Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
IFPI.org - multiple vulnerabilities
Posted by: Vektor
Date: May 16, 2009 05:59AM

Some screenshots with vulnerable pages:

More information (screenshots, proof of concept) here: [nemesis.te-home.net]

Re: IFPI.org - multiple vulnerabilities
Posted by: Spyware
Date: May 16, 2009 07:15AM

Erh, what?

Re: IFPI.org - multiple vulnerabilities
Posted by: PaPPy
Date: May 16, 2009 11:11AM

I'm glad I'm not the only one confused.

http://www.xssed.com/archive/author=PaPPy/

Re: IFPI.org - multiple vulnerabilities
Posted by: thrill
Date: May 16, 2009 11:39AM

it's 42. But you could add saffron for taste.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: IFPI.org - multiple vulnerabilities
Posted by: PaPPy
Date: May 16, 2009 12:40PM

Why don't people just post it in the full disclosure thread?
If I created a new thread for every XSS page I've found, page 1 would be nothing but posts from PaPPy.

http://www.xssed.com/archive/author=PaPPy/

Re: IFPI.org - multiple vulnerabilities
Posted by: Vektor
Date: May 16, 2009 12:56PM

All parameters from everywhere on their website are flawed. Some can be used for XSS / others can be used to make negative payments / etc. The screenshots I posted here show only the XSS bugs from a few pages - you can paste an entire website in their forms.
Example of XSS for 2nd screenshot: http://www.ifpi.org/content/section_resources/RIN/RIN-orderFailed.asp?crypt=[long encrypted value omitted]

Re: IFPI.org - multiple vulnerabilities
Posted by: Vektor
Date: May 19, 2009 12:35AM

Those who look at the last link I posted can see that it has only one parameter, "crypt", which is encrypted. This is because I went to the payment failure link with a fake VendorTxCode parameter, as if it had been returned by SagePay.
After studying SagePay's shared scripts, I saw that the VendorTxCode parameter is one of the parameters that is not checked against XSS. All websites that use those scripts or have code copy+pasted from those scripts also inherited the vulnerabilities associated with them. These include XSS and SQL injection (the SQLSafe function is not that safe).
And a flaw in SagePay makes it possible to find the password for any given "crypt" string and to fake the payment status (it's funny how they put "simple XOR" and "secure" in the same sentence).

More details about these problems here: [nemesis.te-home.net].
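As an added illustration of the last point (code written for this page, not from the post or from SagePay): a hypothetical crypt field laid out the way the post describes, showing that a plain XOR layer lets a modified field decrypt without any error, and an HMAC tag over the same ciphertext that rejects the modification. Keys, field names and values are constructed; the tag addresses integrity only, and the XOR layer itself still leaks its key to anyone holding a known plaintext.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode

# Constructed values; the layout (URL-encoded fields XORed with the password, base64-wrapped)
# stands in for the "simple XOR" crypt the post describes, not SagePay's actual format.
XOR_PASSWORD = b"example-xor-pass"
MAC_KEY = b"example-mac-key"
FIELDS = {"VendorTxCode": "order-1234", "Status": "NOTAUTHED", "Amount": "10.00"}

def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR: the same function encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def weak_crypt(fields: dict) -> str:
    # Unauthenticated XOR: nothing binds the ciphertext to its content.
    return base64.b64encode(xor_bytes(urlencode(fields).encode(), XOR_PASSWORD)).decode()

def weak_decrypt(crypt: str) -> dict:
    # Accepts any input; a modified ciphertext silently yields modified fields.
    plain = xor_bytes(base64.b64decode(crypt), XOR_PASSWORD).decode()
    return {k: v[0] for k, v in parse_qs(plain).items()}

def authed_crypt(fields: dict) -> str:
    # Same XOR layer, plus an HMAC-SHA256 tag over the ciphertext.
    ct = xor_bytes(urlencode(fields).encode(), XOR_PASSWORD)
    return base64.b64encode(ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()).decode()

def authed_decrypt(crypt: str) -> dict:
    # Verify the tag in constant time before trusting any field.
    blob = base64.b64decode(crypt)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, ct, hashlib.sha256).digest(), tag):
        raise ValueError("crypt tag mismatch: the field was modified")
    return {k: v[0] for k, v in parse_qs(xor_bytes(ct, XOR_PASSWORD).decode()).items()}

def flip_byte(crypt: str, offset: int) -> str:
    # Flip the low bit of one ciphertext byte; under XOR the same plaintext bit flips.
    blob = bytearray(base64.b64decode(crypt))
    blob[offset] ^= 0x01
    return base64.b64encode(bytes(blob)).decode()

def demo() -> tuple:
    offset = urlencode(FIELDS).index("NOTAUTHED")  # byte holding the first letter of Status
    weak_status = weak_decrypt(flip_byte(weak_crypt(FIELDS), offset))["Status"]
    try:
        authed_decrypt(flip_byte(authed_crypt(FIELDS), offset))
        rejected = False
    except ValueError:
        rejected = True
    return weak_status, rejected
```

The weak scheme hands back a changed Status with no indication anything happened; the authenticated one refuses the blob before parsing a single field.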
