MySpace Scripts - Poll Creator JavaScript Injection Vulnerability

[DoZ@xxxxxxxxxxxxxxxxx]

[HSC]MySpace Scripts - Poll Creator JavaScript Injection Vulnerability


Our MySpace Poll Creator script is the ultimate addition to your MySpace 
resource 
site. The script enables your user to quickly and easily create a poll that 
they 
can post to profile or bulletin to all their friends. Everyone loves to create 
a 
poll and gather opinions and this isn't something that's available on every 
other 
MySpace resource site.


Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz


Risk: Medium 
Class: Input Validation Error


Vendor: http://www.m2scripts.com
Product: MySpace Scripts - Poll Creator


* Attackers can exploit these issues via a web client.


Cross-Site Scripting:

http://www.victim.com/poll/index.php/XSS


Example of Advance Exploitation of the Application:

Once we have found that the application is vulnerable to JavaScript Injection 
we see
that there is a form that will be our source of input to alter page source code 
the Files.
Now we can advance this type of attack by injecting an evil script trough 
/poll/index.php?action=create_new. Now we can inject any code into the Raw From 
Box 
and submit. This will leave a persistent Code on the Server side.



Example: http://www.victim.com/poll/index.php?action=create_new






Only becoming a Ethical Hacker, you can stop a Hacker. Learn with out having
to pay thousands!- http://kit.hackerscenter.com - The most comprehensive 
security
pack you will ever find on the net!