MySpace Scripts - Poll Creator JavaScript Injection Vulnerability

2007.11.24
Credit: Doz
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-6136
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

[HSC]MySpace Scripts - Poll Creator JavaScript Injection Vulnerability Our MySpace Poll Creator script is the ultimate addition to your MySpace resource site. The script enables your user to quickly and easily create a poll that they can post to profile or bulletin to all their friends. Everyone loves to create a poll and gather opinions and this isn't something that's available on every other MySpace resource site. Hackers Center Security Group (http://www.hackerscenter.com) Credit: Doz Risk: Medium Class: Input Validation Error Vendor: http://www.m2scripts.com Product: MySpace Scripts - Poll Creator * Attackers can exploit these issues via a web client. Cross-Site Scripting: http://www.victim.com/poll/index.php/XSS Example of Advance Exploitation of the Application: Once we have found that the application is vulnerable to JavaScript Injection we see that there is a form that will be our source of input to alter page source code the Files. Now we can advance this type of attack by injecting an evil script trough /poll/index.php?action=create_new. Now we can inject any code into the Raw From Box and submit. This will leave a persistent Code on the Server side. Example: http://www.victim.com/poll/index.php?action=create_new


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top