Network Security Bugtraq

Fotolog.net cross-site scripting vulnerabilities [RLSA_05-2004]

Subject: Fotolog.net cross-site scripting vulnerabilities [RLSA_05-2004]
Date: 23 Nov 2004 13:03:35 -0000


                *** rfdslabs security advisory ***

Title: Fotolog.net cross-site scripting vulnerabilities [RLSA_05-2004]
Date: 17 Nov 2004

Author: Julio Cesar Fort <julio at rfdslabs com br>
        Rafael Silva <rafaelsilva at rfdslabs com br>

         <!> Warning: This advisory contains lots of sarcasm <!>

1. Introduction

   Fotolog.net is the most popular photo sharing service, with almost 1 million
users around the world (especially in Brazil, with lots of posers).
Everybody knows Brazilians take over everything free on the Internet. Since we are
Brazilians, we decided to take a look at the Fotolog.net service from a security standpoint.

2. Details

   Cross-site scripting (XSS) vulnerabilities were found in Fotolog.net. The
result of a successful exploitation is cookie stealing, tricking users into
fake web pages and other nasty actions.
Combined with browser flaws (such as the URL spoofing technique) it is possible to
make it more realistic. This way, many users will give away their passwords.

Cross-site scripting attacks occur in many Fotolog.net scripts, such as the following:

--- vulnerable scripts ---

http://www.fotolog.net/about.html?user=<script>alert(document.cookie)</script>
http://ubbibr.fotolog.net/by_state.html?s=<script>document.write("<h2>rfdslabs</h2>")</script>
http://my.fotolog.net/email_to_a_friend.html?user=<script>document.location = "http://www.rfdslabs.com.br"</script>

--- vulnerable scripts ---
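All three URLs above follow the same pattern: a query parameter (user, s) is echoed into the page body without output encoding, so whatever markup the parameter carries is rendered by the victim's browser. The following is an added example, not code from the advisory or from Fotolog.net, showing a minimal renderer in the vulnerable shape the advisory describes next to the hardened shape (contextual HTML encoding of the untrusted value), plus a small check that flags any tag in the output that the template did not put there. The function names, the "about" page template and the constructed query string are assumptions for illustration.

```javascript
// Added example (not from the advisory): a minimal page renderer that reflects the
// "user" query parameter into HTML, first in the unescaped shape the advisory
// describes, then with contextual output encoding, the standard fix for reflected XSS.

// Vulnerable: the parameter is dropped straight into the markup, so a value such as
// <script>alert(document.cookie)</script> becomes live script in the response.
function renderAboutVulnerable(user) {
  return `<html><body><h1>About ${user}</h1></body></html>`;
}

// Encode the five characters that can change meaning inside an HTML text node
// or a double-quoted attribute. Everything else passes through unchanged.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[ch]));
}

// Hardened: same page, but the untrusted value is encoded for the HTML text context.
function renderAboutSafe(user) {
  return `<html><body><h1>About ${escapeHtml(user)}</h1></body></html>`;
}

// Parse the query string the way the advisory's URLs are built, e.g.
// about.html?user=<value>. URLSearchParams is a Node.js global and percent-decodes.
function userFromQuery(queryString) {
  return new URLSearchParams(queryString).get('user') ?? '';
}

// A crude review check over rendered output: does any tag in the response come from
// somewhere other than the fixed template? Compares the tag names found in the output
// against the tag names the template itself contains.
function containsInjectedTag(html, templateTags = ['html', 'body', 'h1']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !templateTags.includes(t));
}

// Constructed sample input (not captured traffic) mirroring the first URL above.
const constructedQuery = 'user=%3Cscript%3Ealert(document.cookie)%3C/script%3E';
const user = userFromQuery(constructedQuery);
console.log('vulnerable:', renderAboutVulnerable(user));   // tag check: true
console.log('hardened:  ', renderAboutSafe(user));         // tag check: false
```

Run it with node; the vulnerable render contains a script tag the template never had, while the hardened render carries the same characters as inert text. Encoding at the point of output, per context, is what removes this class of bug; filtering "script" out of the input does not, because the second URL above shows the same parameter being used to inject plain markup rather than script.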

2.1 Posers' nightmare

   "Beauty and intelligence are inversely proportional". These words of Joaquim
Correa, the poet of rfdslabs, describe well what happens.
The worst nightmare of a poser is to lose his/her Fotolog account. With Fotolog
he/she can share his/her beauty, make friends and even get chicks/dudes!
Actually he/she is not so beautiful anyway. But, who cares? Yes, we can fake!
Cool effects, blur, shade, bright, black and white! God save Photoshop!
Add me then I add you. Glamorous and glitter life still goes on...

   rfdslabs will not release any dangerous proof-of-concept code. Anyway, you
can exercise your creativity to write tricky HTML "traps" to steal cookies, get
passwords and other nasties.

3. Solution

   Fotolog was contacted on 17th November. No solution yet.

4. Timeline

Someday in 2003: Vulnerability detected;
03 Nov 2004: Vulnerability re-detected;

Posers, don't worry about us. We are just kidding.

www.rfdslabs.com.br - computers, sex, human mind, music and more
Recife, PE, Brazil
