Date: Thu, 3 May 2007 09:03:29 -0400 (EDT)
From: jeremy borne <jeremy_borne_again@...oo.ca>
To: full-disclosure@...ts.grok.org.uk
Subject: XSS in secure.somethingawful.com at Something Awful AGAIN.

A NEW shocking, disturbing and horrifying expose on: 

Something Awful
http://somethingawful.com

          This edition: Radium's unforgivable sins -- A Regression!

This report is brought to you by: Buttes. What have you had in your butte today?
--------------------------------------------------------------------------------

BACKGROUND:
Sass members post a previous XSS to FD. What happens? They disable the feature.
Something Awful no longer accepts donations.

Sass members, knowing full well that former site admin Radium was massively
incompetent and didn't understand escaping user input, decided to try other
fields on secure.somethingawful.com.

ORIGINAL POST by slowtax:

In the (http://sass.buttes.org/forum/viewtopic.php?id=523) last thread I showed
you the XSS vuln in Something Awful's donation form. Turns out as soon as
somebody posted it on:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/53329 
Full Disclosure, instead of fixing the underlying problem, they just removed the
https://secure.somethingawful.com/forumsystem/index.php?item=donate
page from the site.

This was a retarded thing to do, and I now present you with XSS in 
https://secure.somethingawful.com/forumsystem/index.php?item=others_custom_title

Simply fill the "User title is for" form in with
<script>alert(document.cookie);</script> and fill the e-mail address with
something that looks legit.

Remember kids, this is all thanks to radium's great session rewrite allowing
cookies from *.somethingawful.com :D


DESCRIPTION:
Unchecked string in https://secure.somethingawful.com

EXPLOIT:
1. Go to https://secure.somethingawful.com/forumsystem/index.php?item=others_custom_title
2. Enter anything for a username and a legitimate-looking email address.
3. Enter <script>alert(document.cookie);</script> in the "User title is for" field.

RESULT:
Session cookie for any user for SomethingAwful.com. This allows for a trivial
session hijack.

CAUSE:
Recently, in his infinite brilliance and vastly superior knowledge of website
security and web design, Kenneth decided to change all cookies for users of
the website to be for the domain *.somethingawful.com. This means that forum
session cookies are now available to any subdomain of somethingawful.com.
Presumably this was done out of sheer laziness, with no consideration for the
possible threat to security.

KEYWORDS: Something Awful, SomethingAwful, XSS, Radium, Identity Theft,
          Incompetence, Goons, Failure, Idiocy
          
E-PROPS TO: Slowtax, SASS: The Something Awful Sycophant Squad
           (http://sass.buttes.org) for finding this.

REFERENCE: http://sass.buttes.org/forum/viewtopic.php?id=4240 (free registration
       required).
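The post names two defects: the "User title is for" field is reflected into the page without escaping, and the session cookie is scoped to *.somethingawful.com so any subdomain can read it. The following Python is an added illustration of the fixes, not code from the post or from the site; the cookie name bbsession and the host names are assumed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: the payload quoted in the post above.
SAMPLE_TITLE_FOR = '<script>alert(document.cookie);</script>'


def render_title_for(title_for: str) -> str:
    """Reflect the 'User title is for' field into HTML with output escaping.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    browser displays the submitted text instead of executing it as script.
    """
    return '<p>User title is for: %s</p>' % html.escape(title_for, quote=True)


def session_cookie_header(session_id: str, domain: str = '') -> str:
    """Build a Set-Cookie line for the forum session (cookie name is hypothetical).

    With domain='' the Domain attribute is omitted, so the cookie is host-only
    and is never sent to sibling subdomains. HttpOnly stops document.cookie
    from reading it even if a script injection slips through elsewhere.
    Passing domain='.somethingawful.com' reproduces the broad scope the post
    complains about, for comparison.
    """
    c = SimpleCookie()
    c['bbsession'] = session_id
    c['bbsession']['path'] = '/'
    c['bbsession']['httponly'] = True
    c['bbsession']['secure'] = True
    if domain:
        c['bbsession']['domain'] = domain
    return c.output(header='').strip()


def cookie_sent_to(set_cookie: str, setting_host: str, request_host: str) -> bool:
    """Return True if a cookie set by setting_host is sent to request_host.

    Applies the RFC 6265 domain-match rule: with no Domain attribute only the
    exact setting host receives it; with Domain=.example.com that domain and
    every subdomain of it do.
    """
    c = SimpleCookie()
    c.load(set_cookie)
    morsel = next(iter(c.values()))
    domain = morsel['domain'].lstrip('.').lower()
    if not domain:
        return request_host.lower() == setting_host.lower()
    rh = request_host.lower()
    return rh == domain or rh.endswith('.' + domain)
```

The contrast between the host-only header and the .somethingawful.com one shows why the wildcard scope turned a reflected XSS on secure.somethingawful.com into a forum session theft.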
