
Housecarers.com - XSS & cookie disclosure

Housecarers.com

Homepage:
http://housecarers.com

Affected files:

* Posting a Housesit:

- City/Town box
- County/District box
- Suburb box
- City/Town Area box

* Searching for housesitters

* Sending messages to house sitters.

* Viewing member profiles
----------------------------------------

XSS vuln via posting housesit boxes. For a PoC, in one of the boxes above put:



Screenshots:
http://www.youfucktard.com/xsp/housecare1.jpg
http://www.youfucktard.com/xsp/housecare2.jpg

(When viewing a member's profile, this XSS example occurs as well.)
-------------------------------------

XSS vuln when searching for house sitters. Same PoC as above, in the input boxes put:



Screenshots:
http://www.youfucktard.com/xsp/housecare3.jpg
http://www.youfucktard.com/xsp/housecare4.jpg

-----------------------------------

XSS vuln with cfm token disclosure when sending msgs to members:

For a PoC in any input box, as the screenshots show, try putting:


Screenshots:
http://www.youfucktard.com/xsp/housecare5.jpg
http://www.youfucktard.com/xsp/housecare6.jpg

----------------------------------
