
Fotolog.net cross-site scripting vulnerabilities [RLSA_05-2004]




                *** rfdslabs security advisory ***

Title: Fotolog.net cross-site scripting vulnerabilities [RLSA_05-2004]
Date: 17 Nov 2004

Author: Julio Cesar Fort <julio at rfdslabs com br>
        Rafael Silva <rafaelsilva at rfdslabs com br>

         <!> Warning: This advisory contains lots of sarcasm <!>

1. Introduction

   Fotolog.net is the most popular photo sharing service, with almost 1 million
users around the world (especially in Brazil, with lots of posers).
Everybody knows Brazilians take over everything free on the internet. Since we
are Brazilians, we decided to take a look at the Fotolog.net service from a
security point of view.

2. Details

   Cross-site scripting (XSS) vulnerabilities were found in Fotolog.net. The
result of a successful exploitation is cookie stealing, tricking users into
fake web pages and other nasty actions.
Combined with browser flaws (such as URL spoofing techniques) it is possible to
make the attack more realistic. This way, many users will give away their
passwords.

Cross-site scripting occurs in many Fotolog.net scripts, such as the following
(the query parameters user and s are reflected into the page without encoding):

--- vulnerable scripts ---

http://www.fotolog.net/about.html?user=<script>alert(document.cookie)</script>
http://ubbibr.fotolog.net/by_state.html?s=<script>document.write("<h2>rfdslabs</h2>")</script>
http://my.fotolog.net/email_to_a_friend.html?user=<script>document.location = "http://www.rfdslabs.com.br"</script>

--- vulnerable scripts ---
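The following is an added example, not rfdslabs' proof-of-concept and not
Fotolog's code: a minimal model of a reflected sink like about.html?user=...
beside its hardened form, which HTML-encodes the value before reflecting it.
The page template and the function names are assumptions for illustration;
only the parameter name "user" and the first PoC URL come from the advisory.

```javascript
// Added example (not rfdslabs' or Fotolog's code): a reflected-XSS sink
// modelled on about.html?user=..., beside its hardened form.
// The template below is an assumption; only the parameter name "user" and
// the payload come from the advisory.

// Encode the five characters that matter in an HTML text/attribute context.
// "&" must be encoded first, or the other entities would be double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query value lands in the markup verbatim, so a value of
// <script>...</script> becomes a real script element in the victim's browser.
function renderAboutVulnerable(user) {
  return `<html><body><h1>About ${user}</h1></body></html>`;
}

// Hardened: the same template, but the value is encoded for the HTML text
// context it is inserted into. "<script>" is now literal text, not markup.
function renderAboutSafe(user) {
  return `<html><body><h1>About ${escapeHtml(user)}</h1></body></html>`;
}

// Extract the reflected parameter the way a server-side handler would
// (URLSearchParams applies the percent-decoding for us).
function userParamFrom(url) {
  return new URL(url).searchParams.get("user") ?? "";
}

// Simple oracle: does the rendered page contain a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The first proof-of-concept URL from the advisory.
const POC_URL =
  "http://www.fotolog.net/about.html?user=<script>alert(document.cookie)</script>";

// Stand-alone demonstration.
const reflectedValue = userParamFrom(POC_URL);
console.log("vulnerable page carries a script element:",
  containsScriptTag(renderAboutVulnerable(reflectedValue)));
console.log("hardened page carries a script element:  ",
  containsScriptTag(renderAboutSafe(reflectedValue)));
console.log(renderAboutSafe(reflectedValue));
```

The same encoding applies to the s parameter of by_state.html. The encoding
must match the context the value is inserted into: a value reflected inside a
JavaScript string or an unquoted attribute needs a different encoder, and HTML
entity encoding alone does not make those contexts safe. Marking the session
cookie HttpOnly keeps document.cookie (used in the first PoC) from exposing
it, but does nothing against the redirect and content-injection payloads.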

2.1 Posers' nightmare

   "Beauty and intelligence are inversely proportional". These words of Joaquim
Correa, the poet of rfdslabs, describe well what happens.
The worst nightmare of a poser is to lose his/her Fotolog account. With Fotolog
he/she can share his/her beauty, make friends and even get chicks/dudes!
Actually he/she is not so beautiful anyway. But who cares? Yes, we can fake it!
Cool effects, blur, shade, brightness, black and white! God save Photoshop!
Add me, then I add you. The glamorous and glittery life goes on...

   rfdslabs will not release any dangerous proof-of-concept code. Anyway, you
can exercise your creativity to write tricky HTML "traps" to steal cookies, get
passwords and other nasties.

3. Solution

   Fotolog was contacted on 17 November 2004. No solution yet.

4. Timeline

Someday in 2003: Vulnerability detected;
03 Nov 2004: Vulnerability re-detected;
17 Nov 2004: Fotolog contacted; advisory released.

Posers, don't worry about us. We are just kidding.

www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil