| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 22 Nov 2007 17:26:30 -0000 From: DoZ@...kersCenter.com To: bugtraq@...urityfocus.com Subject: MySpace Scripts - Poll Creator JavaScript Injection Vulnerability [HSC]MySpace Scripts - Poll Creator JavaScript Injection Vulnerability Our MySpace Poll Creator script is the ultimate addition to your MySpace resource site. The script enables your user to quickly and easily create a poll that they can post to profile or bulletin to all their friends. Everyone loves to create a poll and gather opinions and this isn't something that's available on every other MySpace resource site. Hackers Center Security Group (http://www.hackerscenter.com) Credit: Doz Risk: Medium Class: Input Validation Error Vendor: http://www.m2scripts.com Product: MySpace Scripts - Poll Creator * Attackers can exploit these issues via a web client. Cross-Site Scripting: http://www.victim.com/poll/index.php/XSS Example of Advance Exploitation of the Application: Once we have found that the application is vulnerable to JavaScript Injection we see that there is a form that will be our source of input to alter page source code the Files. Now we can advance this type of attack by injecting an evil script trough /poll/index.php?action=create_new. Now we can inject any code into the Raw From Box and submit. This will leave a persistent Code on the Server side. Example: http://www.victim.com/poll/index.php?action=create_new Only becoming a Ethical Hacker, you can stop a Hacker. Learn with out having to pay thousands!- http://kit.hackerscenter.com - The most comprehensive security pack you will ever find on the net!
Powered by blists - more mailing lists