<<< Date Index >>>     <<< Thread Index >>>

Destiney Rated Images Script v0.5.0 - XSS Vulnv



Destiney Rated Images Script v0.5.0

Homepage:

http://destiney.com/scripts

Description:

Destiney Rated Images script is continuation of the free phpRated script. Rated 
Images is a web application written in 

PHP for use with MySQL. Rated Images allows visitors to your site to list their 
pictures and have them rated by other members who may visit. Rated Images 
allows visitors to send other members private messages, as well as 
leavecomments. Members may rate other members on a scale of 1-10. Members may 
also participate in the mix/match section. Viewing and reviewing members can be 
accomplished a number of ways, and many options are available to encourage 
member interaction.

Effected Files:
addWeblog.php
leaveCommentReply.php
stats.php

------

stats.php Exploit:

SQL Injection of stats.php leads to full path disclosures.

Example:
http://www.example.com/stats.php?s=SELECT SUM( rating )FROM ds_image_ratings 
WHERE created ='x'


Notice: Undefined variable: scriptName in 
/home/destiney/domains/ratedsite.com/public_html/stats.php on line 624

Notice: Undefined variable: alt in 
/home/destiney/domains/ratedsite.com/public_html/stats.php(640) : eval()'d code 
on line 4

Notice: Undefined variable: desc in 
/home/destiney/domains/ratedsite.com/public_html/stats.php(640) : eval()'d code 
on line 8

-----

addWeblog.php Exploit: 

The input box for addweblog.php and leaveComments.php allows ceritan HTML tags 
include the <div> tag.

The comment reply input boxes not allow ceritan html tags, one being the <div> 
tag A user can add java script to the div tag and commit a XSS.