Full Disclosure mailing list archives
Re: Verisign Login Hijacking
From: Jeremiah Cornelius <jeremiah () nur net>
Date: Thu, 25 Sep 2003 16:29:14 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 25 September 2003 08:23, SoloNet Newsfeed wrote: <SNIP>
The example format that Verisign uses, which allows for login-less access to the account administration (which, back in the good old days, required e-mail verification, Crypt-PW or even PGP), makes this laughable. Enjoy folks, here's your example URL: https://www.networksolutions.com/en_US/manage-it/domain-detail.jhtml;jsessionid=XXXXXXXXXXXXXXXXXXXXXXX?accountId=11111111&instanceId=AA.B.22222222&home=true&_requestid=33333
<SNIP> This also opens: https://www.networksolutions.com/en_US/popexit/popstealth.html
cookie hell, 6 Month expiration:
[.networksolutions.com]
www.networksolutions.com "" "/" 1067121331 200 poppr ot 0 https:
www.networksolutions.com "" "/" 1067121331 200 popse en 0 seen
www.networksolutions.com "" "/" 2143238400 200 vrsns f 0 3P3RTLQGSKAHSCWLEALSFFA
I use Konqueror, under KDE, and the page stays open in a separate tab, instead of closing. Cookie hell. Source below:
______________________________________________________________
<html>
<head>
<title>NetworkSolutions Consumer Insight</title>
</head>
<!--
  NOTE(review): window placement script.
  When the user agent string contains "msie" at an index above 0, the window
  is moved to screen position 1000,1000; presumably this pushes the pop-up out
  of view on the displays of the time (TODO confirm). "major" is computed here
  but not used in this script.
-->
<script language=javascript>
var agt=navigator.userAgent.toLowerCase();
var major=(agt.indexOf('6',0));
var client=(agt.indexOf("msie"));
if (client>0) {window.moveTo(1000,1000);} else { }
</script>
<!--
  NOTE(review): cookie helpers, cookie writes and redirect handlers.
  * getCookie(name) searches document.cookie for "name=" anywhere in the
    string, so getCookie("prot") can also match inside "popprot=". The
    setCookie call placed after its return statement is never reached, and
    begin / end are assigned without var.
  * setCookie appends "; secure" whenever its sixth argument is not null,
    whatever the value; it omits "expires" when the third argument is null
    or missing.
  * The comment says 6 months, but setMonth(getMonth()+1) moves the expiry one
    month ahead, which agrees with the 1067121331 expiry in the cookie listing
    above (late October 2003).
  * popseen and popprot are written with path=/ and without a secure
    attribute.
  * error1 and error2 have identical bodies: they append the T3 form value to
    url and navigate to the scheme opposite to the one read from the "prot"
    cookie, so a stored value of https: leads to an http:// URL.
  * The space after "popexit/" in the url string is reproduced as printed in
    the message; it looks like mail line wrapping (TODO confirm).
-->
<script language="javascript">
function getCookie(NameOfCookie) {
  if (document.cookie.length > 0) {
    begin = document.cookie.indexOf(NameOfCookie+"=");
    if (begin != -1) {
      begin += NameOfCookie.length+1;
      end = document.cookie.indexOf(";", begin);
      if (end == -1) end = document.cookie.length;
      return unescape(document.cookie.substring(begin, end));
      setCookie(NameOfCookie,true,1);
    }
  }
  return null;
}
//function for setting a cookie.
function setCookie(name, value, expires, path, domain, secure) {
  document.cookie = name + "=" + escape(value) +
    ((expires == null) ? "" : "; expires=" + expires.toGMTString()) +
    ((path == null) ? "" : "; path=" + path) +
    ((domain == null) ? "" : "; domain=" + domain) +
    ((secure == null) ? "" : "; secure");
  return true;
}
// Expire date assigment (6 Months)
var expiredate;
expiredate=new Date;
expiredate.setMonth(expiredate.getMonth()+1);
// Writing the cookie , when the user sees the pop up.
