XSS exploit on karlicious.net
20 replies · 10 participants
Dec 2, 2009, 05:21 AM#1
Just noticed Karl, you can XSS your karlicious.net 404 page.
http://static.karlicious.net/apache/?qu ... IKES%20MEN.
(Quick example)
Not sure how unsecure it is, but like, fix it.
http://static.karlicious.net/apache/?qu ... IKES%20MEN.
(Quick example)
Not sure how unsecure it is, but like, fix it.
Dec 2, 2009, 03:59 PM#2
There's a Hax section now.
It isn't really that useful since it's on the static subdomain, so It can't really be used for cookie stealing.
I like dem' yummy cookies.
It's also not permanent, so it's kinda limited.
It isn't really that useful since it's on the static subdomain, so It can't really be used for cookie stealing.
I like dem' yummy cookies.
It's also not permanent, so it's kinda limited.
Dec 2, 2009, 04:11 PM#3
XSS can be dangerous, and fun Click Here
Discovered that a while ago and emailed fps banana about it, but they haven't replied/fixed it yet.
;%3C/script%3E%3Cimg%20src='http://kimag.es/share/32583751.png'%20/%3E){kind=link}
Discovered that a while ago and emailed fps banana about it, but they haven't replied/fixed it yet.
Dec 2, 2009, 07:24 PM#4
Another victory for the NoScript Addon for Firefox. 
Detects XSS.
Detects XSS.Dec 3, 2009, 01:02 AM#5
XSS can be dangerous, and fun Click Here
Discovered that a while ago and emailed fps banana about it, but they haven't replied/fixed it yet.
HAAAAAX! *spawn throws computer monitor*
Dec 3, 2009, 01:03 AM#6
Dec 3, 2009, 07:44 AM#7
[This post has been redacted in the archive]
Dec 3, 2009, 08:23 AM#8
Lol waffle.
Whats so bad with XSS? Just inserting custom pictures and words?
Thats exactly the problem, we are just using it for fun, someone could insert code to steal passowrd, break into the database even etc etc.
Dec 3, 2009, 09:34 AM#9
Or just put words into one's mouth. So it looks like someone has said something they haven't.
Dec 3, 2009, 11:36 AM#10
It shouldn't work anymore.
Dec 3, 2009, 04:04 PM#11
[This post has been redacted in the archive]
Dec 3, 2009, 04:51 PM#12
It shouldn't work anymore.
It's still vulnerable.
You'll want to turn the input into HTML entities (99.9% safe):
http://php.net/manual/en/function.htmlentities.php
Dec 3, 2009, 05:08 PM#13
Or stop using URL Requests all together and get the request from the HTTP Header.
Dec 3, 2009, 05:19 PM#14
It shouldn't work anymore.
Thanks
Dec 3, 2009, 05:31 PM#15
It shouldn't work anymore.
Thanks
Why did you reply to your own comment?
Because it's fun.
Dec 4, 2009, 03:18 AM#16
Intruder Alert!
Red spy in base!
Red spy in base!
Dec 4, 2009, 11:51 AM#17
Intruder Alert!
Red spy in base!
ALERT!
HEAVY IS HUNGRY!
Dec 4, 2009, 08:13 PM#18
OMG! U STOLE MY VIDEO! HAAAAX!
Dec 8, 2009, 08:42 PM#19
I was looking at flappah's fucked up Steam ID thing, (he clearly entered a URL instead of his username, even though it specifically states not to, *cough* retard *cough*) and stumbled upon another EXPLOIT. However, it just stopped working, as if someone had fixed it while I was playing with it. 
Dec 8, 2009, 10:12 PM#20
I was looking at flappah's fucked up Steam ID thing, (he clearly entered a URL instead of his username, even though it specifically states not to, *cough* retard *cough*) and stumbled upon another EXPLOIT. However, it just stopped working, as if someone had fixed it while I was playing with it.
That would be me