Tuesday, June 10, 2014

MPOS (cryptocurrencies mining portal) XSS

During another "sprint code review" session I found a simple reflected XSS in the JSONP handling of MPOS. MPOS is a web-based mining portal for various cryptocurrencies, written in PHP.

The vulnerable parameter is callback, introduced in this commit. The callback name is reflected into the response body without any validation, and the response is served with a Content-Type of text/html rather than application/javascript, so the browser renders the reflected value as HTML and a callback such as a <script> tag executes in the pool's origin.

The attacker needs a valid API key; usually one can be obtained simply by signing up to the pool. The key does not have to belong to the victim: the attacker puts their own key into the link and delivers that link to the victim.

Example (XSS stands for the injected payload, e.g. a URL-encoded <script> tag):
https://pool/index.php?callback=XSS&page=api&action=getuserstatus&api_key=VALID_API_KEY
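To make the two points above concrete (unvalidated callback name, wrong Content-Type), here is an added example in the shape of the endpoint described. It is illustrative code written for this post, not MPOS's own code; the function names, the user-status payload and the dotted-identifier rule for callback names are assumptions of the example.

```php
<?php
// Added example, not MPOS's own code: a minimal JSONP endpoint in the shape
// the post describes, first as the vulnerable pattern and then hardened.
// Function names and payload contents are hypothetical.

declare(strict_types=1);

// Hypothetical user-status payload, constructed for this example.
function getUserStatusPayload(): array
{
    return ['username' => 'miner1', 'shares' => ['valid' => 123, 'invalid' => 2]];
}

// Vulnerable pattern: the callback is reflected verbatim and the response is
// served as text/html, so a browser renders the callback as markup.
function renderJsonpVulnerable(string $callback, array $payload): array
{
    return [
        'status'  => 200,
        'headers' => ['Content-Type' => 'text/html'],
        'body'    => $callback . '(' . json_encode($payload) . ');',
    ];
}

// Hardened pattern: the callback must look like a JavaScript identifier path
// (e.g. jQuery1710.cb) and the response is served as JavaScript with
// content sniffing disabled.
function isValidCallbackName(string $callback): bool
{
    $identifier = '[A-Za-z_$][A-Za-z0-9_$]*';
    return strlen($callback) <= 64
        && preg_match('/^' . $identifier . '(\.' . $identifier . ')*$/', $callback) === 1;
}

function renderJsonpHardened(?string $callback, array $payload): array
{
    // Escape <, >, &, ', " inside the JSON so the body cannot form HTML even
    // if a client ignores the declared type.
    $json = json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    $headers = ['X-Content-Type-Options' => 'nosniff'];

    if ($callback === null || $callback === '') {
        $headers['Content-Type'] = 'application/json; charset=utf-8';
        return ['status' => 200, 'headers' => $headers, 'body' => $json];
    }
    if (!isValidCallbackName($callback)) {
        $headers['Content-Type'] = 'application/json; charset=utf-8';
        return ['status' => 400, 'headers' => $headers,
                'body' => json_encode(['error' => 'invalid callback name'])];
    }
    $headers['Content-Type'] = 'application/javascript; charset=utf-8';
    // The leading comment is a common JSONP hardening: the body never starts
    // with the caller-chosen callback name.
    return ['status' => 200, 'headers' => $headers,
            'body' => '/**/' . $callback . '(' . $json . ');'];
}

// Demo: the request from the post's URL, with XSS replaced by a script tag.
$payload = getUserStatusPayload();
$evil    = '<script>alert(document.domain)</script>';

$bad = renderJsonpVulnerable($evil, $payload);
echo $bad['headers']['Content-Type'], "\n", $bad['body'], "\n";
// text/html, body begins with <script>alert(document.domain)</script>(...): executes

$rejected = renderJsonpHardened($evil, $payload);
echo $rejected['status'], ' ', $rejected['body'], "\n"; // 400 {"error":"invalid callback name"}

$ok = renderJsonpHardened('jQuery1710.cb', $payload);
echo $ok['headers']['Content-Type'], "\n", $ok['body'], "\n";
```

The two controls are independent and both matter: the whitelist stops the callback from carrying markup or arbitrary JavaScript, and the application/javascript type plus nosniff stops the browser from treating the body as a page when the URL is opened directly, which is exactly how the reflected payload in the post is delivered to a victim.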

Found and reported: 25.05.2014
Fixed: 10.06.2014

PS. The parameter was introduced after a more or less security-related discussion here.

3 comments:

  1. Thanks for your marvelous posting! I truly enjoyed reading it, you will be
    a great author. I will make certain to bookmark your blog and definitely
    will come back in the future. I want to encourage you to continue your great job, have
    a nice day!
    Pakar Seo | ★ Pakar Seo | ★ Pakar Seo

  2. This comment has been removed by a blog administrator.

  3. Additionally, an online payment by means of Bitcoin doesn't require you to fill in details regarding your own data. Hence, handling Bitcoin transactions is much easier than those carried out through U.S. bank accounts and Mastercards. bitcoin mixer