[<prev] [next>] [day] [month] [year] [list]
Message-ID: <641511.28965.qm@web63202.mail.re1.yahoo.com>
Date: Thu, 3 May 2007 09:03:29 -0400 (EDT)
From: jeremy borne <jeremy_borne_again@...oo.ca>
To: full-disclosure@...ts.grok.org.uk
Subject: XSS in secure.somethingawful.com at Something
Awful AGAIN.
A NEW shocking, disturbing and horrifying expose on:
Something Awful
http://somethingawful.com
This edition: Radium's unforgivable sins -- A Regression!
This report is brought to you by: Buttes. What have you had in your butte today?
--------------------------------------------------------------------------------
BACKGROUND:
Sass members post a previous XSS to FD. What happens? They disable the feature.
Something Awful no longer accepts donations.
Sass members, knowing full well that former site admin Radium was massively
incompetent and didn't understand escaping user input decided to try other
fields on secure.somethingawful.com
ORIGINAL POST by slowtax:
In the (http://sass.buttes.org/forum/viewtopic.php?id=523) last thread I showed
you the XSS vuln in Something Awful's donation form. Turns out as soon as
somebody posted it on:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/53329
Full Disclosure, instead of fixing the underlying problem, they just removed the
https://secure.somethingawful.com/forumsystem/index.php?item=donate
page from the site.
This was a retarded thing to do, and I now present you with XSS in
https://secure.somethingawful.com/forumsystem/index.php?item=others_custom_title
Simply fill the "User title is for" form in with
<script>alert(document.cookie);</script> and fill the e-mail address with
something that looks legit.
Remember kids, this is all thanks to radium's great session rewrite allowing
cookies from *.somethingawful.com :D
DESCRIPTION:
Unchecked string in https://secure.somethingawful.com
EXPLOIT:
1. Go to https://secure.somethingawful.com/forumsystem/index.php?item=others_custom_title
2. Enter anything for a username and a legitimate-looking email address.
3. Enter <script>alert(document.cookie);</script> in the "User title is for" field.
RESULT:
Session cookie for any user for SomethingAwful.com. This allows for a trivial
session hijack.
CAUSE:
Recently, in his infinite brilliance and vastly superior knowledge of website
security and web design, Kenneth decided to change all cookies for users of
the website to be for the domain *.somethingawful.com. This means that forum
session cookies are now available to any subdomain of somethingawful.com.
Presumably this was done out of sheer laziness, with no consideration for the
possible threat to security.
KEYWORDS: Something Awful, SomethingAwful, XSS, Radium, Identity Theft,
Incompetence, Goons, Failure, Idiocy
E-PROPS TO: Slowtax, SASS: The Something Awful Sycophant Squad
(http://sass.buttes.org) for finding this.
REFERENCE: http://sass.buttes.org/forum/viewtopic.php?id=4240 (free registration
required).
---------------------------------
Ask a question on any topic and get answers from real people. Go to Yahoo! Answers.
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists