MyBB Community Forums

Full Version: HELP ME FIX XSS
(2013-01-28, 12:41 PM)Pirata Nervo Wrote: [ -> ]
(2013-01-28, 11:55 AM)iEcho Wrote: [ -> ]
(2013-01-28, 11:53 AM)Pirata Nervo Wrote: [ -> ]So what you're doing there is, you try to login and fail and without doing anything you get a javascript alert or did you change anything? (e.g. imagestring)
He tried to log in with the right username and pass and he just replaced the imgstring with a javascript query! He can redirect the page etc. etc.
Only changed the imgstring!

The user on the screenshot is whom? You? Or him?

Also, the user on the screenshot failed to login, otherwise he wouldn't have received a login failure error.
Yes, he failed because of the "word" captcha!
As the captcha code he entered the javascript query!
Please answer my questions...
(2013-01-28, 01:10 PM)Pirata Nervo Wrote: [ -> ]Please answer my questions...

He's one of my forum members! He reported the XSS to me yesterday! I just want a solution guys :\
I'm going to ask again...

The user on the screenshot is whom? You? Or him?
(2013-01-28, 01:14 PM)Pirata Nervo Wrote: [ -> ]I'm going to ask again...

The user on the screenshot is whom? You? Or him?

I am the member who found the XSS hole! The admin asked me to post here and give him the link! Is that a problem?!
(2013-01-28, 12:18 PM)Nathan Malcolm Wrote: [ -> ]Where exactly is the imgstring being printed on the page?
(2013-01-28, 01:22 PM)Nathan Malcolm Wrote: [ -> ]
(2013-01-28, 12:18 PM)Nathan Malcolm Wrote: [ -> ]Where exactly is the imgstring being printed on the page?
What do you mean?! The imgstring box was empty! I pasted the script there!
I've just gone to a login page, kept failing until the captcha was displayed, entered something random and then tampered with the imagestring with "/><ScRiPt>alert(String.fromCharCode(88,83,83))</ScRiPt> like you said and didn't get any javascript popup.

But still, even if I did get one, there's no way you can inject code to affect other users. The problem with javascript injections is that you may run your desired javascript code from other users' browsers. In this case you can't, you can only execute it on your own and I don't believe you want to hack your own cookies.
I still can't reproduce it. MyBB doesn't keep the input there because the captcha changes each time you refresh the page. Unless I'm missing something, the only way to do this is if you edit the dom after the page has loaded.
(2013-01-28, 01:39 PM)Pirata Nervo Wrote: [ -> ]I've just gone to a login page, kept failing until the captcha was displayed, entered something random and then tampered with the imagestring with "/><ScRiPt>alert(String.fromCharCode(88,83,83))</ScRiPt> like you said and didn't get any javascript popup.

But still, even if I did get one, there's no way you can inject code to affect other users. The problem with javascript injections is that you may run your desired javascript code from other users' browsers. In this case you can't, you can only execute it on your own and I don't believe you want to hack your own cookies.

(2013-01-28, 01:40 PM)Nathan Malcolm Wrote: [ -> ]I still can't reproduce it. MyBB doesn't keep the input there because the captcha changes each time you refresh the page. Unless I'm missing something, the only way to do this is if you edit the dom after the page has loaded.
You should do it with Tamper Data, because when you enter the captcha the website filters the captcha you entered!
Maybe it's DOM-based XSS!