techb wrote: Isn't inline code injection client-side anyway? I mean it will not do anything besides change your cookies and do cool things with the picture on the page right?
Change your cookies, do cool things with the pictures on the page, alter your password, post anything they want anywhere from your account, steal your cookies for their use….
MoshBat wrote: [quote]stealth- wrote: steal your cookies for their use…. Not here.[/quote]
True. I actually wonder why more sites don't implement that.
spyware wrote: [quote]Mtutnid wrote: I'm able to make my avatar src a php page or anything else
Ooooh nooo.[/quote]
Wasn't somebody doing that a while back and logging IPs?
Mtutnid wrote: I know it's nothing, but it is still just a minor bug… A bug is a bug… It does not work properly, that means it is a bug… Even if it is totally minor.
It's. Not. A. Bug.
You could do exactly the same thing by using firebug and changing your rendered html. It does nothing. There is no exploit here.
Mtutnid wrote: [quote]MoshBat wrote: [quote]stealth- wrote: steal your cookies for their use…. Not here.[/quote]
I would not need to steal cookies. I could just change your pass. [/quote]
No you couldn't. I've already tried that with a real XSS hole on this site. The only way you'd have a shot at changing the password or actually doing anything of interest would be to:
- Get the user to click on the XSS link and steal the cookie AND page token (the edit_profile token is the same as the logout token, so you can just use javascript to regex it rather than send another request through cURL/PHP).
- Now that you already have the token and cookies, all you have to do is change your IP. Use something like this (http://stackoverflow.com/questions/1301319/curl-ip-address) to 'spoof' your IP (basically just send a one way connection to hbh to change the password or do whatever you want).
The first step is really easy but good luck getting the second part to work.
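A defender-side sketch of the two server controls this exchange turns on (a session cookie bound to the IP it was issued to, so a stolen cookie is useless from elsewhere, and one token per sensitive action rather than the shared edit_profile/logout token stealth- describes), written as an added Python example that is not code from this thread or from hbh; the in-memory session store and the function names are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store for the example: cookie value -> session record.
SESSIONS = {}

def create_session(user, client_ip):
    """Issue a session cookie bound to the login IP, plus a separate token per action."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {
        "user": user,
        "ip": client_ip,
        # A token scraped from the logout form must not be replayable against
        # edit_profile, so each sensitive action gets its own random token.
        "tokens": {action: secrets.token_hex(16) for action in ("edit_profile", "logout")},
    }
    return cookie

def validate_request(cookie, client_ip, action, token):
    """Return (ok, reason) for a state-changing request.

    Rejects unknown cookies, requests arriving from an IP other than the one the
    session was issued to, and tokens that do not match the requested action.
    """
    session = SESSIONS.get(cookie)
    if session is None:
        return False, "unknown session"
    if session["ip"] != client_ip:
        return False, "ip mismatch"
    expected = session["tokens"].get(action)
    if expected is None or not hmac.compare_digest(expected, token):
        return False, "bad token"
    return True, "ok"

if __name__ == "__main__":
    c = create_session("alice", "203.0.113.10")          # constructed sample IP
    t = SESSIONS[c]["tokens"]["edit_profile"]
    print(validate_request(c, "203.0.113.10", "edit_profile", t))   # legitimate user
    print(validate_request(c, "198.51.100.7", "edit_profile", t))   # replay from another IP
```

Binding sessions to a client IP also locks out legitimate users whose address changes mid-session (mobile networks, rotating proxies), which is the usual reason sites decline to implement it.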