Tuesday, June 10, 2014

MPOS (cryptocurrencies mining portal) XSS

During another "sprint code review" session I found a simple XSS in MPOS JSONP handling. MPOS is a web based mining portal for various crypto currencies written in PHP.

The vulnerable input is the `callback` parameter (used for JSONP output) that was introduced in this commit. Its value is reflected unvalidated into the response, and the response is served with a `Content-Type: text/html` header, so a browser renders injected markup as a page instead of treating it as script.

Exploitation requires a valid API key; usually an attacker can obtain one simply by signing up to a pool.
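To show what the fix for this class of bug looks like, here is an added example of a JSONP handler that rejects any callback name which is not a plain JavaScript identifier and sends the result as script, not HTML. This is illustrative code written for this post, not MPOS's own code; the function names and the `hashrate`/`workers` sample payload are made up.

```php
<?php
// Added example (not MPOS code): a JSONP endpoint that validates the
// callback name instead of reflecting it, and that never answers with
// text/html. The original bug was the equivalent of
//   echo $_GET['callback'] . '(' . $json . ')';   under Content-Type: text/html
// which lets any string in ?callback= land in a rendered HTML page.

function isSafeCallbackName(string $callback): bool
{
    // Only dotted JS identifiers, e.g. "cb" or "pool.onStats". Anything
    // containing <, >, quotes, parentheses or whitespace is refused.
    $pattern = '/^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/';
    return strlen($callback) <= 64 && preg_match($pattern, $callback) === 1;
}

// Returns [HTTP status, Content-Type header value, body].
function buildJsonpResponse(array $payload, ?string $callback): array
{
    // JSON_HEX_* flags escape <, >, &, ' and " so the JSON body itself
    // cannot close a tag even if a proxy or sniffer treats it as HTML.
    $json = json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    if ($callback === null || $callback === '') {
        return [200, 'application/json; charset=utf-8', $json];
    }
    if (!isSafeCallbackName($callback)) {
        return [400, 'application/json; charset=utf-8', '{"error":"invalid callback"}'];
    }
    // Leading /**/ is the usual defence against content-sniffing of JSONP bodies.
    return [200, 'application/javascript; charset=utf-8', '/**/' . $callback . '(' . $json . ');'];
}

// Constructed sample payload standing in for real pool statistics.
$payload  = ['hashrate' => 1234.5, 'workers' => 2];
$callback = isset($_GET['callback']) ? (string) $_GET['callback'] : null;

[$status, $contentType, $body] = buildJsonpResponse($payload, $callback);
http_response_code($status);
header('Content-Type: ' . $contentType);
header('X-Content-Type-Options: nosniff'); // stop browsers re-interpreting the body as HTML
echo $body;
```

The `X-Content-Type-Options: nosniff` header and a non-HTML content type matter even with validation in place: they remove the "rendered as a page" condition noted above, so a future regression in the check would not immediately become script execution in the victim's browser.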


Found and reported: 25.05.2014
Fixed: 10.06.2014

PS: The parameter was introduced after a more or less security-related discussion here.

