Wireclub.com - XSS & cookie disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Wireclub.com - XSS & cookie disclosure
From: luny@xxxxxxxxxxxxxxx
Date: 12 Jun 2006 05:00:54 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Wireclub.com

Homepage:
http://www.wireclub.com

Effected files:
input boxes of editing a profile

XSS Vuln with no filter evasion at all:

<IMG SRC=javascript:alert('XSS')>

We notice that when trying to put a url in the Open line about yourself input 
box, we get the msg "no urls allowed" as well as "the field cannot contain 
profanity (since i'm using youfucktard), One way to bypass this msg is change 
the whole url to decimal value. or just parts of it; ie: http:// or the ending 
of it, as well as part of the word "fuck"

PoC:
&#104&#116&#116&#112&#58&#47&#47you&#102ucktard&#46&#99&#111&#109


Screenshots:
http://www.youfucktard.com/xsp/wire1.jpg
http://www.youfucktard.com/xsp/wire2.jpg
http://www.youfucktard.com/xsp/wire3.jpg

XSS Vuln in same edit box, this time writing the cookie on screen:
[img src="javascript:document.write(document.cookie)"]

Screenshots:
http://www.youfucktard.com/xsp/wire4.jpg
http://www.youfucktard.com/xsp/wire5.jpg

Prev by Date: Windows XP Task Scheduler Local Privilege Escalation (Advisory)
Next by Date: Re: igloo DoubleSpeak v 0.1 Multiple remote file inclusion
Previous by thread: Re: Windows XP Task Scheduler Local Privilege Escalation (Advisory)
Next by thread: Virtualtourist.com - XSS with cookie disclosure
Index(es):
- Date
- Thread