A shocking, disturbing and horrifying expose on
____ __ _ ___ ___ __
/ __/__ __ _ ___ / /_(_)__ ___ _ / _ |_ __/ _/_ __/ /
_\ \/ _ \/ ' \/ -_) __/ / _ \/ _ `/ / __ | |/|/ / _/ // / /
/___/\___/_/_/_/\__/\__/_/_//_/\_, / /_/ |_|__,__/_/ \_,_/_/
/___/ This edition: Radium's unforgivable
sins
This report is brought to you by: Buttes. What have you had in your butte
today?
--------------------------------------------------------------------------------
BACKGROUND:
Meet Radium. Seemingly a typical user handle for a forum. Convenient to
hide
behind, and creative compared to "DiQuELiCkUr69" or similar popular forum
handles.
This is the handle of Kenneth Stumpf, the administrator of Something
Awful.
Those who follow Something Awful's drama are well aware that he was
recently
"fired" from his position as an administrator at Something Awful. This has
been
debunked as a blatant lie on the part of the administration team, not
totally
unexpectedly, since any sane human being realizes that Richard "Lowtax"
Kyanka
is a compulsive liar and crook.
In light of these recent developments it was thought prudent to disclose a
very
disturbing XSS exploit found in SomethingAwful's "Secure" ordering system.
Every "goon" (derrogatory nickname for a SomethingAwful user) must use
this very
broken and insecure system to perform their day-to-day transactions on the
website, such as registering an acccount (at a cost of $10), purchasing an
avatar image (an additional $10), purchasing the ability to search for
previous
posts (an additional $10), purchasing an emoticon (an additional $35) or
when purchasing a banner ad (usually at $10 per ad, depending on the
purpose).
DESCRIPTION:
Unchecked string in https://secure.somethingawful.com
EXPLOIT:
1. Go to
https://secure.somethingawful.com/forumsystem/index.php?item=donate
2. Enter anything for a username and a legitimate-looking email address.
3. Enter <script>alert(document.cookie);</script> in the Donate field.
RESULT:
Session cookie for any user for SomethingAwful.com. This allows for a
trivial
session hijack.
CAUSE:
Recently, in his infinite brilliance and vastly superior knowledge of
website
security and web design, Kenneth decided to change all cookies for users
of
the website to be for the domain *.somethingawful.com. This means that
forum
session cookies are now available to any subdomain of somethingawful.com.
Presumably this was done out of sheer laziness, with no consideration for
the
possible threat to security.
KEYWORDS: Something Awful, SomethingAwful, XSS, Radium, Identity Theft,
Incompetence, Goons, Failure, Idiocy
E-PROPS TO: SASS: The Something Awful Sycophant Squad (
http://sass.buttes.org)
for finding this.
REFERENCE: http://sass.buttes.org/forum/viewtopic.php?id=523 (free
registration
required).
=
Industrial Power Products
Industrial batteries and chargers for forklifts - parts, accessories,
safety items, and handling equipment.
http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=fb7d9bc44fd159097c65a6251bd721df
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
