lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <893889.65198.qm@web37212.mail.mud.yahoo.com>
Date: Thu, 7 Dec 2006 23:26:07 -0800 (PST)
From: Rajesh Sethumadhavan <rajesh.sethumadhavan@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Orkut Multiple Cross Site Scripting
	Vulnerabilities

Orkut Multiple Cross Site Scripting Vulnerabilities
   
  #####################################################################
  XDisclose Advisory       : XD100092
Vulnerability Discovered: November 18th 2006
Advisory Released        : December 08th 2006
Credit                          : Rajesh Sethumadhavan
  Class                          : Cross Site Scripting
                                    HTML Injection
Severity                       : Medium
Solution Status            : Unpatched
Vendor                        : Google Inc
Vendor Website           : http://www.orkut.com
Affected applications    : Orkut Services
Affected Platform         : All
  #####################################################################
  
Overview:
Orkut is an Internet social network service run by Google and named
after its creator, Orkut Büyükkökten. It claims to be designed to
help users meet new friends and maintain existing relationships with
pictures and messages, and establish new ones by reaching out to
people you've never met before.
   
  Orkut service is vulnerable to Cross-Site Scripting and HTML
Injection. This is caused due to improper validation of user-supplied
inputs.
  
Description:
A remote attacker can craft a GET request with the XSS payload as
demonstrated below. When the victim clicks on the GET request the
payload will get executed which result in stealing of cookie, IP info,
refer info, browser information, clipboard content, operating system
info, hardware Info, modification of page or html injection, url
redirection, port scanning of the network, and even phishing is
possible.
  1)Orkut Invite XSS:
    The flaws are due to improper sanitization of inputs passed to
  'continue' parameter in GET request
  -------------------------------------------------------------------
  http://www.orkut.com/Invite.aspx?continue=javascript:alert(document.cookie)
  ------------------------------------------------------------------
  Demonstration:
Note: Demonstration leads to your personal information disclosure
  - Login to your orkut account
- Paste the above URL
- Click on BACK button
- Orkut Cookies will get displayed
    The similar way HTML injection is also possible.
    Vulnerable Code:
  ------------------------------------------------------------------
    <td valign="top">
  <table class="btn" border="0" cellpadding="0" cellspacing="0"
  onmouseover="this.className='btnHover'" onmouseout="this.className
  ='btn'">
  <tr style="cursor: pointer;" onclick="window.location='javascript:
  alert(document.cookie)';" id="b0">
  <td><img src="http://images3.orkut.com/img/bl.gif" alt="" /></td>
  <td nowrap style="background: url
  (back'>http://images3.orkut.com/img/bm.gif)">back
  </td>
    ------------------------------------------------------------------
  2)Orkut Next page XSS:
    The flaws are due to improper sanitization of inputs passed to 'nid'
  parameter in GET request. This vulnerability is already fixed 2 days
  before
  Get Request with XSS payload:
  ------------------------------------------------------------------
  http://www.orkut.com/Scrapbook.aspx?uid=3595989687719502785&pageSize
  =&na=3&nst=-2&nid=13550271097807907792-%22};%20alert('Xdisclose');%
  20function%20tt(){//
  ------------------------------------------------------------------
    Vulnerable Code:
  ------------------------------------------------------------------
    function changePageSize(value) {
 window.location="/Scrapbook.aspx?uid=3595989687719502785&na=
 1&nst=1&nid=13550271097807907792-"}; alert('Xdisclose');
 function tt(){//&pageSize="+value;
  }
    ------------------------------------------------------------------
  
Solution:
Orkut can improve their filters by disallowing certain characters
like " <>/\?&`~!@...^*()[]|;:"' " in user input URL.
  
Screenshot:
http://www.xdisclose.com/Images/xdorkutinvitexss.jpg
  
Impact:
Successful exploitation allows execution of arbitrary script code in
a user’s browser session in context of an affected site which result
in stealing of cookie, IP info, refer info, browser information,
clipboard content, operating system info, Referer info, hardware Info,
modification of page or html injection (temporary webpage defacement),
modification of page title, hijacking page flow, url redirection, port
scanning of the victim’s network, and even phishing is possible.
  Impact of the vulnerability is network level.
  
Original Advisory:
http://www.xdisclose.com/XD100092.txt
  
Credits:
Rajesh Sethumadhavan has been credited with the discovery of this
vulnerability
  
Disclaimer:
This entire document is strictly for educational, testing and
demonstrating purpose only. Modification use and/or publishing this
information is entirely on your own risk. The exploit code is to be
used on your own orkut account. I am not liable for any direct or 
indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.


 
---------------------------------
Everyone is raving about the all-new Yahoo! Mail beta.
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