GMailSite variable Cross-Site Scripting and script injection

Thursday, December 29, 2005
#######################################################
GMailSite variable Cross-Site Scripting and script injection
Vendor Url:http://www.gmailsite.com/
vendor specific entry:http://foros.ojobuscador.com/tema1936.html
Advisore:http://lostmon.blogspot.com/2005/12/
gmailsite-variable-cross-site.html
vendor notify:yes Exploit available:yes
OSVDB ID:22083,22095
Secunia:SA18155
BID:16081
########################################################

GMailSite is script that allows that you use your
account of mail of GMail to create a page in which
all the attached archives of your messages will be
published that esten kept under some label in your
account from mail.

GMailSite contains a flaw that allows a remote
Cross-Site Scripting attack.This flaw exists because
the application does not validate 'lng' variable upon
submission to index.php script.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.

Wen we "inject" the html or javascript code in the 'lng'
variable , this code is write in the coockie and it is
execute every time wen we click on a link in the GMailSite
for stop this code only need to click in other language.
This Flaw Is a posible script insercion,and a posible
local file inclusion.

#################
versions afected
#################

GMailSite

GmailSite 1.0.4 -
GmailSite 1.0.3 -
GmailSite 1.0.2 -
GmailSite 1.0.1 -
GmailSite 1.0 -

GFHost

GFHost 0.4.2
GFHost 0.4.1
GFHost 0.4
GFHost 0.3
GFHost 0.2
GFHost 0.1.1

#################
Solution
#################

No solution at this time !!!

#############
Timeline
#############

Discovered: 13-11-2005
Vendor notify: 28-12-2005
Vendor response:28-12-2005
Disclosure:29-12-2005

##################
Example
##################

http://[VICTIM]/?lng=es"><script>alert(document.cookie)</script>
http://[VICTIM]/index.php?lng=es"><script>alert(document.cookie)</script>

##################### €nd ###############

Thnx to estrella to be my ligth

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

Latest OSVDB Vulnerabilities

 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...