Open Source and information security mailing list archives
Date: Mon, 7 Feb 2005 08:05:23 -0600
From: Jonathan Rockway <jrockw2@....edu>
To: bugtraq@...urityfocus.com
Subject: XSS Vulnerability at thefacebook.com


XSS Vulnerability at thefacebook.com

Not surprisingly, "thefacebook" <http://www.thefacebook.com/> 
contains an XSS hole.  Basically, the signup form for paid 
announcements lets you add a school to display the announcement at.  
The script that adds the school accepts the name of the school as the 
"add" argument.  Any HTML can be injected here, leading to an XSS 
exploit.  Here's a sample injection:

http://www.thefacebook.com/announce.php?step=1&add=
<script>
var c = document.cookie;
alert("Security hole. ");
document.write("Your cookie is: <b>");
document.write(c);
document.write("</b>.<br><br><h1><font color=red>All of your personal 
information has been compromised.</b></font></h1></html>");
</script>

(pretty printed for easy analysis; put everything on one line to test 
this)

This can be used to steal a user's session cookie if you can convince 
him to click the link.  That should be easy since thefacebook.com often 
sends e-mails saying "click here to join XYZ group".  Just make one 
look convincing and you can conceivably obtain the personal information 
of anyone at the school that that user attends.  Seems like an 
excellent way to harvest e-mail addresses, cell phone numbers, AIM 
screennames, etc.

Obviously you would need to modify the above script to do this; the 
code above prints the user's cookie, displays a dialog that says 
"Security hole.", and writes "All of your personal information has been 
compromised." to the screen in a scary red font.

For those just tuning in, the usual way of exploiting XSS holes is to 
load an image or iframe from a site you control with the output of 
document.cookie in the URL somewhere.  Then you can extract the stolen 
cookies from your access log.  Even more fun is to load a remote perl 
script and send the cookie as the argument.  Then your script can call 
curl --cookie "example=cookie" and get a privileged page.  Then you can 
parse it and display key facts back to the user (via an iframe). For 
example, you could write: "Your personal information has been stolen.  
Your girlfriend's phone number is 123.456.7890"  Perhaps this will 
teach users not to supply their personal information to an insecure, 
untrusted site that presumably profits from allowing other people to 
view this information!

In addition, it also seems like this hole can allow you to get a 
discount on their advertising rates.  For example, adding the school 
named 'Ill.%20Chicago%20<b>' will reduce the ad rate from $12 to $10 
(at the time of this writing; the web form looked like it would have 
let me pay $10 for an ad at "Ill. Chicago").
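An added illustration (not part of the original advisory) of the two defects described above, a reflected "add" parameter echoed into HTML and a price derived from that same string, shown beside hardened handling. The rate table, the render templates and the probe value are constructed assumptions; the real announce.php logic is not known from the post.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample request: the URL shape from the advisory with the
# payload collapsed to one line (as the post suggests) and URL-encoded.
SAMPLE_URL = ('http://www.thefacebook.com/announce.php?step=1&add='
              '%3Cscript%3Ealert(%22Security%20hole.%20%22)%3C/script%3E')

# Constructed rate table; a hypothetical stand-in for the site's pricing.
RATES_BY_SCHOOL = {'ill. chicago': 10, 'harvard': 12}
DEFAULT_RATE = 12


def add_param(url):
    """The 'add' value as the server receives it after URL decoding."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get('add', [''])[0]


def render_vulnerable(school):
    """The flaw described: the parameter is echoed into the page untouched,
    so any tags in it become part of the document."""
    return f'<p>Announcement will be shown at: {school}</p>'


def render_hardened(school):
    """Contextual output encoding for an HTML text node: & < > " ' are
    escaped, so the browser shows the tags as text instead of running them."""
    return f'<p>Announcement will be shown at: {html.escape(school, quote=True)}</p>'


def rate_for(school):
    """Price from a server-side table keyed on a normalized name. A name
    padded with markup (e.g. 'Ill. Chicago <b>') no longer matches any
    tier and falls back to the default rather than a cheaper one."""
    return RATES_BY_SCHOOL.get(school.strip().lower(), DEFAULT_RATE)


def reflection_is_unescaped(response_html, probe='<script>'):
    """Regression check for a reflected parameter: markup from the probe
    must never appear literally in the response."""
    return probe in response_html
```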

The latest version of this advisory is available at:
<http://www.uic.edu/~jrockw2/20050207_facebook.txt>

Regards,
-- 
Jonathan Rockway <jrockway@...puter.org>
Student - University of Illinois at Chicago
http://www.uic.edu/~jrockw2/index.html
