Tuesday, June 10, 2014

MPOS (cryptocurrency mining portal) XSS

During another "sprint code review" session I found a simple XSS in MPOS JSONP handling. MPOS is a web-based mining portal for various cryptocurrencies, written in PHP.

The vulnerable part is the callback parameter, introduced in this commit. The value is reflected into the response without validation, and the Content-Type response header is text/html, so the browser renders the reflected value as markup instead of treating it as script.

An attacker needs a valid API key; usually one can be obtained simply by signing up to a pool.

Example:
https://pool/index.php?callback=XSS&page=api&action=getuserstatus&api_key=VALID_API_KEY
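As an added illustration that is not MPOS code (MPOS is written in PHP; this is a Python stand-in for the same handler logic), here is the pattern behind this bug next to a hardened JSONP endpoint. The function names, the callback allow-list regex, the 64-character length cap and the sample payload are assumptions made for the example. The hardened version restricts the callback to a dotted JavaScript identifier, serves the body as application/javascript with nosniff, and prefixes it with a comment so the response can never begin with caller-chosen bytes.

```python
import json
import re

# Allow-list for JSONP callback names (assumption for this example):
# a dotted JavaScript identifier such as "jQuery17_123" or "app.onStats".
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)
MAX_CALLBACK_LEN = 64  # arbitrary cap chosen for this example


def is_safe_callback(name):
    """True only for a short, dotted identifier; anything containing
    markup, parentheses, quotes or whitespace is rejected."""
    if not name or len(name) > MAX_CALLBACK_LEN:
        return False
    return CALLBACK_RE.fullmatch(name) is not None


def render_jsonp_vulnerable(callback, payload):
    """The bug pattern: the callback is echoed verbatim and the response is
    labelled text/html, so a value like <script>...</script> is rendered
    and executed by the browser. Returns (status, headers, body)."""
    body = "%s(%s)" % (callback, json.dumps(payload))
    return 200, {"Content-Type": "text/html"}, body


def render_jsonp_hardened(callback, payload):
    """Hardened handler: reject anything that is not an identifier, serve
    as JavaScript with nosniff, and never start the body with caller data.
    Returns (status, headers, body)."""
    if not is_safe_callback(callback):
        error = json.dumps({"error": "invalid callback"})
        return 400, {"Content-Type": "application/json; charset=utf-8"}, error
    # json.dumps with the default ensure_ascii=True escapes non-ASCII
    # characters, including U+2028/U+2029, which would otherwise break a
    # JavaScript string literal inside the script body.
    body = "/**/%s(%s);" % (callback, json.dumps(payload))
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


# Constructed sample data shaped like a per-user status response; the
# field names are made up for this example, not MPOS's real output.
SAMPLE_STATUS = {
    "username": "miner1",
    "hashrate": 12.5,
    "shares": {"valid": 10, "invalid": 0},
}


def demo(callback):
    """Run the same callback through both handlers for comparison."""
    return {
        "vulnerable": render_jsonp_vulnerable(callback, SAMPLE_STATUS),
        "hardened": render_jsonp_hardened(callback, SAMPLE_STATUS),
    }


if __name__ == "__main__":
    for cb in ("jQuery17_123", "<script>alert(1)</script>"):
        for label, (status, headers, body) in demo(cb).items():
            print(label, status, headers["Content-Type"], repr(body))
```

The allow-list check is the part that actually fixes the bug; the content type and nosniff header are defence in depth so that, even if a future change reflects something else, the browser will not sniff the response into HTML.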

Found and reported: 25.05.2014
Fixed: 10.06.2014

PS: It was introduced after a more or less security-related discussion here.
