AOH :: HP Unsorted A :: TB10123.HTM

Another XSS vulnerability in italian Libero.it



Another XSS vulnerability in italian Libero.it
Another XSS vulnerability in italian Libero.it



Permanent Url:  

After the report of Rosario Valotta on this ML, another XSS vulnerability
has been found on Libero.it, one of the most important italian ISP
(www.libero.it). 

Nothing more than a trivial error but, since Libero.it staff used the
printed media to inform that Rosario's find was just a "spot" issue, it is
important to demonstrate that this kind of errors are quite more
widespread and to let the Libero staff and management realize that a
potential attack must be avoid by a deep check of the portal.

The vulnerability once again can be found in the "Community" section
of Libero portal, and the affected functionality is the profile
creation and retrieval

. 

The implementation of this functionality allows the injection of
malicious code in the profile, so that an attacker by visiting his/her
profile can:

1) steal username (in cookie)
2) steal cookies
3) arbitrary redirection for Phishing purpose

The normal URL would be something linked like this:

http://digiland.libero.it/profilo.phtml?nick=Nick&top=1 

where "Nick" is the name of the nick whose profile has been
manipulated or crafted to add arbitrary code.

This vulnerability closely resemble to those in MySpace and other
communities.
So it's nothing really complicated and you can skip on from here on ;)

In admin pages (need to be logged by creating a fake account) on page

http://digiland.libero.it/profilo_add.php?nocache=1175076655 

there are two different fields named "I miei difetti:" (my defects)
and "i miei pregi:" (my strong points) that accept arbitrary content.

As stated by Rosario, the Libero.it web application performs a simple
parsing of the posted content, so that quote and double-quote (' and ")
chars are escaped by putting a \ before of them (both using ASCII and URL
encoding).

While I already had the Rosario's beautiful implementation of a simple
evasion technique I preferred to encode the single char in an old
snippet of mine.
The aim of the snippet (I don't remember if I made it, stole it, stole
only the main idea or where, sorry)  is to transform a string into a
series of char numbers to be used with a String.fromCharCode command.
Due to the limitation in size, the function which create the
String.fromCharCode sequence is a detached and ascii value is
decreased of 100 to limit the number of digits.
This is the creation snippet:

 

So URL "http://www.lastknight.com" is rendered as: 

e(4)+e(16)+e(16)+e(12)+e(-42)+e(-53)+e(-53)+e(19)+e(19)
+e(19)+e(-54)+e(8)+e(-3)+e(15)+e(16)+e(7)+e(10)+e(5)+e(3)
+e(4)+e(16)+e(-54)+e(-1)+e(11)+e(9);


Using the tho box we can use the following code for a POC:

 [BOX 1]
 

 [BOX 2]
 

The posting url can be easily modified to an http grabber such as:

 

Just my 2 cents and thanks to:

 for the first report, upon which this is based
 for help in JS ;)
 for consultancy and typo-killing ;)


Greetings,

MgpF


Permanent Url:  

-- 
Matteo G.P. Flora | mf@matteoflora.com | www.MatteoFlora.com 
pgp F3B6BC10 | blog www.LastKnight.com | M1S3c | OPSI 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.