AOH :: HP Unsorted B :: TB13125.HTM

Bosdev Multiple vulnerabilities



Bosdev Multiple vulnerabilities
Bosdev Multiple vulnerabilities



BosMarket Business Directory System
http://www.bosdev.com

BosMarket Multiple XSS vulnerabilities

BosMarket is a craigslist like application that attempts to let users
refer other small businesses. The problem is that when you post listings,
its a a no holds barred kind of deal. Firstly, One can place XSS code into
their user info. Just email the admin claiming your account details are
screwy, and wham, easy access. The next vulnerability is within posts
themselves. Once again, XSS code is not filtered.

BosNews v4 XSS

Then there is BosNews. The program allows for anonymous people to post news
There us a form of BB code in use, but that doesnt stop the fact that script
tags can be used as well. Its cookie based auth, so cookie theft is a snap,
among other things people do with XSS.

I emailed the guys at bosdev and am awaiting a response. Have fun.


BosNews v4, v5 Install.php auth override.

Using BosNews, we can install over the old installation without
a username or password. It actually overwrites the old one. If you have the
database info, it will even let you create a new admin username / password.


I emailed the guys at bosdev and am awaiting a response. Have fun.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.