DoZ@HackersCenter.com
28/11/07, 12:29
[HSC]MySpace Scripts - Poll Creator JavaScript Injection Vulnerability
Our MySpace Poll Creator script is the ultimate addition to your MySpace resource
site. The script enables your user to quickly and easily create a poll that they
can post to profile or bulletin to all their friends. Everyone loves to create a
poll and gather opinions and this isn't something that's available on every other
MySpace resource site.
Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz
Risk: Medium
Class: Input Validation Error
Vendor: http://www.m2scripts.com
Product: MySpace Scripts - Poll Creator
* Attackers can exploit these issues via a web client.
Cross-Site Scripting:
http://www.victim.com/poll/index.php/XSS
Example of Advance Exploitation of the Application:
Once we have found that the application is vulnerable to JavaScript Injection we see
that there is a form that will be our source of input to alter page source code the Files.
Now we can advance this type of attack by injecting an evil script trough
/poll/index.php?action=create_new. Now we can inject any code into the Raw From Box
and submit. This will leave a persistent Code on the Server side.
Example: http://www.victim.com/poll/index.php?action=create_new
Only becoming a Ethical Hacker, you can stop a Hacker. Learn with out having
to pay thousands!- http://kit.hackerscenter.com - The most comprehensive security
pack you will ever find on the net!
Our MySpace Poll Creator script is the ultimate addition to your MySpace resource
site. The script enables your user to quickly and easily create a poll that they
can post to profile or bulletin to all their friends. Everyone loves to create a
poll and gather opinions and this isn't something that's available on every other
MySpace resource site.
Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz
Risk: Medium
Class: Input Validation Error
Vendor: http://www.m2scripts.com
Product: MySpace Scripts - Poll Creator
* Attackers can exploit these issues via a web client.
Cross-Site Scripting:
http://www.victim.com/poll/index.php/XSS
Example of Advance Exploitation of the Application:
Once we have found that the application is vulnerable to JavaScript Injection we see
that there is a form that will be our source of input to alter page source code the Files.
Now we can advance this type of attack by injecting an evil script trough
/poll/index.php?action=create_new. Now we can inject any code into the Raw From Box
and submit. This will leave a persistent Code on the Server side.
Example: http://www.victim.com/poll/index.php?action=create_new
Only becoming a Ethical Hacker, you can stop a Hacker. Learn with out having
to pay thousands!- http://kit.hackerscenter.com - The most comprehensive security
pack you will ever find on the net!