WARNING: Mediafire Users

Discussion in 'BlackHat Lounge' started by marekpl, Aug 22, 2011.

  1. marekpl

    marekpl Newbie

    Hey guys,

    Thought I should bring this to your attention: Mediafire currently has a cross-site scripting vulnerability:
    Mediafire.com suffers from a persistent XSS vulnerability within its file uploads.
    After a user has uploaded their file they can change the title of the file to something like
    <script>alert('CodeineIntra')</script> .txt

    It must contain an extension to save.
    This is a persistent vulnerability.
    Source: http://packetstormsecurity.org/files/view/104288/mediafire-xss.txt

    Make sure you are careful if Mediafire does anything unexpected. Always check the title of the page to see if there is any JavaScript or obfuscated code (the filename is in the title). If you're downloading anything, make sure it's coming from Mediafire, as it's now possible to send the download location to somewhere foreign.

    Filenames can be switched around even after the upload, so use Mediafire with care.
     
    • Thanks x 2
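
Added example, not part of the original thread and not Mediafire's code: a sketch of the server-side fix for the stored XSS described in the post above, showing the file title rendered without and with output encoding, plus a rename-time check. The function names and the page template are assumptions made for illustration; the sample title is the one quoted in the post.

```javascript
'use strict';
// Hypothetical helpers for illustration; names and template are assumptions.

// Characters that must be encoded in HTML text and quoted attribute values.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": the stored title is concatenated into the markup unchanged,
// so any tags in it become part of the page for every later visitor.
function renderTitleUnsafe(fileTitle) {
  return `<title>${fileTitle}</title><h1>${fileTitle}</h1>`;
}

// "After": the same template with output encoding applied at render time.
function renderTitleSafe(fileTitle) {
  const safe = escapeHtml(fileTitle);
  return `<title>${safe}</title><h1>${safe}</h1>`;
}

// Defence in depth when a title is changed after upload. Encoding on output
// stays the primary control; this only rejects titles no real file needs.
function validateRename(newTitle) {
  if (typeof newTitle !== 'string' || newTitle.length === 0 || newTitle.length > 255) {
    return { ok: false, reason: 'length' };
  }
  if (/[\u0000-\u001f\u007f<>]/.test(newTitle)) {
    return { ok: false, reason: 'forbidden character' };
  }
  if (!/\.[A-Za-z0-9]{1,10}$/.test(newTitle)) {
    return { ok: false, reason: 'missing extension' };
  }
  return { ok: true, reason: null };
}

// The title quoted in the post, plus two constructed samples.
const reportedTitle = "<script>alert('CodeineIntra')</script> .txt";
for (const title of [reportedTitle, 'holiday photos.zip', 'noextension']) {
  const verdict = validateRename(title);
  console.log(JSON.stringify(title), verdict.ok ? 'accepted' : `rejected (${verdict.reason})`);
  console.log('  encoded output:', renderTitleSafe(title));
}
```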
  2. l0goz

    l0goz Jr. VIP Jr. VIP Premium Member

    Thanks for the warning
     
  3. larrydetuvi

    larrydetuvi Regular Member

    Can XSS be used to create backlinks, or does just this example work?
     
  4. thevil

    thevil Junior Member

    Code:
    http://en.wikipedia.org/wiki/Cross-site_scripting
     
  5. sameer5762

    sameer5762 Elite Member

    Thanks for notifying us....:)