Facerave.com Homepage: http://www.facerave.com Effected files: * Profile input boxes - Self Description box * Posting a blog entry * Sending a message index.php ------------------------------------------------------ XSS vuln with cookie disclosure via posting a comment: No filter evasion needed. for PoC in yourself description box put: Screenshots: http://www.youfucktard.com/xsp/facerave1.jpg http://www.youfucktard.com/xsp/facerave2.jpg ----------------------------------------------------- XSS vuln with cookie disclosure when posting a blog entry: Same as above: Screenshots: http://www.youfucktard.com/xsp/facerave3.jpg http://www.youfucktard.com/xsp/facerave4.jpg Our cookie: This is remote text via xss.js located at youfucktard.com lang=en; PHPSESSID=dfb7edf9c3d2350d04cd5ed60585b2f1;voted=YToxMTp7aTowO047aToxO3M6NDoiMzkzNiI7aToyO3M6NDoiNzQ1NCI7aTozO3M6NjoiMTE4OTY1IjtpOjQ7czo2OiIxMTg5NjYiO2k6NTtzOjY6IjExODk2NyI7aTo2O3M6NjoiMTE4OTY4IjtpOjc7czo2OiIxMTg5NjkiO2k6ODtzOjY6IjExODk3MCI7aTo5O3M6NjoiMTE4OTcxIjtpOjEwO3M6NjoiMTE4OTcyIjt9; last_pr=7454 Breaking down the cookie: PHPSESSID= (Our php session Id on the site) voted= Base64 encoded. When we decode it we get: a:11:{i:0;N;i:1;s:4:"3936";i:2;s:4:"7454";i:3;s:6:"118965";i:4;s:6 ---------------------------------------------------- XSS Vuln and possible SQL injection on deleting blog id: http://www.facerave.com/index.php?req=blog&act=del&id=1087">"> Query error msg: You have an error in your SQL syntax near '\' AND b_user=7454' at line 1 Failed query: DELETE FROM rate_blogs WHERE b_id=1087\' AND b_user=7454 Screenshot: http://www.youfucktard.com/xsp/facerave5.jpg ----------------------------------------------------- Sending a message xss vuln: Same as above, no filter evasion. in your msg title or subject put: Screenshot: http://www.youfucktard.com/xsp/facerave6.jpg ------------------------------------------------------