A NEW shocking, disturbing and horrifying expose on:
This edition: Radium's unforgivable sins -- A Regression!
This report is brought to you by: Buttes. What have you had in your butte today?
Sass members post a previous XSS to FD. What happens? They disable the feature. Something Awful no longer accepts donations.
Sass members, knowing full well that former site admin Radium was massively incompetent and didn't understand escaping user input, decided to try other fields on secure.somethingawful.com.
ORIGINAL POST by slowtax:
In the last thread (http://sass.buttes.org/forum/viewtopic.php?id=523) I showed
you the XSS vuln in Something Awful's donation form. Turns out as soon as
somebody posted it on Full Disclosure
(http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/53329), instead of fixing the underlying problem, they just removed the https://secure.somethingawful.com/forumsystem/index.php?item=donate page from the site.
This was a retarded thing to do, and I now present you with XSS in https://secure.somethingawful.com/forumsystem/index.php?item=others_custom_title
Simply fill the "User title is for" form in with <script>alert(document.cookie);</script> and fill the e-mail address with something that looks legit.
Remember kids, this is all thanks to radium's great session rewrite allowing cookies from *.somethingawful.com :D
Unchecked string in https://secure.somethingawful.com
EXPLOIT:
1. Go to https://secure.somethingawful.com/forumsystem/index.php?item=others_custom_title
2. Enter anything for a username and a legitimate-looking email address.
3. Enter <script>alert(document.cookie);</script> in the "User title is for" field.
Session cookie for any user for SomethingAwful.com. This allows for a trivial session hijack.
Recently, in his infinite brilliance and vastly superior knowledge of website security and web design, Kenneth decided to change all cookies for users of the website to be for the domain *.somethingawful.com. This means that forum session cookies are now available to any subdomain of somethingawful.com. Presumably this was done out of sheer laziness, with no consideration for the possible threat to security.
KEYWORDS: Something Awful, SomethingAwful, XSS, Radium, Identity Theft,
Incompetence, Goons, Failure, Idiocy
E-PROPS TO: Slowtax, SASS: The Something Awful Sycophant Squad
(http://sass.buttes.org) for finding this.
REFERENCE: http://sass.buttes.org/forum/viewtopic.php?id=4240 (free registration
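The two defects the post describes are a form field echoed into the page unescaped and a session cookie scoped to the whole domain so that every subdomain receives it. The Node.js code below is added here and is not code from the post, from SASS or from the site; it shows the server-side fix for both points, escaping on output and a host-only, HttpOnly session cookie, plus a small check that flags a Set-Cookie header with the wide scope. The function names, the cookie name sessionid and the page fragment being rendered are assumptions made for the illustration; the only input used is the payload already quoted in the post.

```javascript
// Added example (not from the post or the site): output escaping and
// host-only session cookies as the fixes for the issues described above.
// Function names and the "sessionid" cookie name are assumptions.

// Escape the characters that let user input change the structure of an HTML page.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the submitted "User title is for" value is pasted into the
// page as-is, so a <script> element inside it runs in the site's origin.
function renderVulnerable(userTitleFor) {
  return `<p>User title is for: ${userTitleFor}</p>`;
}

// Fixed pattern: escape on output, so the same value is displayed as text.
function renderFixed(userTitleFor) {
  return `<p>User title is for: ${escapeHtml(userTitleFor)}</p>`;
}

// Crude detector used only to show the difference between the two renderers.
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Build the Set-Cookie value for a session. Omitting Domain makes the cookie
// host-only (sent only to the exact host that set it). Domain=.somethingawful.com
// is the setting the post complains about: every subdomain then receives the
// cookie. HttpOnly keeps document.cookie from reading it even if a script runs.
function sessionCookie(sessionId, options = {}) {
  const parts = [
    `sessionid=${encodeURIComponent(sessionId)}`,
    'Path=/',
    'Secure',
    'HttpOnly',
    'SameSite=Lax',
  ];
  if (options.domain) {
    parts.push(`Domain=${options.domain}`); // widens scope to all subdomains
  }
  return parts.join('; ');
}

// Review helper: report a session cookie that is shared across subdomains,
// readable from script, or sent over plain HTTP.
function cookieScopeFindings(setCookieHeader) {
  const attrs = setCookieHeader.split(';').map((p) => p.trim().toLowerCase());
  const findings = [];
  if (attrs.some((a) => a.startsWith('domain='))) {
    findings.push('cookie is shared with every subdomain (Domain attribute set)');
  }
  if (!attrs.includes('httponly')) {
    findings.push('cookie is readable via document.cookie (missing HttpOnly)');
  }
  if (!attrs.includes('secure')) {
    findings.push('cookie may be sent over plain HTTP (missing Secure)');
  }
  return findings;
}

// Constructed sample input: the payload quoted in the post.
const SAMPLE_PAYLOAD = '<script>alert(document.cookie);</script>';

console.log('vulnerable:', renderVulnerable(SAMPLE_PAYLOAD));
console.log('fixed:     ', renderFixed(SAMPLE_PAYLOAD));
console.log('host-only: ', cookieScopeFindings(sessionCookie('abc123')));
console.log('wide scope:', cookieScopeFindings(
  'sessionid=abc123; Domain=.somethingawful.com; Path=/'));
```

Escaping happens at the point where the value is written into HTML, not when the form is received, so the same stored value can be shown safely in any page; narrowing the cookie to the host that needs it means an XSS on some other subdomain no longer yields a forum session.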