Open Source and information security mailing list archives
 
Message-ID: <20060617041827.18493.qmail@securityfocus.com>
Date: 17 Jun 2006 04:18:27 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: Housecarers.com - XSS & cookie disclosure


Housecarers.com

Homepage:
http://housecarers.com

Affected files:

* Posting a Housesit:

- City/Town  box
- County/District box
- Suburb box
- City/Town Area box

* Searching for housesitters

* Sending messages to house sitters. 

* Viewing member profiles
----------------------------------------

XSS vuln via posting housesit boxes. For a PoC, in one of the boxes above put:
<script>alert('xss')</script>


Screenshots:
http://www.youfucktard.com/xsp/housecare1.jpg
http://www.youfucktard.com/xsp/housecare2.jpg

((When viewing a member's profile, this XSS example occurs as well))
-------------------------------------

XSS vuln when searching for house sitters. Same PoC as above, in the input boxes put:

<script>alert('xss')</script>

Screenshots:
http://www.youfucktard.com/xsp/housecare3.jpg
http://www.youfucktard.com/xsp/housecare4.jpg

-----------------------------------

XSS vuln with cfm token disclosure when sending msgs to members:

For a PoC in any input box, as the screenshots show, try putting:
<script>alert(document.cookie)</script>

Screenshots:
http://www.youfucktard.com/xsp/housecare5.jpg
http://www.youfucktard.com/xsp/housecare6.jpg

----------------------------------
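
A defensive counterpart to the findings above, as an added example that is not part of the original post or the site's own code: it HTML-encodes the listing fields at output time and marks the session cookie HttpOnly so page script cannot read it. The field names, the `CFTOKEN` cookie name (the standard ColdFusion one, assumed here) and the sample values are assumptions.

```javascript
// Added example: output encoding for echoed form fields plus an HttpOnly session cookie.

// Characters that can change the HTML parsing context, mapped to entities.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical field names modelled on the boxes listed in the post.
const LISTING_FIELDS = ['cityTown', 'countyDistrict', 'suburb', 'cityTownArea'];

// Render a listing (the same values a profile or search-result page echoes),
// encoding every user-supplied value at the point of output.
function renderListing(listing) {
  const rows = LISTING_FIELDS.map((name) => {
    const raw = listing[name] == null ? '' : listing[name];
    return `  <dd class="${escapeHtml(name)}">${escapeHtml(raw)}</dd>`;
  });
  return `<dl>\n${rows.join('\n')}\n</dl>`;
}

// Build a Set-Cookie header value for a session token. HttpOnly keeps the
// cookie out of document.cookie; the allow-list blocks header injection.
function sessionCookie(name, token) {
  const safe = /^[A-Za-z0-9_-]+$/;
  if (!safe.test(name) || !safe.test(token)) {
    throw new Error('cookie name/token contains unexpected characters');
  }
  return `${name}=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input reusing the two test strings quoted in the post.
const sample = {
  cityTown: "<script>alert('xss')</script>",
  countyDistrict: '<script>alert(document.cookie)</script>',
  suburb: 'Northside',
  cityTownArea: 'A & B "central"',
};

console.log(renderListing(sample));
console.log(sessionCookie('CFTOKEN', 'constructed-token-123'));
```

Encoding belongs at every place the values are written back into a page (listing, search results, profile view, message form), not only where they are first submitted.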

