Re: Severe vulnerability in https://secure.somethingawful.com

[evilrabbi <evilrabbi () gmail com>]

haha.. classic...

On 4/25/07, Pedro Martinez <sassycophants () cyberdude com> wrote:
> A shocking, disturbing and horrifying expose on
>     ____               __  _             ___         ___     __
>    / __/__  __ _  ___ / /_(_)__  ___ _  / _ |_    __/ _/_ __/ /
>   _\ \/ _ \/  ' \/ -_) __/ / _ \/ _ `/ / __ | |/|/ / _/ // / /
> /___/\___/_/_/_/\__/\__/_/_//_/\_, / /_/ |_|__,__/_/ \_,_/_/
>                               /___/  This edition: Radium's unforgivable
> sins
>
> This report is brought to you by: Buttes. What have you had in your butte
> today?
>
> --------------------------------------------------------------------------------
>
> BACKGROUND:
> Meet Radium. Seemingly a typical user handle for a forum. Convenient to
> hide
> behind, and creative compared to "DiQuELiCkUr69" or similar popular forum
> handles.
>
> This is the handle of Kenneth Stumpf, the administrator of Something
> Awful.
> Those who follow Something Awful's drama are well aware that he was
> recently
> "fired" from his position as an administrator at Something Awful. This has
> been
> debunked as a blatant lie on the part of the administration team, not
> totally
> unexpectedly, since any sane human being realizes that Richard "Lowtax"
> Kyanka
> is a compulsive liar and crook.
>
> In light of these recent developments it was thought prudent to disclose a
> very
> disturbing XSS exploit found in SomethingAwful's "Secure" ordering system.
> Every "goon" (derrogatory nickname for a SomethingAwful user) must use
> this very
> broken and insecure system to perform their day-to-day transactions on the
> website, such as registering an acccount (at a cost of $10), purchasing an
> avatar image (an additional $10), purchasing the ability to search for
> previous
> posts (an additional $10), purchasing an emoticon (an additional $35) or
> when purchasing a banner ad (usually at $10 per ad, depending on the
> purpose).
>
> DESCRIPTION:
> Unchecked string in https://secure.somethingawful.com
>
> EXPLOIT:
> 1. Go to
> https://secure.somethingawful.com/forumsystem/index.php?item=donate
> 2. Enter anything for a username and a legitimate-looking email address.
> 3. Enter <script>alert(document.cookie);</script> in the Donate field.
>
> RESULT:
> Session cookie for any user for SomethingAwful.com. This allows for a
> trivial
> session hijack.
>
> CAUSE:
> Recently, in his infinite brilliance and vastly superior knowledge of
> website
> security and web design, Kenneth decided to change all cookies for users
> of
> the website to be for the domain *.somethingawful.com. This means that
> forum
> session cookies are now available to any subdomain of somethingawful.com.
> Presumably this was done out of sheer laziness, with no consideration for
> the
> possible threat to security.
>
> KEYWORDS: Something Awful, SomethingAwful, XSS, Radium, Identity Theft,
>           Incompetence, Goons, Failure, Idiocy
>
> E-PROPS TO: SASS: The Something Awful Sycophant Squad  (
> http://sass.buttes.org)
>             for finding this.
>
> REFERENCE: http://sass.buttes.org/forum/viewtopic.php?id=523 (free
> registration
>            required).
>
>
> =
> Industrial Power Products
> Industrial batteries and chargers for forklifts - parts, accessories,
> safety items, and handling equipment.
>
> http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=fb7d9bc44fd159097c65a6251bd721df
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



--
-- h0 h0 h0 --
www.nopsled.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/