| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 03 Feb 2010 10:10:55 +0100
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: bugs@...uritytracker.com, news@...uriteam.com,
full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
packet@...ketstormsecurity.org, bugtraq@...urityfocus.com
Subject: [ISecAuditors Security Advisories] Facebook HTML
and Script code injection vulnerability
=============================================
INTERNET SECURITY AUDITORS ALERT 2010-001
- Original release date: January 8th, 2010
- Last revised: February 3rd, 2010
- Discovered by: Juan Galiana Lara
- Severity: 6.3/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Facebook HTML and Script code injection vulnerability
II. BACKGROUND
-------------------------
Facebook is a social networking website that is operated and privately
owned by Facebook, Inc. Users can add friends and send them messages,
and update their personal profiles to notify friends about themselves.
Additionally, users can join networks organized by city, workplace,
school, and region. The website's name stems from the colloquial name
of books given at the start of the academic year by university
administrations with the intention of helping students to get to know
each other better.
III. DESCRIPTION
-------------------------
The mobile interface of Facebook social network is affected by
Cross-Site Scripting vulnerability due variable "q" is not properly
sanitized in http://m.facebook.com/friends.php.
An attacker can inject HTML or script code in the context of victim's
browser, so can perform XSS attacks, and steal cookies of a targeted user.
IV. PROOF OF CONCEPT
-------------------------
http://m.facebook.com/friends.php?q=%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E
V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser, this can leverage to steal user targeted cookies.
VI. SYSTEMS AFFECTED
-------------------------
Facebook
VII. SOLUTION
-------------------------
Corrected
VIII. REFERENCES
-------------------------
http://www.facebook.com
http://www.isecauditors.com
http://juangaliana.blogspot.com
IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
January 8, 2010: Initial release.
February 3, 2010: Last revision.
XI. DISCLOSURE TIMELINE
-------------------------
January 2, 2010: Discovered by Internet Security Auditors.
January 9, 2010: Vendor contacted including PoC. No response.
January 11, 2010: Second contact. No response.
January 19, 2010: Third contact. No response.
January 20, 2010: Vulnerability corrected without any
kind of contact.
January 31, 2010: Response from Facebook Security member
requiring info.
February 3, 2010: Sent to lists for public interest.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists