Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Rude.com - a possible future victim of xss worms
Posted by: 2fingers
Date: January 25, 2009 10:26AM

Rude.com is an online adult community with a large number of members. It's pretty heavy and stuffed with a lot of features in their desire to unite several adult services into one large site. Such features as porn videos, amateur videos, amateur live cams, private cams, social network, xxx games etc., seem to manage to attract some attention to it.

Yet, visiting rude.com can be a hazard for you. Why?

You can insert javascript in any comments box of each profile. I don't mean inserting the script in your own profile but the possibility to do this with ALL the profiles on the website.

The method is extremely simple. With your comment, add <img src="" onerror="evil javascript code">, which gets executed every time someone sees that profile. Example: <img src="" onerror="alert(1)">.

This vulnerability is extremely dangerous for rude.com users, especially when we know there are paid services on the website. Wouldn't want to be one of their paying members.

Suppose you are a paying client and want to see a live xxx show. You buy some chips (credit) and while you do that, your session cookie gets stolen. Next thing you know, your card is being used by someone else. And here you are faced with two options:

1. You don't notice that and you don't take any countermeasure.

2. You notice and make a chargeback and the model and the website lose their money. Your credit score is affected, the website gets a bad reputation and the model is left with no money.

Of course this kind of vulnerability can be used for phishing, to generate traffic on other websites or to hide some XSS attacks targeting other websites (yahoo, gmail, ebay, paypal etc.).

The possibility to insert an XSS worm is extremely simple and the owners of this website have known about this issue for over a year and still, nobody seems to bother.

http://hackersblog.org - only full disclosures [updated daily]

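The defensive side of the issue described in the post above, as an added example that is not part of the thread or of the site's code: comment text is HTML-encoded on output, a regression check confirms no event-handler attribute survives rendering, and the session cookie is issued HttpOnly. The function names, the "guest" author and the cookie name "sid" are assumptions made for illustration.

```javascript
// Added example, not from the thread. Names such as renderCommentSafe and the
// cookie name "sid" are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern the post describes: comment text concatenated straight into markup.
function renderCommentUnsafe(author, body) {
  return '<div class="comment"><b>' + author + '</b>: ' + body + '</div>';
}

// Hardened form: every user-controlled value is encoded for the HTML body context.
function renderCommentSafe(author, body) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(body) + '</div>';
}

// Regression check for templates: true if any real tag in the rendered markup
// carries an on* event-handler attribute. Encoded text does not match.
function hasEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Session cookie flags: HttpOnly keeps the value out of document.cookie, so an
// injected script cannot read it; Secure restricts it to HTTPS.
function sessionCookieHeader(name, value) {
  return name + '=' + encodeURIComponent(value) + '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Constructed sample input: the test string quoted in the post.
const sampleComment = '<img src="" onerror="alert(1)">';
console.log(hasEventHandlerTag(renderCommentUnsafe('guest', sampleComment)));
console.log(hasEventHandlerTag(renderCommentSafe('guest', sampleComment)));
console.log(renderCommentSafe('guest', sampleComment));
console.log('Set-Cookie: ' + sessionCookieHeader('sid', 'constructed-session-value'));
```

HttpOnly only limits cookie theft; an injected script still runs in the viewer's session unless the comment is encoded on output.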
Re: Rude.com - a possible future victim of xss worms
Posted by: PaPPy
Date: January 25, 2009 12:00PM

maybe it's time to have a lil fun :D
well for someone since i put out my worm paper, maybe someone can get some good ideas

http://www.xssed.com/archive/author=PaPPy/

Re: Rude.com - a possible future victim of xss worms
Posted by: RonPaul
Date: October 04, 2009 02:41PM

well i got their attention
http://sla.ckers.org/forum/read.php?3,26267,26268#msg-26268

seems to be fixing some of the stuff
