Housecarers.com Homepage: http://housecarers.com Affected files: * Posting a Housesit: - City/Town box - County/District box - Suburb box - City/Town Area box * Searching for housesitters * Sending messages to house sitters. * Viewing member profiles ---------------------------------------- XSS vuln via posting housesit boxes. For a PoC, in one of the boxes above put: <script>alert('xss')</script> Screenshots: http://www.youfucktard.com/xsp/housecare1.jpg http://www.youfucktard.com/xsp/housecare2.jpg ((When viewing a members profile, this XSS example occurs as well)) ------------------------------------- XSS vuln when searching for house sitters. Same PoC as above, in the input boxes put: <script>alert('xss')</script> Screenshots: http://www.youfucktard.com/xsp/housecare3.jpg http://www.youfucktard.com/xsp/housecare4.jpg ----------------------------------- XSS vuln with cfm token disclosure when sending msgs to members: For a PoC in any input box, as the screenshots show, try putting: <script>alert(document.cookie)</script> Screenshots: http://www.youfucktard.com/xsp/housecare5.jpg http://www.youfucktard.com/xsp/housecare6.jpg ----------------------------------
