| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20070426011036.95F7410284@ws1-3.us4.outblaze.com>
Date: Wed, 25 Apr 2007 20:10:36 -0500
From: "Pedro Martinez" <sassycophants@...erdude.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Severe vulnerability in
https://secure.somethingawful.com
A shocking, disturbing and horrifying expose on
____ __ _ ___ ___ __
/ __/__ __ _ ___ / /_(_)__ ___ _ / _ |_ __/ _/_ __/ /
_\ \/ _ \/ ' \/ -_) __/ / _ \/ _ `/ / __ | |/|/ / _/ // / /
/___/\___/_/_/_/\__/\__/_/_//_/\_, / /_/ |_|__,__/_/ \_,_/_/
/___/ This edition: Radium's unforgivable sins
This report is brought to you by: Buttes. What have you had in your butte today?
--------------------------------------------------------------------------------
BACKGROUND:
Meet Radium. Seemingly a typical user handle for a forum. Convenient to hide
behind, and creative compared to "DiQuELiCkUr69" or similar popular forum
handles.
This is the handle of Kenneth Stumpf, the administrator of Something Awful.
Those who follow Something Awful's drama are well aware that he was recently
"fired" from his position as an administrator at Something Awful. This has been
debunked as a blatant lie on the part of the administration team, not totally
unexpectedly, since any sane human being realizes that Richard "Lowtax" Kyanka
is a compulsive liar and crook.
In light of these recent developments it was thought prudent to disclose a very
disturbing XSS exploit found in SomethingAwful's "Secure" ordering system.
Every "goon" (derrogatory nickname for a SomethingAwful user) must use this very
broken and insecure system to perform their day-to-day transactions on the
website, such as registering an acccount (at a cost of $10), purchasing an
avatar image (an additional $10), purchasing the ability to search for previous
posts (an additional $10), purchasing an emoticon (an additional $35) or
when purchasing a banner ad (usually at $10 per ad, depending on the purpose).
DESCRIPTION:
Unchecked string in https://secure.somethingawful.com
EXPLOIT:
1. Go to https://secure.somethingawful.com/forumsystem/index.php?item=donate
2. Enter anything for a username and a legitimate-looking email address.
3. Enter <script>alert(document.cookie);</script> in the Donate field.
RESULT:
Session cookie for any user for SomethingAwful.com. This allows for a trivial
session hijack.
CAUSE:
Recently, in his infinite brilliance and vastly superior knowledge of website
security and web design, Kenneth decided to change all cookies for users of
the website to be for the domain *.somethingawful.com. This means that forum
session cookies are now available to any subdomain of somethingawful.com.
Presumably this was done out of sheer laziness, with no consideration for the
possible threat to security.
KEYWORDS: Something Awful, SomethingAwful, XSS, Radium, Identity Theft,
Incompetence, Goons, Failure, Idiocy
E-PROPS TO: SASS: The Something Awful Sycophant Squad (http://sass.buttes.org)
for finding this.
REFERENCE: http://sass.buttes.org/forum/viewtopic.php?id=523 (free registration
required).
=
Industrial Power Products
Industrial batteries and chargers for forklifts - parts, accessories, safety items, and handling equipment.
http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=fb7d9bc44fd159097c65a6251bd721df
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists