full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] XSS in secure.somethingawf

[Full-disclosure] XSS in secure.somethingawful.com at Something Awful AGAIN.

From: jeremy borne <jeremy_borne_again_at_nospam>
Date: Thu May 03 2007 - 13:03:29 GMT
To: full-disclosure@lists.grok.org.uk

A NEW shocking, disturbing and horrifying expose on:

Something Awful

          This edition: Radium's unforgivable sins -- A Regression!

This report is brought to you by: Buttes. What have you had in your butte today?

Sass members post a previous XSS to FD. What happens? They disable the feature. Something Awful no longer accepts donations.

Sass members, knowing full well that former site admin Radium was massively incompetent and didn't understand escaping user input decided to try other fields on secure.somethingawful.com

ORIGINAL POST by slowtax:

In the (http://sass.buttes.org/forum/viewtopic.php?id=523) last thread I showed you the XSS vuln in Something Awful's donation form. Turns out as soon as somebody posted it on:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/53329 Full Disclosure, instead of fixing the underlying problem, they just removed the https://secure.somethingawful.com/forumsystem/index.php?item=donate page from the site.

This was a retarded thing to do, and I now present you with XSS in https://secure.somethingawful.com/forumsystem/index.php?item=others_custom_title

Simply fill the "User title is for" form in with <script>alert(document.cookie);</script> and fill the e-mail address with something that looks legit.

Remember kids, this is all thanks to radium's great session rewrite allowing cookies from *.somethingawful.com :D

Unchecked string in https://secure.somethingawful.com

EXPLOIT: 1. Go to https://secure.somethingawful.com/forumsystem/index.php?item=others_custom_title 2. Enter anything for a username and a legitimate-looking email address. 3. Enter <script>alert(document.cookie);</script> in the "User title is for" field.

Session cookie for any user for SomethingAwful.com. This allows for a trivial session hijack.

Recently, in his infinite brilliance and vastly superior knowledge of website security and web design, Kenneth decided to change all cookies for users of the website to be for the domain *.somethingawful.com. This means that forum session cookies are now available to any subdomain of somethingawful.com. Presumably this was done out of sheer laziness, with no consideration for the possible threat to security.

KEYWORDS: Something Awful, SomethingAwful, XSS, Radium, Identity Theft, Incompetence, Goons, Failure, Idiocy E-PROPS TO: Slowtax, SASS: The Something Awful Sycophant Squad (http://sass.buttes.org) for finding this. REFERENCE: http://sass.buttes.org/forum/viewtopic.php?id=4240 (free registration required). ---------------------------------
Ask a question on any topic and get answers from real people. Go to Yahoo! Answers.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/