TUCoPS :: Web :: Specific Sites :: b06-2922.htm

Wireclub.com - XSS & cookie disclosure
Wireclub.com

Homepage:
http://www.wireclub.com

Affected files:
input boxes of the profile editor

XSS vuln with a trivially bypassed input filter:

We notice that when trying to put a URL in the "Open line about yourself" input box, we get the message "no urls allowed", as well as "the field cannot contain profanity" (since I'm using youfucktard). One way to bypass this is to change the whole URL to decimal values (HTML decimal character references, e.g. &#104; for "h"), or just parts of it, i.e. "http://" or the ending of it, as well as part of the word "fuck". The filter matches on the raw submitted text, while the browser decodes the references when the profile is displayed, so the viewer sees the original URL.

PoC:
http://youfucktard.com

Screenshots:
http://www.youfucktard.com/xsp/wire1.jpg
http://www.youfucktard.com/xsp/wire2.jpg
http://www.youfucktard.com/xsp/wire3.jpg

XSS vuln in the same edit box, this time writing the cookie on screen:
[img src="javascript:document.write(document.cookie)"]

Screenshots:
http://www.youfucktard.com/xsp/wire4.jpg
http://www.youfucktard.com/xsp/wire5.jpg
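As an added illustration (not part of the original advisory and not Wireclub's code), the following Python models the two flaws described above and a hardened counterpart for each: a blacklist run on the raw field that decimal character references walk straight past, and an [img] src copied into the page without any scheme check. The word list, the regular expressions, the field syntax and all function names are constructed assumptions for the demonstration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed stand-in for the profile-field filter the advisory describes:
# a blacklist run on the raw submitted string, before any entity decoding.
BANNED_WORDS = ("fuck",)           # assumed profanity list, illustrative only
URL_RE = re.compile(r"https?://", re.IGNORECASE)
IMG_RE = re.compile(r'\[img src="([^"]*)"\]', re.IGNORECASE)


def naive_filter(raw: str) -> bool:
    """Flawed check: True if RAW passes. It inspects the text exactly as
    submitted, so '&#104;&#116;&#116;&#112;' never matches 'http'."""
    if URL_RE.search(raw):
        return False
    lowered = raw.lower()
    return not any(word in lowered for word in BANNED_WORDS)


def to_decimal_ncrs(text: str) -> str:
    """Rewrite every character as an HTML decimal numeric character
    reference ('h' -> '&#104;'). Browsers decode these back on render."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def browser_view(stored: str) -> str:
    """What the viewer's browser renders: the field is emitted as raw HTML,
    so numeric references collapse back into the original characters."""
    return html.unescape(stored)


def naive_render_img(field: str) -> str:
    """Flawed [img] handling: the src value is copied into an <img> tag
    untouched, so a javascript: URI reaches the viewer's browser."""
    return IMG_RE.sub(lambda m: f'<img src="{m.group(1)}">', field)


def hardened_filter(raw: str) -> bool:
    """Canonicalise first, then check: decode entities until the text is
    stable (bounded, to survive double encoding) and run the blacklist on
    the decoded form, i.e. on what the browser would actually show."""
    decoded = raw
    for _ in range(3):
        nxt = html.unescape(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if URL_RE.search(decoded):
        return False
    lowered = decoded.lower()
    return not any(word in lowered for word in BANNED_WORDS)


def hardened_render_img(field: str) -> str:
    """Allowlist the src scheme (http/https with a host only) and
    HTML-escape all surrounding text, so no user-supplied characters are
    ever emitted as markup. Disallowed images are dropped entirely."""
    out = []
    parts = IMG_RE.split(field)          # [text, src, text, src, ..., text]
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out.append(html.escape(part, quote=True))
            continue
        src = html.unescape(part).strip()   # decode before deciding
        u = urlsplit(src)
        if u.scheme.lower() in ("http", "https") and u.netloc:
            out.append(f'<img src="{html.escape(src, quote=True)}">')
    return "".join(out)


if __name__ == "__main__":
    plain = "http://youfucktard.com"
    encoded = to_decimal_ncrs(plain)
    print("plain passes naive filter:  ", naive_filter(plain))      # False
    print("encoded passes naive filter:", naive_filter(encoded))    # True
    print("browser shows:              ", browser_view(encoded))    # the URL
    print("encoded passes hardened:    ", hardened_filter(encoded)) # False
    img = '[img src="javascript:document.write(document.cookie)"]'
    print("naive img:   ", naive_render_img(img))
    print("hardened img:", repr(hardened_render_img(img)))          # ''
```

The partial-encoding variant the advisory mentions (only "http://" or only part of "fuck" encoded) defeats the naive filter for the same reason: each check runs on bytes the browser has not yet decoded, so canonicalising before matching, rather than extending the blacklist, is the fix.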