A few months ago, I discovered a security flaw in the BLOG beta web application on www.blog.hr. Blog.hr was notified of the flaw around 3 months ago, and I received compensation in the form of banner advertising for the problem description. Since I have not received an answer to my request to make this public in more than a few weeks, I am disclosing it now. As far as I can see, they have not fixed it yet. This advisory is provided under the policy documented at http://www.wiretrip.net/rfp/policy.html.
Here is the explanation.
While editing a blog, the user can access the HTML code of the template. JavaScript code is not filtered in any way. We insert the following code inside the HEAD section of the HTML:
This is a regular XSS+CSRF attack: instead of fetching an image, the visitor's browser sends the cookie data of the guest user. If the visitor is logged on, the cookies are sent to the attacker's server as a GET parameter.
The csrf.php script is a modified HTTP client class (http://www.phpclasses.org/browse/package/576.html). The script creates an HTTP POST request to change the BOX-4 section of the victim's blog (www.blog.hr/edit/?page=blogeditor&menu=2,3), inserting the received cookie data into the request header and setting a valid Referer field. When the request is received on blog.hr, it looks like a valid one.
BOX-4 can also be used for defacement, with a code like:
JavaScript can also be inserted inside the BOX-4 section, so the code could propagate pretty fast.
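The server-side weakness the post relies on is that a valid session cookie plus a correct Referer header is accepted as proof that the editor request is genuine, and that the cookie itself is readable by script injected into the template. The following Python sketch is an added example (not code from the post or from blog.hr) of the two controls that break that chain: issuing the session cookie with HttpOnly so injected script cannot read it, and requiring a session-bound synchronizer token on every editor POST, so a replayed cookie with a forged Referer is rejected. Names, the key and the session store are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo secret and in-memory session store (assumptions, not blog.hr's).
SERVER_KEY = b"constructed-demo-key-replace-in-production"
SESSIONS = {}


def issue_session_cookie(user):
    """Create a session and return a Set-Cookie value with HttpOnly set.
    HttpOnly keeps the cookie out of document.cookie, so a script injected
    into a template cannot exfiltrate it via an image URL."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()


def csrf_token(sid):
    """Synchronizer token bound to the session id; the real editor page
    embeds it in the form, so only a page served to that session has it."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def authorize_editor_post(headers, form):
    """Decide whether a POST to the blog editor may change a template box.
    A known session cookie plus a plausible Referer is not enough: the
    request must also carry the token that matches the session."""
    cookies = SimpleCookie(headers.get("Cookie", ""))
    sid = cookies["sid"].value if "sid" in cookies else None
    if sid is None or sid not in SESSIONS:
        return False
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(csrf_token(sid), supplied)
```

A request that only replays a captured cookie and sets the Referer to the editor URL fails `authorize_editor_post`, while the genuine form submission that includes the token succeeds.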
Here is the video:
Here are the files:
PHP class
PHP script
JS code for XSS
4 comments:
Hi there. Can you upload your video to some file hosting website? Like:
http://www.mediafire.com etc.
I can't see your tut.
Thanks, and your tut is so good.
Hi,
I believe you should be able to see the video.. If there is a problem with playing it, I'll try to find the video and upload it somewhere else..
Nice fill someone in on, and this entry helped me a lot in my college assignment. Gratefulness to you for your information.
I am reading this article for the second time today; you have to be more careful with content leakers. If I find it again I will send you a link.