http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2001-11/0240.html

From: John Scimone <email@example.com>
To: firstname.lastname@example.org
Subject: Re: Audiogalaxy again (Cross Site Scripting Vuln)
Date: Wed, 28 Nov 2001 16:51:21 -0500
Message-Id: <0111281651210A.email@example.com>

I just took a 2 second look at audiogalaxy for other ways to get this plaintext cookie and realized that they probably have numerous cross site scripting problems, being such a dynamic site. Some parsing appears to be done on user input; however, this user search script looks partially vulnerable, so you don't have to worry about IE bugs and can grab Linux users' names and passwords also. I'm sure there are others just by looking at their site layout, but I don't have the time to mess with it. (No! )

Ex:
http://www.audiogalaxy.com/user/userSearch.php?SID=34b1859xxxxx0da9ff0cbxxxxx&userSearch=foo%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%22bar&searchOption=exact

(Copy & paste this link to try it out! or click here: http://tinyurl.com/csagt)
(Must be logged in to try - Username: treemonkey59, Password: stevebrown11)

Like Michael stated in an earlier bugtraq post, users should choose their passwords wisely and not use the same password for hotmail and mp3 sharing sites as they do to pay their bills online.

John Scimone
CS Major @ Ga Tech

....

So, John Scimone found a way to display our own login details on our own computer. Even though AG is long dead, I'm studying PHP and the way it works. How would I be able to view another person's login just as you were able to look at your own login details (being treemonkey's account) with the same type of link? How would I edit this link so I can view another user's login details, or is it even possible at all?
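For the PHP side of this, the bug in the mail is a reflected parameter being written back into the page without HTML encoding, and the cookie being readable by script. The following is an added example, not code from the mail or from Audiogalaxy, showing the server-side fix with the posted payload used as constructed input; the parameter name `userSearch` and cookie name `SID` are assumed from the reported URL.

```php
<?php
// Added example (not from the original post). Shows why the reported
// userSearch parameter was exploitable and how output encoding stops it.

// Vulnerable pattern (do not use): the raw query value is dropped straight
// into an attribute, so a quote and '>' in it close the attribute and the
// tag, and whatever follows is parsed as markup:
//   echo '<input name="userSearch" value="' . $_GET['userSearch'] . '">';

// Hardened rendering: HTML-encode the value, quotes included, before it is
// placed inside the attribute. The browser then sees text, never markup.
function renderSearchForm(string $userSearch): string
{
    $safe = htmlspecialchars($userSearch, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="userSearch" value="' . $safe . '">';
}

// Constructed input: the payload from the mail, URL-decoded as the script
// would receive it in $_GET['userSearch'].
$constructedInput = 'foo"><script>alert(document.cookie)</script><"bar';

$html = renderSearchForm($constructedInput);
echo $html, PHP_EOL;
// Expected: <input type="text" name="userSearch"
//   value="foo&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;&quot;bar">

// Check a reviewer would want: no element can be opened from the value.
assert(strpos($html, '<script') === false);
assert(substr_count($html, '"') === 6); // only the attribute quotes we wrote

// Second layer, against the cookie theft the mail describes: the session
// cookie should hold an opaque id (never plaintext credentials) and be
// flagged HttpOnly so document.cookie cannot read it from injected script.
// Must run before any output is sent; placeholder id is constructed here.
if (!headers_sent()) {
    $sessionId = bin2hex(random_bytes(16)); // placeholder opaque session id
    setcookie('SID', $sessionId, [
        'httponly' => true,  // hides the cookie from document.cookie
        'secure'   => true,  // HTTPS only
        'samesite' => 'Lax',
    ]);
}
```

Running it from the CLI prints the encoded input element and both assertions pass; the `setcookie` call is skipped there because the echo has already sent output, which is the ordering mistake the `headers_sent()` guard catches.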