------
XSS vuln with cfm token disclosure when sending msgs to members:
For a PoC in any input box, as the screenshots show, try putting:
<script>alert(document.cookie)</script>
Screenshots:
http://www.youfucktard.com/xsp/housecare5.jpg
http://www.youfucktard.com/xsp/housecare6.jpg
----------------------------------
Powered by blists - more mailing lists