Freelancers Marketplace Script Cross Site Scripting

2010-07-18T00:00:00
ID PACKETSTORM:91943
Type packetstorm
Reporter Sid3 effects
Modified 2010-07-18T00:00:00

Description

                                        
                                            `Name : Freelancers Marketplace Script Persistent XSS Vulnerability  
Date : july 17,2010  
Critical Level : HIGH  
vendor URL :http://www.guruscript.com/  
google dork:Powered by Guruscript.com  
Author : Sid3^effects aKa HaRi  
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_,SeeMe,RoadKiller  
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz  
#######################################################################################################  
Description:  
Freelancers Marketplace Script is an Extensive and Powerful script written in PHP and Ajax to launch your own Freelancers website. Create your own global talent search marketplace with this script. Service seekers can post their requirements through this script and the service providers can place their bids for doing the job. Highly configurable features and fully customizable colors, styles, fonts and graphics make this script very very special.  
#######################################################################################################  
Xploit: Persistent XSS Vulnerability  
  
Step 1 : Register as a user.  
  
Step 2 : Now go and post your project  
DEMO URL :http://site.com/post_project.php  
  
Step 3 : The attacker can insert xss scripts in the "title" and the "describe project" area.  
  
Attack Pattern : ">><marquee><h1>XSS3d By Sid3^effects</h1><marquee>  
  
Step 4 : Now check the main sites for the projects and you may find your script ;)  
DEMO URL : http://site.com/all_projects.php  
  
DEMO URL :http://site.com/project_3_marqueeh1xss3d-by-sid3effectsh1marque.html  
  
#######################################################################################################  
# 0day no more  
# Sid3^effects  
  
`