Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Spammer Vengeance
Posted by: tx
Date: February 13, 2007 05:39PM

I happen to have a couple of myspace pages to promote my music. And like all myspace users I constantly receive unsolicited spam messages and add requests for products and services I have no interest in or use for.
Now personally, I make it a point to reply to every single one (essentially saying, 'why do you think I would care about your product?', etc.). Generally they either ignore my message or occasionally try to argue with me (always fun!)
So anyway, I engaged in one such conversation with a guy ( http://www.myspace.com/showyourplace ), and I took it upon myself to check out his website. http://showyourplace.com
Besides stumbling across open directory listings (http://www.showyourplace.com/includes/ ), I eventually came upon this: http://www.showyourplace.com/test/includes/inc_admin_toolbar.php
Clicking on the users link allows someone to not only delete the active users, but log in as anyone without having to input anything.
To make it more interesting, if you log in as a user and change account settings, the data user name field (and maybe the others) is not cleaned at all, meaning persistent XSS.

So the $64 question is: What would you do?

-tx @ lowtech-labs.org
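
The two findings in the post above (an admin include reachable under the web root with no session check, and a stored user name written to the page unescaped), as an added PHP example of the defensive side; this is not code from showyourplace.com or from the poster, and the session keys, the `admin_audit` table and the function names are assumptions.

```php
<?php
// Added example, not the site's code. Session keys, table and function
// names are assumptions chosen for illustration.
declare(strict_types=1);
session_start();

// 1. Gate the admin toolbar on an authenticated admin session. A file that
//    is directly reachable under the web root must enforce this itself,
//    because the script that normally includes it is not in the request path.
function require_admin(): void
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// 2. Treat every stored field as untrusted on output. A user name that is
//    echoed without escaping is a persistent XSS sink.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. "Log in as user" is a privileged action: require the admin gate, a
//    CSRF token on the POST, and an audit record naming the admin who did it.
function impersonate(PDO $db, int $targetUserId): void
{
    require_admin();
    if (!hash_equals((string)($_SESSION['csrf'] ?? ''), (string)($_POST['csrf'] ?? ''))) {
        http_response_code(400);
        exit('Bad token');
    }
    $stmt = $db->prepare(
        'INSERT INTO admin_audit (admin_id, action, target_id) VALUES (?, ?, ?)'
    );
    $stmt->execute([$_SESSION['user_id'], 'impersonate', $targetUserId]);
    $_SESSION['impersonating'] = $targetUserId;
}

require_admin();
// Constructed sample of a stored name containing markup; rendered inert by h().
$displayName = '<b onmouseover="x()">name</b>';
echo '<div class="toolbar">Logged in as ' . h($displayName) . '</div>';
```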

Re: Spammer Vengeance
Posted by: SystemOfAHack
Date: February 13, 2007 07:15PM

lmao, if they were trying to sell you some real estate then pwn. Well at least if they are genuinely irritant. If it was thoughtless spam sent or they're just generally pricks, then hack away... worm, anyone?

the majority of referrers seem to be myspace.com profiles, plus sla.ckers is listed :p

Man, there's actually quite a wealth of information there, nice pwning; I would have spent a while looking for RFIs and such before giving up.

Re: Spammer Vengeance
Posted by: Luny
Date: February 13, 2007 11:08PM

What would you do.... or what did I just do?

oops.

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: Spammer Vengeance
Posted by: SystemOfAHack
Date: February 14, 2007 05:37PM

Damn, did I miss something? Anyway all the dirs aforementioned are forbidden now :p
Did anyone actually do anything to it or what? And most importantly, are you still getting spammed?

Re: Spammer Vengeance
Posted by: tx
Date: February 14, 2007 05:43PM

@SystemOfAHack: Mr. Spammer and I were able to reach an understanding, and he patched up the security issues... well at least the ones I included in my post.

-tx @ lowtech-labs.org
