Bored, XSS in flisterz, chankelwin & izzatz

June 16th, 2007 | by tk2 |

Last few days were the worst weekdays I ever had. Maybe because today’s my 6666th day I’ve been living on earth. Nah. It’s just bad luck, get over it.

I’m thinking of going to LowYat today but I woke up late and things started going gocha2 again. At last, I’m here sitting in front of my computer surfing the net. Hey, at least I got something to show today.

I really love Blogtitude as it links all the updated blog in one place. After loafing around for a few minutes, I started to feel bored. I visited flisterz’s blog and played with his search box.

1

It popped up a database error. But when I viewed the source code, I found something more interesting.

2

Noticed that all the characters were not filtered and printed right away after the <title> tag.So I tried,

3

Let’s see what happens when I click enter..Ops no luck. It seems that the <script> tag is being filtered. How if:

4

The result:

5

Owh my cute baby XSS. Flisterz, you better repair this.
By the way, I also found other blog’s XSS using the same vector.

XSS in chankelwin

XSS in izzatz

  1. 5 Responses to “Bored, XSS in flisterz, chankelwin & izzatz”

  2. By Izzatz on Jun 16, 2007 | Reply

    dude what did u do? lol

    i’m quite blur n dun have any idea what u’r talkin bout..

    care to explain it? huhu

  3. By Izzatz on Jun 16, 2007 | Reply

    oh okok

    i know it..

    http://en.wikipedia.org/wiki/Cross-site_scripting
    :P
    gotta upgrade my wp

  4. By tk2 on Jun 16, 2007 | Reply

    I guess that it’s not wordpress fault. It’s your theme that being nasty.
    Just avoid clicking any obvious link or turn off javascript and you should be safe.

    Don’t worry too much. It’s just a minor bug.

  5. By Chan Kelwin on Jun 16, 2007 | Reply

    I actually read a post on the XSS “attack” or whatever it is yesterday. Kinda scary. And now it seems like my blog is vulnerable? Die liao…I honestly don’t know much about it. I don’t have time to research about it.

    tk2, what is that link that you linked with “XSS in chankelwin”? You adviced not to click on links like that, so I don’t even dare to click on it. LOL. Can you roughly explain? What should I do to solve the problem? Change themes or something?

    Thanks in advance.

  6. By mohdismail on Jun 18, 2007 | Reply

    boleh aku jadi Fellowship of the Geek?

    :p

Post a Comment