
List:       websecurity
Subject:    Re: [WEB SECURITY] vulnerability classification
From:       "Luis Matus" <matus.investiga () gmail ! com>
Date:       2008-12-03 20:15:58
Message-ID: eb1a496f0812031215w2aef1fe8p9f84fbce37d273ae () mail ! gmail ! com

It's even worse. If I set the parameter foto=
" ></td><script>alert(1)</script>

the page becomes vulnerable to XSS.

2008/12/3 Luis Matus <matus.investiga@gmail.com>

> Well, I forgot to mention that if you include a URL like
> http://www.google.com.ni, no image is displayed but the source code of
> the page contains this:
> 
> <img src="http://www.google.com.ni/" >
> 
> Instead of a malicious URL I've submitted http://www.google.com.ni. So no
> matter what parameter I send, the site will always put
> 
> <img src= (my parameter)>
> 
> Any new thoughts?
> 
> By the way, thanks a lot,
> 
> 
> 2008/12/3 Prasad Shenoy <prasad.shenoy@gmail.com>
> 
> > You are right. I did not read the entire email but just looked at
> > 
> > the parameter accepting a URL and acting on it, at least from what the
> > author wrote:
> > 
> > "As you can see the variable foto receives an URL as a parameter,
> > so I can modify it and instead of photourl/vma002a.jpg I could send
> > http://malicious.url.com"
> > 
> > What's with the URL? It seems like the script is looking for relative
> > paths. In that case, including a URL should generate an error. If that
> > is possible anyhow and the author has established it, then there is a
> > chance that the script has an ability to look for remote files or
> > files on other sites (flick etc.), download them in real time and
> > attach them as part of the email that goes out. In that case, you can
> > do a redirect definitely. But, unless I know more about the actual
> > vulnerability I would stick to your word "Abuse of functionality"
> > 
> > Thanks
> > Prasad
> > 
> > 
> > On Wed, Dec 3, 2008 at 12:20 PM, MustLive <mustlive@websecurity.com.ua>
> > wrote:
> > > Hello Luis!
> > > 
> > > > Hi, how would you call this vulnerability, the site : www.siteurl.com has
> > > > a service to send postals to any email address.
> > > 
> > > This is Abuse of Functionality. It is a vulnerability class from the WASC
> > > classification and such vulnerabilities belong to this class.
> > > 
> > > > http://www.siteurl.com/postals/select.asp?foto=*photourl/vma002a.jpg*
> > > 
> > > You can also test, if it's possible to put into parameter foto not only
> > > URL, but also text.
> > > 
> > > http://www.siteurl.com/postals/select.asp?foto=It's%20spam.%20Click%20on%20this%20link:%20http://bad.site
> > > 
> > > Which will allow use of this service for sending of spam ;-).
> > > 
> > > Besides, Luis, I have feeling that Insufficient Anti-automation
> > > vulnerability is also present at that site, which will allow for
> > > automatic sending of spam.
> > > 
> > > > I have heard this referred to as URL Tampering.
> > > 
> > > Blain, it's Abuse of Functionality as I said before.
> > > 
> > > > Phishing through URL Redirection.
> > > 
> > > Prasad, it isn't redirection, because this script (as I see from Luis'
> > > description) is not a redirector. It's Abuse of Functionality.
> > > 
> > > One example of such Abuse of Functionality vulnerabilities (which
> > > allow arbitrary email sending) is at www.ibm.com, as I wrote at my site:
> > > http://websecurity.com.ua/2027/. There I wrote about Cross-Site
> > > Scripting, Insufficient Anti-automation and Abuse of Functionality
> > > vulnerabilities at www.ibm.com (and they ignored my notification and
> > > didn't fix holes).
> > > 
> > > Best wishes & regards,
> > > MustLive
> > > Administrator of Websecurity web site
> > > http://websecurity.com.ua
> > > 
> > > 
> > > ----------------------------------------------------------------------------
> > > Join us on IRC: irc.freenode.net #webappsec
> > > 
> > > Have a question? Search The Web Security Mailing List Archives:
> > > http://www.webappsec.org/lists/websecurity/archive/
> > > 
> > > Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> > > 
> > > Join WASC on LinkedIn
> > > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> > > 
> > > 
> > 
> > 
> > 
> > --
> > Ah! the joy of hacking....
> > 
> > 
> 

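An added example, not code from the thread or from the site under discussion: the reflection pattern Luis describes (`<img src= (my parameter)>`) next to a hardened handler that accepts only a file name under a fixed photo directory and attribute-encodes what it emits, so neither a remote URL, free text, nor an attribute-closing quote reaches the page. The function names, PHOTO_DIR and the allowed extensions are assumptions.

```python
# Added example (not from the thread). Names such as render_postcard_* and
# PHOTO_DIR are hypothetical; the vulnerable function mirrors the behaviour
# described in the thread, the hardened one is a suggested fix.
import html
import posixpath
import re
from typing import Optional

PHOTO_DIR = "photourl"  # assumed directory holding the site's own postcard images
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(jpg|jpeg|png|gif)$")


def render_postcard_vulnerable(foto: str) -> str:
    """'<img src= (my parameter)>': the raw parameter lands inside the attribute.

    A value starting with a double quote closes the attribute, which is how
    the thread's foto=" ></td><script>alert(1)</script> turns into XSS.
    """
    return '<img src="' + foto + '" >'


def validate_foto(foto: str) -> Optional[str]:
    """Return the canonical path if foto is a plain image under PHOTO_DIR, else None.

    normpath collapses '..' and '//', so 'photourl/../x' and 'http://host'
    never match the fixed directory, and free text fails the name pattern.
    """
    directory, name = posixpath.split(posixpath.normpath(foto))
    if directory != PHOTO_DIR or not ALLOWED_NAME.fullmatch(name):
        return None
    return posixpath.join(PHOTO_DIR, name)


def render_postcard_hardened(foto: str) -> Optional[str]:
    """Allow-list first; encode second. None means 'answer with an error'."""
    safe = validate_foto(foto)
    if safe is None:
        return None
    # quote=True encodes " and ' as well, so the value cannot close the attribute
    return '<img src="' + html.escape(safe, quote=True) + '" >'


if __name__ == "__main__":
    # Constructed inputs taken from the thread's discussion
    for value in ["photourl/vma002a.jpg", "http://www.google.com.ni",
                  '" ></td><script>alert(1)</script>',
                  "It's spam. Click on this link: http://bad.site"]:
        print(repr(value), "->", render_postcard_hardened(value))
```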
