Tuesday, June 10, 2014

MPOS (cryptocurrencies mining portal) XSS

During another "sprint code review" session I found a simple XSS in MPOS JSONP handling. MPOS is a web based mining portal for various crypto currencies written in PHP.



Vulnerable is callback parameter introduced in this commit. (note: Content-Type response header is text/html)

Attacker needs a valid api key. Usually he can get it by just signing up to a pool.

Example:
https://pool/index.php?callback=XSS&page=api&action=getuserstatus&api_key=VALID_API_KEY

Found and reported: 25.05.2014
Fixed: 10.06.2014

Ps. It was introduced after more or less security-related discussion here.
Posted by at
Labels: , , , , ,

5 comments:

  1. Pakar SeoApril 24, 2017 at 7:32 AM

    Thanks for your marvelous posting! I truly enjoyed reading it, you will be
    a great author.I will make certain to bookmark your blog and definitely
    will come back in the future. I want to encourage yourself to continue your great job, have
    a nice day!
    Pakar Seo | ★ Pakar Seo | ★ Pakar Seo

    ReplyDelete
  2. Grosir Jaket ParkaApril 24, 2017 at 8:08 AM

    This comment has been removed by a blog administrator.

    ReplyDelete
  3. ElizebethSeptember 27, 2020 at 9:17 AM

    Additionally, an online installment by means of Bitcoin doesn't expect you to fill in insights regarding your own data. Henceforth, Bitcoin handling Bitcoin exchanges is much easier than those helped out through U.S. Ledgers and Mastercards. bitcoin mixer

    ReplyDelete
  4. AnonymousDecember 5, 2022 at 4:21 AM

    The pictures, numbers, or letters gamers see in a slot machine are what’s generally known as|often identified as} symbols. Common symbols utilized in slot machines are fruits, bells, 7’s, and bars, among others. Players win primarily based on what number of} of those symbols could be matched on a payline. Those winlines pay the participant primarily based on their bet 카지노사이트.online per line they bet on i.e. A participant could be on a single line to win or 25 strains to win at varying amounts per line.

    ReplyDelete
  5. py7tqc0skaJanuary 1, 2023 at 4:54 AM

    There can also be|can be} a trade-off between the RTP and the house edge. Ultimately, by rewarding both events with 카지노사이트 additional cash or tokens, find a way to|you possibly can} encourage gamers to spread the great word about your title. It may even give new users a great first impression, which could be crucial to successful over gamers from your competitors. And video versions will let you work together in numerous ways with the dealer and different gamers to satisfy all gamers' preferences. MBit was the first web site to launch that solely offered trading in Bitcoin and different cryptocurrencies. It doesn't settle for deposits by way of bank cards or different methods.

    ReplyDelete

Subscribe to: Post Comments (Atom)