Rev Potential exploit.

Status
Not open for further replies.
Dan Smith

Dan Smith

Member
Sep 10, 2011
64
3
Basicly. i belive that rev is xxs cross scriptable.

All thats needed is to set your motto to <script>alert('XXS')</script> and on online, it sends an alert.


Does anybody have a fix for this?

The fix will be largely appreciated!

Also, you may want to know:
Whats is XXS?
You must be registered for see links




-Dan :D
 
Sort by date Sort by votes
Dan Smith

Dan Smith

Member
Sep 10, 2011
64
3
a0e04925ab6921fc0ac2713edae04da0.png
 
Upvote 0 Downvote
F

Find

Posting Freak
Jun 21, 2012
597
189
Basically it means if they put that code in their motto, anywhere on the site that it shows their motto a script will pop up :)
 
Upvote 0 Downvote
Clit

Clit

Posting Freak
Feb 25, 2012
1,065
103
Find said:
Basically it means if they put that code in their motto, anywhere on the site that it shows their motto a script will pop up :)
Click to expand...
Its for staff use only then pretty much, don't see how it is an exploit. It's basically putting %username% in your motto.
 
Upvote 0 Downvote
F

Find

Posting Freak
Jun 21, 2012
597
189
Well the user could use it on the me page, and we have an online users page as you just saw so it would not only work for staff :)
 
Upvote 0 Downvote
Clit

Clit

Posting Freak
Feb 25, 2012
1,065
103
Find said:
Well the user could use it on the me page, and we have an online users page as you just saw so it would not only work for staff :)
Click to expand...
Me page, only the user can see.
Online users is like a graph thing, and have to hover, doubt that enables/works like that. (idfk wot i seD)
and its a staff ability, and for vip's its a special feature, and if they are one of the lucky randoms. 
Dan Smith said:
it shows up on online users page. its XXs cross scripting, that's an exploit
Click to expand...
dont even have mottos enabled on online users page -.-
tbh, even if its a popup, who cares, ITS A POPUP, no harm facepalm.jpg
 
Upvote 0 Downvote
Tomm

Tomm

The Legend
Aug 19, 2012
191
92
it works on the /online page for all users, as every online user is displayed here. I think Mr Find fixed the issue by disabling mottos on the /online page.
 
Upvote 0 Downvote
F

Find

Posting Freak
Jun 21, 2012
597
189
As you quite clearly did not read the link posted on the original post,

"Cross-site scripting (XSS) is a type of
You must be registered for see links
You must be registered for see links
typically found in
You must be registered for see links
, such as
You must be registered for see links
through breaches of
You must be registered for see links
, that enables attackers to
You must be registered for see links
You must be registered for see links
into
You must be registered for see links
viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass
You must be registered for see links
such as the
You must be registered for see links
. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.
You must be registered for see links
Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner."

So as you can see it is more of a risk than "just a popup"
 
Upvote 0 Downvote
Clit

Clit

Posting Freak
Feb 25, 2012
1,065
103
Tomm said:
it works on the /online page for all users, as every online user is displayed here. I think Mr Find fixed the issue by disabling mottos on the /online page.
Click to expand...
regardless, no reason to remove the code, its a fucking popup, also nobody knew of this, lol, never been used anywhere. blame op for releasing ;p, REGARDLESS, ITS A FUCKING POPUP LOL
 
Upvote 0 Downvote
Clit

Clit

Posting Freak
Feb 25, 2012
1,065
103
Tomm said:
This pop up could ALSO be abused, showing advertisements or inappropriate messages. This is un-professional.
Click to expand...
yeah deffiantly with limited motto characters. 
Xyro said:
I think what he's trying to say is if that alert script can be used, then they could manipulate the XSS code and end up putting shells into the server.
Click to expand...
tell me how you're gonna do that in 12 fucking characters..facepalm.jpg
 
Upvote 0 Downvote
Status
Not open for further replies.

Users who are viewing this thread

Total: 3 (members: 0, guests: 3)
☀️  Switch to Light Theme

Latest posts

Top