Since its patched now, Here is some live XSS on gaiaonline.

Printable View

25 Sep. 2011, 07:58pm
Aleena

Since its patched now, Here is some live XSS on gaiaonline.

http://www.youtube.com/watch?v=glCMpXANmXY

Found it the other day.
Told XiRaX about it earlier today, And as of about....5 minutes ago, Patched.

But, for those of you in underground silver who saw my documenting of XSS properties in gaiaonline, this should give you some insight.

It worked out Very well, In this video I only did two demonstrations, One was the html of gaia`s cashshop history viewer (AKA email exploit) And the other was just the d8silo index.

Amazing how quick gaia is at patching, Probably a good thing too, This could have raised some hell.
25 Sep. 2011, 08:00pm
The Unintelligible

Smooth move, Aleena.
25 Sep. 2011, 08:02pm
XiRaX

Everything we touch on Gaia get's patched. We should of took action while we had the chance.
25 Sep. 2011, 08:02pm
Aleena

Quote:

Originally Posted by The UnIntelligible

Smooth move, Aleena.

Fix`d
thankies sir.

Edit:
Fixed XXS
25 Sep. 2011, 10:30pm
Skrillex

Quote:

Originally Posted by The UnIntelligible

Smooth move, Aleena.

Not everything can be held onto. Smart one. Atleast he posted about it. And not just kept it to himself. Learn how to be a good new member. :EmoteSerious:
25 Sep. 2011, 10:38pm
Taz

Quote:

Originally Posted by Skrillex

Not everything can be held onto. Smart one. Atleast he posted about it. And not just kept it to himself. Learn how to be a good new member. :EmoteSerious:

Huh. ?
25 Sep. 2011, 10:42pm
Aleena

Quote:

Originally Posted by Skrillex

Not everything can be held onto. Smart one. Atleast he posted about it. And not just kept it to himself. Learn how to be a good new member. :EmoteSerious:

...? I dont think he was insulting me o.0
Though if he was *shrugs* Whatever he needs to feel good about himself.

Its not like I dont have a handfull of other exploits still functional.

Here are some of my toys found and patched in the last two months
--------------------------------------
Banning users from flashgames using moddog
Admin panel access
Email / cash purchase history lookup
Send false ban requests in moddog
Cashshop editor
Create secondary password
Crypto bypass method for secondary password
Enabling / Disabling admin panel functions for public use
Enabling / Disabling test server public use.
Editing / Creating pages in gaiaonline
Editing event pages
And today, XSS through the event editing page

Hell, There are still exploits not patched.
(Only posting one which I posted publicly last week, Others stay UG)
http://gaiaonline.com/admin/flash/vj_utils.swf

And dont worry, I will toss out some more stuff in UG in the near future, Just trying to decide what would be a good one to start with that wouldn't adversely effect the others.
25 Sep. 2011, 11:01pm
The Unintelligible

Quote:

Originally Posted by Skrillex

Not everything can be held onto. Smart one. Atleast he posted about it. And not just kept it to himself. Learn how to be a good new member. :EmoteSerious:

Wasn't what I meant by 'smooth move', but OK.
Anyways, just an FYI - I've been here longer than you have.
25 Sep. 2011, 11:10pm
Skrillex

Quote:

Originally Posted by The UnIntelligible

Wasn't what I meant by 'smooth move', but OK.
Anyways, just an FYI - I've been here longer than you have.

Just a FYI Looks like you made a account and left. Then came back all of a sudden. Date you joined doesn't mean anything.
25 Sep. 2011, 11:39pm
The Unintelligible

Quote:

Originally Posted by Skrillex

Not everything can be held onto. Smart one. Atleast he posted about it. And not just kept it to himself. Learn how to be a good new member. :EmoteSerious:

Oh, but it does mean something when you directly stated that I'm a new member. Which was false, might I add. Something ironic to throw on-top of that is the fact that I've been here longer than you, which gives you no sense of entitlement whatsoever to tell me what you told me.
25 Sep. 2011, 11:50pm
Skrillex

Quote:

Originally Posted by The UnIntelligible

Oh, but it does mean something when you directly stated that I'm a new member. Which was false, might I add. Something ironic to throw on-top of that is the fact that I've been here longer than you, which gives you no sense of entitlement whatsoever to tell me what you told me.

You know. I like your user title. The UnIntelligible
I'm new
26 Sep. 2011, 01:12am
Drakonid

Kids, don't make me lock another thread.
26 Sep. 2011, 01:16am
Skrillex

Quote:

Originally Posted by Drakonid

Kids, don't make me lock another thread.

I sowwy Drak. I be good now. Okz? I just wanted my opinion to go out.
26 Sep. 2011, 02:00am
The Unintelligible

Yee. We don't want a 1337 thread like this being locked, now do we?
But just so you know, Skrill, your opinion(s) will and always will be absolutely meaningless. Just putting that out there so you know that what you said/say isn't worth getting this thread locked over.
26 Sep. 2011, 02:03am
Omlett

I lol'd .
26 Sep. 2011, 02:37am
Skrillex

Quote:

Originally Posted by The UnIntelligible

Yee. We don't want a 1337 thread like this being locked, now do we?
But just so you know, Skrill, your opinion(s) will and always will be absolutely meaningless. Just putting that out there so you know that what you said/say isn't worth getting this thread locked over.

You said the right word for u coming in here like u are god..... Meaningless
26 Sep. 2011, 03:52am
XiRaX

Just stop this shit, holy fuck.
26 Sep. 2011, 12:10pm
Aleena

Quote:

Originally Posted by Drakonid

Kids, don't make me lock another thread.

Thanks drak, You know I dont like my threads closed.

Everyone kiss and makeup now.