Full Disclosure mailing list archives

XSS in secure.somethingawful.com at Something Awful AGAIN.


From: jeremy borne <jeremy_borne_again () yahoo ca>
Date: Thu, 3 May 2007 09:03:29 -0400 (EDT)

A NEW shocking, disturbing and horrifying expose on: 

Something Awful
http://somethingawful.com

          This edition: Radium's unforgivable sins -- A Regression!

This report is brought to you by: Buttes. What have you had in your butte today?
--------------------------------------------------------------------------------

BACKGROUND:
Sass members post a previous XSS to FD. What happens? They disable the feature.
Something Awful no longer accepts donations.

Sass members, knowing full well that former site admin Radium was massively
incompetent and didn't understand escaping user input, decided to try other
fields on secure.somethingawful.com.

ORIGINAL POST by slowtax:

In the (http://sass.buttes.org/forum/viewtopic.php?id=523) last thread I showed
you the XSS vuln in Something Awful's donation form. Turns out as soon as
somebody posted it on:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/53329 
Full Disclosure, instead of fixing the underlying problem, they just removed the
https://secure.somethingawful.com/forumsystem/index.php?item=donate
page from the site.

This was a retarded thing to do, and I now present you with XSS in 
https://secure.somethingawful.com/forumsystem/index.php?item=others_custom_title

Simply fill the "User title is for" form in with
<script>alert(document.cookie);</script> and fill the e-mail address with
something that looks legit.

Remember kids, this is all thanks to radium's great session rewrite allowing
cookies from *.somethingawful.com :D


DESCRIPTION:
Unchecked string in https://secure.somethingawful.com

EXPLOIT:
1. Go to https://secure.somethingawful.com/forumsystem/index.php?item=others_custom_title
2. Enter anything for a username and a legitimate-looking email address.
3. Enter <script>alert(document.cookie);</script> in the "User title is for" field.

RESULT:
Session cookie for any user for SomethingAwful.com. This allows for a trivial
session hijack.

CAUSE:
Recently, in his infinite brilliance and vastly superior knowledge of website
security and web design, Kenneth decided to change all cookies for users of
the website to be for the domain *.somethingawful.com. This means that forum
session cookies are now available to any subdomain of somethingawful.com.
Presumably this was done out of sheer laziness, with no consideration for the
possible threat to security.

KEYWORDS: Something Awful, SomethingAwful, XSS, Radium, Identity Theft,
          Incompetence, Goons, Failure, Idiocy
          
E-PROPS TO: Slowtax, SASS: The Something Awful Sycophant Squad
           (http://sass.buttes.org) for finding this.

REFERENCE: http://sass.buttes.org/forum/viewtopic.php?id=4240 (free registration
       required).


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
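The post describes two separate defects: a form field reflected into the page without HTML encoding, and a session cookie scoped to *.somethingawful.com so that any subdomain (including one with a script-injection bug) can read it. The following is an added example, not code from the post or from Something Awful; the form markup, the handler names and the cookie name "session" are hypothetical, and the sample input is constructed from the payload the post names. It shows the unencoded rendering beside the encoded one, builds a Set-Cookie header with and without a Domain attribute, and applies RFC 6265 domain matching to show which hosts each variant is sent to.

```python
# Added example, not from the post or the site's code. Names and markup are
# hypothetical; SAMPLE_INPUT is constructed from the payload quoted in the post.
import html
from http import cookies
from typing import Optional

# Constructed input of the kind the post describes being typed into the form.
SAMPLE_INPUT = "<script>alert(document.cookie);</script>"


def render_title_for_vulnerable(user_title_for: str) -> str:
    """Reflects the field straight into the page, which is the defect the post reports."""
    return f"<p>User title is for: {user_title_for}</p>"


def render_title_for_fixed(user_title_for: str) -> str:
    """Encodes the field for an HTML text context before reflecting it."""
    return f"<p>User title is for: {html.escape(user_title_for, quote=True)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Crude detection check: does the rendered markup still carry a script tag?"""
    return "<script" in markup.lower()


def session_cookie(value: str, domain: Optional[str] = None) -> str:
    """Build a Set-Cookie header value for a forum session cookie (hypothetical name).

    domain=".somethingawful.com" reproduces the scoping the post complains about:
    the cookie is sent to every subdomain. Leaving domain unset gives a host-only
    cookie. HttpOnly keeps document.cookie from reading it, Secure keeps it off
    plain HTTP.
    """
    jar = cookies.SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    if domain:
        jar["session"]["domain"] = domain
    return jar["session"].OutputString()


def cookie_is_host_only(header: str) -> bool:
    """A cookie set without a Domain attribute is returned only to the setting host."""
    return "domain=" not in header.lower()


def cookie_is_httponly(header: str) -> bool:
    return "httponly" in header.lower()


def cookie_sent_to(request_host: str, set_on_host: str, domain_attr: Optional[str]) -> bool:
    """Simplified RFC 6265 domain matching.

    Host-only cookies go back only to the host that set them; a cookie with a
    Domain attribute goes to that domain and every subdomain of it.
    """
    request_host = request_host.lower()
    if domain_attr is None:
        return request_host == set_on_host.lower()
    domain = domain_attr.lower().lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)


if __name__ == "__main__":
    print(render_title_for_vulnerable(SAMPLE_INPUT))
    print(render_title_for_fixed(SAMPLE_INPUT))
    print(session_cookie("constructed-session-id"))
    print(session_cookie("constructed-session-id", domain=".somethingawful.com"))
    for attr in (None, ".somethingawful.com"):
        print(attr, cookie_sent_to("secure.somethingawful.com",
                                   "forums.somethingawful.com", attr))
```

The two cookie variants show why the post's CAUSE section matters on its own: with the Domain attribute, a cookie set by the forums host is presented to secure.somethingawful.com as well, so an injection bug on either host exposes the session of the other; the host-only form limits the blast radius of a bug to the host that has it, and HttpOnly removes document.cookie as a way to read it at all. Output encoding on the reflected field is still the fix for the injection itself.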
