Spymac Web os 3.0 Multiple variable XSS

Sunday, March 13, 2005
#######################################################
Spymac Web os 3.0 Multiple variable XSS
vendor url:http://www.spymac.com/network.php?p=webos&wwg=20
Vendor notified : yes exploit avaible : yes
Original advisore: http://lostmon.blogspot.com/2005/03/
spymac-web-os-30-multiple-variable-xss.html
OSVDB ID:15243,1244,15245,15246,15247,15248,15249,
15250,15251,15252,15253,15254,15255

########################################################

Spymac is powered by an integrated collection of applications
(developed in-house)that together form "Spymac WOS". Spymac
WOS is an intelligent environment featuring patent-pending technology
that allows for the creation of an immersive and visually-stunning Web experience.

Spymac flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate some
variables upon submission to some scripts.This could allow a user
to create a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship between the
browser and the server,leading to a loss of integrity.

############
version afected
############

Spymac Web Os 3.0 beta 190

#########
Solution
#########

The vendor has pached all issues in a fast time :D
I send to him four mails, don´t repose any but
Spymac team working &working for fix...
Good work !!!

##########
timeline
##########

Discovered : 2 Mar 2005
Vendor notifyed: 2 Mar 2005
correct issues: 7 Mar 2005
Disclosure : 14 Mar 2005




############
Examples
############


##################
in index.php :
##################

http://[target]/hosting/index.php?show=[XSS-CODE]
http://[target]/news/index.php?catid=11[XSS-CODE]
http://[target]/news/index.php?contentid=1963[XSS-CODE]

###########
in members:
###########

http://[target]/member.php?memberid=172195[XSS-CODE]

###########
in gallery:
###########

http://[target]/gallery/show_photo.php?picid=321126[XSS-CODE]
http://[target]/gallery/show_pics.php?catid=24502[XSS-CODE]
http://[target]/gallery/show_pics.php?catid=547&split=1[XSS-CODE]
http://[target]/gallery/show_photo.php?picid=359869&nr=1[XSS-CODE]
http://[target]/gallery/upload_picture.php?poll=1[XSS-CODE]

##############
in notes.php :
##############

http://[target]/notes.php?action=outbox[XSS-CODE]
http://[target]/notes.php?action=inbox[XSS-CODE]
http://[target]/notes.php?action=pmform[XSS-CODE]
http://[target]/notes.php?totalPms=0&ppp=12&ppp=20&action=inbox[XSS-code]
http://[target]/notes.php?totalPms=0&ppp=12&ppp=20[XSS-code]&action=inbox
http://[target]/notes.php?totalPms=0&ppp=12[XSS-code]&ppp=20&action=inbox
http://[target]/notes.php?totalPms=0[XSS-code]&ppp=12&ppp=20&action=inbox

##########
in forums
##########

http://[target]/forums/showthread.php?threadid=160053[XSS-CODE]
http://[target]/forums/threadlist.php?catid=708[XSS-CODE]
http://[target]/forums/manager.php?action=myforums[XSS-CODE]
http://[target]/forums/newreply.php?threadid=159939[XSS-CODE]
http://[target]/forums/newpoll.php?catid=&threadid=[XSS-CODE]
http://[target]/forums/newthread.php?catid=&threadid=[XSS-CODE]
http://[target]/forums/manager.php?typ=favs&c=0&ppp=12[XSS-code]
http://[target]/forums/manager.php?typ=favs&c=0[XSS-code]&ppp=12
http://[target]/forums/manager.php?typ=favs[XSS-code]&c=0&ppp=12
http://[target]/forums/manager.php?typ=[XSS-code]favs&c=0&ppp=12
http://[target]/forums/newpoll.php?catid=&threadid=[XSS-code]
http://[target]/forums/newpoll.php?catid=[XSS-code]&threadid=
http://[target]/forums/newthread.php?catid=&threadid=[XSS-code]
http://[target]/forums/newthread.php?catid=[XSS-code]&threadid=

########
Others
########

http://[target]/network.php?p=tos[XSS-CODE]

for exploiting some flaws need to login.(member sections, parts of forums,etc)

atentamente:

Lostmon(lostmon@gmail.com)

Thnx to estrella to be my ligth.
Thnx to all who belibed in me.
Thnx to spymac Team , don´t respond ; but working &working for correct :DDD

Web-blog: http://Lostmon.blogspot.com
--
La curiosidad es lo que hace mover la mente...
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...