Re: [Full-disclosure] HomestayFinder XSS Vulnerability in Wikipedia Mirror



http://www.homestayfinder.com/Dictionary.aspx?q=User:Susam_pal/Sandbox
now redirects to
http://www.inglesnoexterior.com/dictionary.aspx?q=User:Susam_pal/Sandbox

Vulnerable script moved to another domain. To protect the cookies of
homestayfinder.com???

Wondering whether this kinda attack would be called persistent XSS or
something else? This is a case where the attack vector goes into one
site and the vector exploits another site. How to classify this?

On 7/11/07, Susam Pal <susam@xxxxxxxx> wrote:
Hi Matjaz,

I just checked it and I find it to be working with the browsers I have
(tested with Firefox 2.0.0.3 and Internet Explorer 7).

http://www.homestayfinder.com/Dictionary.aspx?q=User:Susam_pal/Sandbox
demonstrates the vulnerability.

http://en.wikipedia.org/wiki/User:Susam_pal/Sandbox is the page where
the script is hosted. The script present in Wikipedia exploits the XSS
vulnerability in HomestayFinder's Dictionary.aspx script.

Regards,
Susam Pal

Matjaz Debelak writes:

Well, it does not appear to work for me in any browser (tested Firefox
2.0.0.3 and Konqueror).

LP Killer_X

Susam Pal wrote:
There is an XSS vulnerability in HomestayFinder's 'Dictionary.aspx'
script which is responsible for mirroring the content of Wikipedia. I
found this interesting because here a script injected in one website
exploits an XSS vulnerability in another website.

I am including only a short example to demonstrate the issue. The
complete document is available at:-
http://susam.in/security/advisory-2007-07-11.txt

http://en.wikipedia.org/wiki/User:Susam_pal/Sandbox consists of the
following as the source wiki markup:

<script>alert('XSS Demo')</script>

http://www.homestayfinder.com/Dictionary.aspx?q=User:Susam_pal/Sandbox
consists of the same code as HTML without the special characters encoded
as HTML entities. Hence, the script is executed on the browser of the
visitor.

Contact Information:-
Susam Pal
susam@xxxxxxxx
http://susam.in/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • SecurityFocus Microsoft Newsletter #83
    ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft IIS CodeBrws.ASP Source Code Disclosure Vulnerability ... Microsoft Internet Explorer History List Script Injection ... Microsoft Windows 2000 Lanman Denial of Service Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #84
    ... The most critical piece of vulnerability assessment is remediation. ... MICROSOFT VULNERABILITY SUMMARY ... IcrediBB Script Injection Vulnerability ... WorkforceROI XPede Unprotected Administrative Facilities... ...
    (Focus-Microsoft)
  • Secunia Research: cPanel Entropy Chat Script Insertion Vulnerability
    ... cPanel & WebHost Manager is a next generation web hosting ... Secunia Research has discovered a vulnerability in cPanel, ... Entropy Chat script isn't properly sanitised before being used. ... Discovered by Andreas Sandblad, Secunia Research. ...
    (Bugtraq)
  • [Full-disclosure] Re: Google Groups e-mail disclosure in plain text
    ... I'm anti Secunia, as they host FD, ... 2006-22 Blazix Web Server JSP Source Code Disclosure Vulnerability ... 2006-15 RaidenHTTPD Script Source Disclosure Vulnerability ... 2006-5 NJStar Word Processor Font Name Buffer Overflow ...
    (Full-Disclosure)
  • SecurityFocus Microsoft Newsletter #91
    ... SecurityFocus Microsoft Newsletter #91 ... Multiple Bugzilla Security Vulnerabilities ... Geeklog pid CGI Variable SQL Injection Vulnerability ... Geeklog Calendar Event Form Script Injection Vulnerability ...
    (Focus-Microsoft)