Xtremescripts Topsites v1.1

Homepage:
http://www.xtremescripts.com/topsites.php

Description:

Xtreme Topsites is a popular topsite PHP script for websites, at the moment most commonly used across anime websites. The topsite counts hits/clicks in and hits out and ranks sites by total hits, so the site with the most hits is number 1.

Affected files:
stats.php
join.php
lostid.php

Exploit:
stats.php renders embedded objects taken from request input, which allows XSS.

example:

http://www.example.com/xtremets/stats.php?id=1 pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="0" height="0">

lostid.php does not properly sanitize or filter input data, which allows XSS.

example:

put in box:

Input data on join.php isn't sanitized and can cause MySQL errors if users submit malicious data.

example:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'hi'','9cdfb439c7876e703e307864c9167a15','0','19052006','-')' at line 2
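Added illustration, not code from Xtremescripts Topsites: the unescaped-reflection pattern behind the stats.php and lostid.php XSS and the string-built-SQL pattern behind the join.php error, each beside a hardened form. The `sites` table, its columns and the `$pdo` connection are assumptions.

```php
<?php
// Added illustration, not code from Xtremescripts Topsites. Table/column
// names and the $pdo connection are assumptions.

// --- Pattern behind the stats.php / lostid.php XSS ------------------------
// Vulnerable: the request parameter goes straight into HTML, so any markup
// the client supplies (an <embed> tag, for instance) is rendered by the browser.
function render_stats_vulnerable(array $get): string {
    return '<a href="stats.php?id=' . $get['id'] . '">Site stats</a>';
}

// Hardened: validate the id as a positive integer and HTML-encode whatever is
// echoed (redundant for an integer, but the rule for every echoed value).
function render_stats_fixed(array $get): string {
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return 'Invalid site id.';
    }
    $safe = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="stats.php?id=' . $safe . '">Site stats</a>';
}

// --- Pattern behind the join.php MySQL error ------------------------------
// Vulnerable: string concatenation lets a stray quote in a field reach the SQL
// parser, which is exactly what produces the "error in your SQL syntax" output.
function register_site_vulnerable(PDO $pdo, array $post): bool {
    $sql = "INSERT INTO sites (name, url) VALUES ('" . $post['name'] . "', '"
         . $post['url'] . "')";
    return $pdo->exec($sql) !== false;
}

// Hardened: a prepared statement keeps user data out of the SQL text, and any
// database error is logged server-side rather than echoed to the visitor.
function register_site_fixed(PDO $pdo, array $post): bool {
    $name = trim($post['name'] ?? '');
    $url  = filter_var($post['url'] ?? '', FILTER_VALIDATE_URL);
    if ($name === '' || $url === false) {
        return false;
    }
    try {
        $stmt = $pdo->prepare('INSERT INTO sites (name, url) VALUES (:name, :url)');
        return $stmt->execute([':name' => $name, ':url' => $url]);
    } catch (PDOException $e) {
        error_log('join.php insert failed: ' . $e->getMessage());
        return false;
    }
}
```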