BugTraq
Housecarers.com - XSS & cookie disclosure
Jun 17 2006 04:18AM
luny youfucktard com
Housecarers.com
Homepage:
http://housecarers.com
Affected files:
* Posting a Housesit:
- City/Town box
- County/District box
- Suburb box
- City/Town Area box
* Searching for housesitters
* Sending messages to house sitters.
* Viewing member profiles
----------------------------------------
XSS vuln via posting housesit boxes. For a PoC, in one of the boxes above put:
<script>alert('xss')</script>
Screenshots:
http://www.youfucktard.com/xsp/housecare1.jpg
http://www.youfucktard.com/xsp/housecare2.jpg
((When viewing a member's profile, this XSS example occurs as well))
-------------------------------------
XSS vuln when searching for house sitters. Same PoC as above, in the input boxes put:
<script>alert('xss')</script>
Screenshots:
http://www.youfucktard.com/xsp/housecare3.jpg
http://www.youfucktard.com/xsp/housecare4.jpg
-----------------------------------
XSS vuln with cfm token disclosure when sending msgs to members:
For a PoC in any input box, as the screenshots show, try putting:
<script>alert(document.cookie)</script>
Screenshots:
http://www.youfucktard.com/xsp/housecare5.jpg
http://www.youfucktard.com/xsp/housecare6.jpg
----------------------------------
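
Added example, not part of the original post and not the site's own code: a sketch of the two server-side fixes that address what the post reports, encoding the listing fields at output time and marking the session cookie HttpOnly so that document.cookie cannot read it. The function names are hypothetical, the sample listing is constructed, and the cookie name CFTOKEN is an assumption based on the post's mention of a cfm token.

```javascript
// Added example: output encoding for the listing fields named in the advisory,
// plus an HttpOnly session cookie. All function names are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Field labels taken from the advisory's "Posting a Housesit" list.
const LISTING_FIELDS = ['City/Town', 'County/District', 'Suburb', 'City/Town Area'];

// Render a stored listing; every user-supplied value is encoded at output time,
// so the same function serves the listing page, search results and profile views.
function renderListing(listing) {
  const rows = LISTING_FIELDS.map((label) =>
    `<tr><th>${escapeHtml(label)}</th><td>${escapeHtml(listing[label])}</td></tr>`);
  return `<table>\n${rows.join('\n')}\n</table>`;
}

// Build a Set-Cookie header value for a session token. HttpOnly keeps the token
// out of document.cookie, so a script that does run cannot read it.
function sessionCookieHeader(name, token) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || !/^[A-Za-z0-9_-]+$/.test(token)) {
    throw new Error('cookie name and token must be plain tokens');
  }
  return `${name}=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: the advisory's PoC string in one field.
const sample = {
  'City/Town': "<script>alert('xss')</script>",
  'County/District': 'Kent',
  'Suburb': 'O"Brien & Sons',
  'City/Town Area': undefined,
};

console.log(renderListing(sample));
console.log(sessionCookieHeader('CFTOKEN', 'constructed-sample-value'));
```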