Tuesday, June 10, 2014

MPOS (cryptocurrencies mining portal) XSS

During another "sprint code review" session I found a simple XSS in MPOS JSONP handling. MPOS is a web based mining portal for various crypto currencies written in PHP.

Vulnerable is callback parameter introduced in this commit. (note: Content-Type response header is text/html)

Attacker needs a valid api key. Usually he can get it by just signing up to a pool.


Found and reported: 25.05.2014
Fixed: 10.06.2014

Ps. It was introduced after more or less security-related discussion here.


  1. This comment has been removed by a blog administrator.

  2. Additionally, an online installment by means of Bitcoin doesn't expect you to fill in insights regarding your own data. Henceforth, Bitcoin handling Bitcoin exchanges is much easier than those helped out through U.S. Ledgers and Mastercards. bitcoin mixer

  3. The pictures, numbers, or letters gamers see in a slot machine are what’s generally known as|often identified as} symbols. Common symbols utilized in slot machines are fruits, bells, 7’s, and bars, among others. Players win primarily based on what number of} of those symbols could be matched on a payline. Those winlines pay the participant primarily based on their bet 카지노사이트.online per line they bet on i.e. A participant could be on a single line to win or 25 strains to win at varying amounts per line.