Xtremescripts Topsites v1.1

2006.05.25
Risk: Low
Local: No
Remote: Yes
CWE: N/A

Xtremescripts Topsites v1.1 Homepage: http://www.xtremescripts.com/topsites.php Description: Xtreme Topsites is a popular topsite PHP script for websites. Most commonly used across anime websites at the moment. The topsite will count hits/clicks in and hits out and will rank them on total hits so that the site with the most hits will be number 1. Effected files: stats.php join.php lostid.php Exploit: stats.php allows embedded objects which in turn can cause a XSS. example: http://www.example.com/xtremets/stats.php?id=1 <embed allowScriptAccess="never"src="harmfulflash.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width=" 0" height="0"></embed> lostid.php input data isn't properally sanatized & filtered which allows for XSS example: put in box: <script>alert('hi')</script> Input data on join.php isn't sanatized and can create mysql errors if users input malicious data. example: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'hi'','9cdfb439c7876e703e307864c9167a15','0','19052006','-')' at line 2


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top