document.cookie="popseen=seen;expires="+expiredate.toGMTString()+";path=/;";
document.cookie="popprot="+location.protocol +";expires="+expiredate.toGMTString()+";path=/;";
var url = "://www.networksolutions.com/en_US/popexit/ popstealth2.html?adName=";
function error1() {
  url = url + document.F1.T3.value;
  prot=getCookie("prot");
  if (prot=="https:") {
    url = "http"+url;
    location.href= url;
  } else {
    url = "https"+url;
    location.href= url;
  }
}
function error2() {
  url = url + document.F1.T3.value;
  prot=getCookie("prot");
  if (prot=="https:") {
    url = "http"+url;
    location.href= url;
  } else {
    url = "https"+url;
    location.href= url;
  }
}
</script>
<body onerror="error1()">
<form name="F1">
<input type="hidden" name="T1" value="0" size="66">
<input type="hidden" name="T2" value="0" size="66">
<input type="hidden" name="T3" value="1" size="66">
<p><font face="Verdana" color="#5B7997">NetworkSolutions Consumer Insight</ font></p>
</form>
<p> </p>
</body>
<!--
  NOTE(review): polling script.
  * Both branches schedule checkfx once per second through a string argument
    to setInterval; the vbcheckfx call is commented out.
  * checkfx stores top.location.protocol in a cookie named "prot" (no expires
    argument, so a session cookie), then copies window.opener.location into
    hidden field T1. For the URL format quoted earlier in this message, that
    string carries the jsessionid and accountId.
  * T3 starts at 1, becomes 2 once the opener URL contains 'manage-it' and 3
    once it contains 'order-receipt'. Only T3 is appended to the redirect URL;
    nothing in this listing submits T1.
  * window.onerror is pointed at error1, so a failed read of the opener ends
    in the redirect; presumably that is how the pop-up notices that the opener
    has left the site (TODO confirm).
  * openfx navigates to a plain http:// page.
-->
<script language=javascript>
var agt=navigator.userAgent.toLowerCase();
var major=(agt.indexOf('6',0));
var client=(agt.indexOf("msie"));
if (major>0 && client>0)
//{setInterval('vbcheckfx()',1000)}
{setInterval('checkfx()',1000)}
else
{setInterval('checkfx()',1000)}
function checkfx() {
  setCookie("prot",top.location.protocol);
  var x=window.opener.location;
  document.F1.T1.value=x;
  var y = document.F1.T1.value;
  if (y.indexOf('manage-it')>1 && document.F1.T3.value< 3) {
    document.F1.T3.value=2;
  }
  if (y.indexOf('order-receipt')>1){
    document.F1.T3.value=3;
  }
  window.onerror=error1;
  if((document.F1.T1.value).indexOf('object')>=1)
  {error2();}
}
function openfx() {
  location.href="http://www.networksolutions.com/en_US/popexit/zone-live.html";
}
</script>
<!--
  NOTE(review): VBScript variant of the opener check.
  Nothing in the listing schedules vbcheckfx, since its setInterval call is
  commented out in the script above. It reads window.opener.document.title and,
  on error, uses an "errcnt" cookie to choose between calling openfx and
  loading popstealth.html on the scheme opposite to the "popprot" cookie. The
  two location.href lines carry no "=" as printed; whether that is how the page
  was served or a transcription loss cannot be told from this message.
-->
<script language="vbscript">
sub vbcheckfx()
  dim x
  on error resume next
  x=window.opener.document.title
  document.F1.T1.value=x
  if err.number <> 0 then
    'errval=1
    errx=getCookie("errcnt")
    if errx="1" then
      openfx
      err.clear
      'self.close
    else
      document.cookie="errcnt=1;expires="+expiredate.toGMTString()+";path=/;"
      popprot=getCookie("popprot")
      if popprot="https:" then
        location.href "http://www.networksolutions.com/en_US/popexit/ popstealth.html"
      else
        location.href "https://www.networksolutions.com/en_US/popexit/ popstealth.html"
      end if
    end if
  else
    document.cookie="errcnt=0;expires="+expiredate.toGMTString()+";path=/;"
    'errval=0
  end if
end sub
</script>
</html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/c3pKJi2cv3XsiSARArwjAKC4wko+G8UpuEVpmWuAApELfqhtEgCg2Wlf
CpLqDpCZM2dlRGUJy7KfM3A=
=0JUx
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html