Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
What is this?
Posted by: SW
Date: January 31, 2007 12:50AM

Does this fall under XSS?? Or anything? Maybe just sheer stupidity?

This site hosts tons of greasemonkey scripts. They let you put custom descriptions and they don't filter out very much. All you need is a src pointing to the very file that they are hosting for you on their server as the source. :-S

Would be pretty easy to replace every logged in user's files and malicious file description with my own through their nifty update feature.

[userscripts.org]

Re: What is this?
Posted by: Anonymous User
Date: January 31, 2007 04:53AM

Nice find! Classic persistent XSS.

Re: What is this?
Posted by: WhiteAcid
Date: January 31, 2007 08:02AM

Picture this scenario:
A greasemonkey script works on example.com. It takes the variable x from the querystring and puts it through eval(). You find an XSS flaw on example.com.

In that case you could abuse the script they have installed and perform JS in the context of greasemonkey. Using GM's API you can make cross-domain AJAX calls, which is effectively the mhtml flaw.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: What is this?
Posted by: bubbles
Date: January 31, 2007 08:37AM

Awesome find!

-bubbles
http://webmastertutorials.net

Re: What is this?
Posted by: SW
Date: January 31, 2007 09:58AM

Imagine if the javascript detected all of your userscripts on the site with xmlhttp on your profile (if logged in), sent the links (script numbers) to a remote server through a form and iframe, the server automatically adds malicious code to each of the scripts and rehosts them temporarily (if they haven't been done already), and then javascript 'updates' each of the victim's scripts from our server (site allows this w/o changing anything else). We could also add our original javascript line to the victim's file descriptions (as we start out with) so it spreads like a worm essentially until all of the scripts on the site are infected.

Any problem with this scenario? Then we would have many users using greasemonkey scripts with malicious code embedded in it and that sweet GM_xmlhttprequest. We could execute arbitrary js from remote sources and etc etc. I imagine we could exploit many other similar problems by simply using our infected greasemonkey scripts. :-)

@whiteacid This is a good idea, but you would have to go looking through popular greasemonkey scripts to find vulnerabilities that coincide with your XSS exploit, which seems like a lot of hard work.

Re: What is this?
Posted by: WhiteAcid
Date: January 31, 2007 11:48AM

I had a look at a few scripts, some try to work on any subdomain so they are set to work on htt p://*.amazon.* or something along those lines, which means it also works on htt p://www.mysite.com/?amazon.foo.
But yeah, finding a usable script is hard, especially as it's not easy to tell if the script is popular or not.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: What is this?
Posted by: rsnake
Date: February 03, 2007 07:10PM

Wow... that's pretty bad. Yet another piece of evidence that proves that the plugins are the cause of much of the browser's insecurity.

- RSnake
Gotta love it. http://ha.ckers.org

Re: What is this?
Posted by: trev
Date: February 13, 2007 10:30AM

They fixed it. From what I can tell they now parse the HTML code and then serialize it again while only allowing certain tags and attributes. The src attribute appears to be filtered by protocol. No obvious holes there.

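The fix trev describes (parse the description HTML, re-serialize it while allowing only certain tags and attributes, and filter src by protocol) is the standard shape of an HTML sanitizer. The Python below is an added example written for this thread, not userscripts.org's code; the tag/attribute allowlist and the sample inputs are assumed.

```python
import html
import re
from html.parser import HTMLParser
# Assumed allowlist (not userscripts.org's actual one): tag -> attributes kept.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "code": set(),
           "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                        # never emit a closing tag for these
SAFE_URL = re.compile(r"^https?://", re.I)  # absolute http(s) only; relative rejected

def safe_url(value):
    # Strip control characters first so "java\tscript:" cannot hide its scheme.
    cleaned = "".join(c for c in value if c.isprintable()).strip()
    return cleaned if SAFE_URL.match(cleaned) else None

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = tag             # the tag and its body both disappear
        if self.skipping or tag not in ALLOWED:
            return                          # unknown tag dropped, its text survives
        kept = [(n, safe_url(v) if n in ("href", "src") else v)
                for n, v in attrs if n in ALLOWED[tag] and v is not None]
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"'
                            for n, v in kept if v is not None)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.open_tags:         # also closes anything left open inside
            while (t := self.open_tags.pop()) != tag:
                self.out.append(f"</{t}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

def sanitize(markup):
    p = Sanitizer()
    p.feed(markup)
    p.close()
    while p.open_tags:                      # close whatever the author left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)
```

A script tag whose src points at a hosted user script, an event-handler attribute, or a javascript: URL in href all disappear; plain text and allowlisted markup are re-emitted well-formed.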
Re: What is this?
Posted by: SW
Date: February 14, 2007 09:52AM

trev Wrote:
-------------------------------------------------------
> They fixed it. From what I can tell they now parse
> the HTML code and then serialize it again while
> only allowing certain tags and attributes. The src
> attribute appears to be filtered by protocol. No
> obvious holes there.


Yea. -.-

I was looking but couldn't find any new one. They only allow a couple tags now.
