Wireclub.com Homepage: http://www.wireclub.com Effected files: input boxes of editing a profile XSS Vuln with no filter evasion at all: <IMG SRC=javascript:alert('XSS')> We notice that when trying to put a url in the Open line about yourself input box, we get the msg "no urls allowed" as well as "the field cannot contain profanity (since i'm using youfucktard), One way to bypass this msg is change the whole url to decimal value. or just parts of it; ie: http:// or the ending of it, as well as part of the word "fuck" PoC: http://youfucktard.com Screenshots: http://www.youfucktard.com/xsp/wire1.jpg http://www.youfucktard.com/xsp/wire2.jpg http://www.youfucktard.com/xsp/wire3.jpg XSS Vuln in same edit box, this time writing the cookie on screen: [img src="javascript:document.write(document.cookie)"] Screenshots: http://www.youfucktard.com/xsp/wire4.jpg http://www.youfucktard.com/xsp/wire5.jpg
