#####################################################
Spymac Web OS v4 blogs and notes multiple variable XSS

Vendor URL: http://www.spymac.com & http://arnieshwartz.spymac.com/the_spymac_web_os.htm
Advisory: http://lostmon.blogspot.com/2005/11/spymac-web-os-v4-blogs-and-notes.html
Vendor notified: yes
Exploit available: yes
#####################################################

Spymac is powered by an integrated collection of applications (developed in-house) that together form "Spymac WOS". Spymac WOS is an intelligent environment featuring patent-pending technology that allows for the creation of an immersive and visually-stunning Web experience.

Spymac has a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to multiple scripts. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

################
VERSIONS
################

Spymac Web OS 4.0

#########
Solution
#########

No solution at this time.

##########
Timeline
##########

Discovered    : 28-10-2005
Vendor notify : 02-11-2005
Vendor response:
Disclosure    : 04-11-2005

###################
EXAMPLES
###################

To exploit some of these vulnerabilities, you need to be logged in.

###########
IN BLOGS
###########

http://[Victim]/blogs/index.php?curr=349030[XSS-CODE]
http://[Victim]/blogs/blog_newentry.php?inspire=134403[XSS-CODE]&system=blogentries&title=Blogs%20now%20online
http://[Victim]/blogs/blog_newentry.php?inspire=134403&system=blogentries[XSS-CODE]&title=Blogs%20now%20online
http://[Victim]/blogs/blog_newentry.php?inspire=134403&system=blogentries&title=Blogs%20now%20online[XSS-CODE]
http://[Victim]/blogs/blog_newentry_comment.php?entry=113733[XSS-CODE]
http://[Victim]/blogs/blog.php?pageid=113733&caldate=1128146400[XSS-CODE]
http://[Victim]/blogs/blog_edit_entry.php?entry=113733[XSS-CODE]
http://[Victim]/blogs/blog.php?pageid=260&label=Cool%20Stuff&caldate=1128146400[XSS-CODE]

###########
IN NOTES
###########

http://[Victim]/notes/index.php?action=noteform&forwardid=469397[XSS-CODE]
http://[Victim]/notes/index.php?action=delete_folder&del_folder=qq[XSS-CODE]
http://[Victim]/notes/index.php?curr=100&isread=asc[XSS-CODE]
http://[Victim]/notes/index.php?curr=100&dateorder=asc[XSS-CODE]
http://[Victim]/notes/index.php?curr=100&subjectorder=asc[XSS-CODE]
http://[Victim]/notes/index.php?curr=100[XSS-CODE]
http://[Victim]/notes/index.php?isread=asc[XSS-CODE]
http://[Victim]/notes/index.php?fromorder=asc[XSS-CODE]
http://[Victim]/notes/index.php?fromorder=asc&action=search_title[XSS-CODE]
http://[Victim]/notes/index.php?action=shownote&noteid=243633[XSS-CODE]
http://[Victim]/notes/index.php?action=noteform[XSS-CODE]&replyid=243633
http://[Victim]/notes/index.php?action=Inbox[XSS-CODE]
http://[Victim]/notes/index.php?totalnotes=&ppp=10&ppp=40[XSS-CODE]&action=Inbox
http://[Victim]/notes/index.php?totalnotes=[XSS-CODE]&ppp=10&ppp=30
http://[Victim]/notes/index.php?totalnotes=&ppp=10&ppp=40&totalreplies=asc[XSS-CODE]&action=Inbox
http://[Victim]/notes/index.php?action=noteform&touserid=172195[XSS-CODE]

########################
End
#########################

Thanks to Estrella for being my light.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....
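The root cause described above is that each script reflects its query parameters into the page without validating or encoding them. The following is an added example, not Spymac's code, of the per-parameter policy that closes this class of bug: numeric IDs are parsed strictly, sort orders and actions are allowlisted, and free-text values are HTML-encoded before output. It is written in Python for illustration rather than the application's PHP, and the parameter types are an assumption inferred from the URLs in the advisory.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Parameter policy inferred from the advisory URLs (an assumption: the real
# Spymac PHP sources are not public). Every parameter gets a declared type;
# anything not declared is rejected rather than echoed back.
INT_PARAMS = {"curr", "inspire", "entry", "pageid", "caldate", "forwardid",
              "noteid", "replyid", "touserid", "ppp", "totalnotes"}
ORDER_PARAMS = {"isread", "dateorder", "subjectorder", "fromorder", "totalreplies"}
ENUM_PARAMS = {"action": {"noteform", "delete_folder", "search_title", "shownote", "Inbox"},
               "system": {"blogentries"}}
TEXT_PARAMS = {"title", "label", "del_folder"}  # free text: HTML-encode before output


class BadParameter(ValueError):
    """Raised when a value does not match the declared type of its parameter."""


def validate_query(url):
    """Return {name: safe_value} for a request URL, or raise BadParameter.

    Integers are parsed strictly (trailing junk such as '349030<script>' is
    rejected), sort orders and actions are checked against an allowlist, and
    free-text values are escaped with html.escape so that echoing them into
    the page cannot break out of an HTML text or attribute context.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    safe = {}
    for name, values in query.items():
        value = values[-1]  # PHP keeps the last duplicate (ppp=10&ppp=40 above)
        if name in INT_PARAMS:
            if value == "":
                safe[name] = None  # totalnotes= is legitimately empty in the advisory
            elif value.isascii() and value.isdigit():
                safe[name] = int(value)
            else:
                raise BadParameter(f"{name} must be numeric, got {value!r}")
        elif name in ORDER_PARAMS:
            if value not in ("asc", "desc"):
                raise BadParameter(f"{name} must be asc or desc, got {value!r}")
            safe[name] = value
        elif name in ENUM_PARAMS:
            if value not in ENUM_PARAMS[name]:
                raise BadParameter(f"{name}={value!r} is not an allowed value")
            safe[name] = value
        elif name in TEXT_PARAMS:
            safe[name] = html.escape(value, quote=True)
        else:
            raise BadParameter(f"unexpected parameter {name!r}")
    return safe
```

The equivalent fix in PHP is `intval()` or an explicit allowlist for the ID, order and action parameters, and `htmlspecialchars($value, ENT_QUOTES)` for the free-text ones at the point where they are echoed.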