Full Disclosure mailing list archives
Re: Severe vulnerability in https://secure.somethingawful.com
From: evilrabbi <evilrabbi () gmail com>
Date: Wed, 25 Apr 2007 20:40:28 -0500
haha.. classic... On 4/25/07, Pedro Martinez <sassycophants () cyberdude com> wrote:
A shocking, disturbing and horrifying expose on ____ __ _ ___ ___ __ / __/__ __ _ ___ / /_(_)__ ___ _ / _ |_ __/ _/_ __/ / _\ \/ _ \/ ' \/ -_) __/ / _ \/ _ `/ / __ | |/|/ / _/ // / / /___/\___/_/_/_/\__/\__/_/_//_/\_, / /_/ |_|__,__/_/ \_,_/_/ /___/ This edition: Radium's unforgivable sins This report is brought to you by: Buttes. What have you had in your butte today? -------------------------------------------------------------------------------- BACKGROUND: Meet Radium. Seemingly a typical user handle for a forum. Convenient to hide behind, and creative compared to "DiQuELiCkUr69" or similar popular forum handles. This is the handle of Kenneth Stumpf, the administrator of Something Awful. Those who follow Something Awful's drama are well aware that he was recently "fired" from his position as an administrator at Something Awful. This has been debunked as a blatant lie on the part of the administration team, not totally unexpectedly, since any sane human being realizes that Richard "Lowtax" Kyanka is a compulsive liar and crook. In light of these recent developments it was thought prudent to disclose a very disturbing XSS exploit found in SomethingAwful's "Secure" ordering system. Every "goon" (derrogatory nickname for a SomethingAwful user) must use this very broken and insecure system to perform their day-to-day transactions on the website, such as registering an acccount (at a cost of $10), purchasing an avatar image (an additional $10), purchasing the ability to search for previous posts (an additional $10), purchasing an emoticon (an additional $35) or when purchasing a banner ad (usually at $10 per ad, depending on the purpose). DESCRIPTION: Unchecked string in https://secure.somethingawful.com EXPLOIT: 1. Go to https://secure.somethingawful.com/forumsystem/index.php?item=donate 2. Enter anything for a username and a legitimate-looking email address. 3. Enter <script>alert(document.cookie);</script> in the Donate field. RESULT: Session cookie for any user for SomethingAwful.com. This allows for a trivial session hijack. CAUSE: Recently, in his infinite brilliance and vastly superior knowledge of website security and web design, Kenneth decided to change all cookies for users of the website to be for the domain *.somethingawful.com. This means that forum session cookies are now available to any subdomain of somethingawful.com. Presumably this was done out of sheer laziness, with no consideration for the possible threat to security. KEYWORDS: Something Awful, SomethingAwful, XSS, Radium, Identity Theft, Incompetence, Goons, Failure, Idiocy E-PROPS TO: SASS: The Something Awful Sycophant Squad ( http://sass.buttes.org) for finding this. REFERENCE: http://sass.buttes.org/forum/viewtopic.php?id=523 (free registration required). = Industrial Power Products Industrial batteries and chargers for forklifts - parts, accessories, safety items, and handling equipment. http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=fb7d9bc44fd159097c65a6251bd721df _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- -- h0 h0 h0 -- www.nopsled.net
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Severe vulnerability in https://secure.somethingawful.com Pedro Martinez (Apr 25)
- Re: Severe vulnerability in https://secure.somethingawful.com evilrabbi (Apr 25)