
XSS Vulnerability on all Gesiors

Rodo

Well OtLanders, as you see, all Gesior AAC have an XSS vulnerability in the Creatures section.

A what?
Yes, an XSS vulnerability. If you know about this, you should know that you can get privileges, steal accounts and more.

How?
I won't tell how. If you are reading this to know how, leave the thread, but the vulnerability is in creatures.php :)


[Image: 48779326.png]



You don't need to delete this section, but if you use an external forum for your Gesior, check the link that you are accessing ;)


A fake login I made on a server without being admin or webmaster (yeah, it sux, but it is for example only):


[Image: capturavy.png]



It's kinda hard to do, but if you know how to, you can make it.
 
I mean, if you know about XSS you can steal any account.
 
@Rodo
XSS is a client-side attack. It doesn't directly give permissions. To avoid XSS attacks, the data should be sanitized as well as HTML tags filtered.

Also, Gesior AAC never was a trustworthy website; there are flaws in:
- file uploading (they don't treat the MIME type of the files)
- POST requests
- XSS (as you said)
- PHP injection
- memory leaks on a great demand of queries
- much more

I know that this "software" offers a lot of great features, but if you want to take the risk, good luck.
 
Yeah, it doesn't, but you can make a fake login that saves a .txt very easily, or something like that.
 
Rodo is right; even if it's client-side, you can add form-posting data to your script.
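
As an added example (not part of the thread and not Gesior's own code), here is one way to apply the "sanitize the data" advice above in PHP: validate a request parameter against an allowlist, never echo rejected input, and HTML-encode at output. The `creature` parameter name, the creature list and the image path are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler for a creature lookup page.
// "creature", $knownCreatures and the image path are assumptions, not Gesior code.

/** Encode a value for an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return the canonical creature name, or null if the input is not a known one. */
function resolveCreature($raw, array $knownCreatures): ?string
{
    // Reject arrays (?creature[]=x) and oversized input before any matching.
    if (!is_string($raw) || strlen($raw) > 40) {
        return null;
    }
    // Names are letters, spaces, apostrophes and hyphens only; \z forbids a trailing newline.
    if (!preg_match('/^[A-Za-z][A-Za-z \'-]*\z/', $raw)) {
        return null;
    }
    // Allowlist lookup: only values the server already knows are ever rendered.
    return $knownCreatures[strtolower($raw)] ?? null;
}

function renderCreaturePage($raw, array $knownCreatures): string
{
    $name = resolveCreature($raw, $knownCreatures);
    if ($name === null) {
        // The rejected input is never reflected back into the page.
        return '<p>Creature not found.</p>';
    }
    // Encode at output even though the value passed validation (defence in depth).
    return '<h2>' . e($name) . '</h2>'
         . '<img src="images/monsters/' . e(rawurlencode($name)) . '.gif"'
         . ' alt="' . e($name) . '">';
}

// Constructed sample data and inputs, so the script runs from the command line.
$knownCreatures = ['demon' => 'Demon', 'orc warlord' => 'Orc Warlord'];
$samples = ['Demon', 'orc warlord', '<b>Demon</b>', ['x'], "Demon\n"];
foreach ($samples as $input) {
    echo json_encode($input), ' => ', renderCreaturePage($input, $knownCreatures), PHP_EOL;
}
```

Only the first two samples render a creature; every other input gets the fixed "not found" message with none of the submitted text in it.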
 