<div>Orkut Multiple Cross Site Scripting Vulnerabilities</div> <div> </div> <div>#####################################################################</div> <div>XDisclose Advisory : XD100092<BR>Vulnerability Discovered: November 18th 2006<BR>Advisory Released : December 08th 2006<BR>Credit : Rajesh Sethumadhavan</div> <div>Class : Cross Site Scripting<BR> HTML
Injection<BR>Severity : Medium<BR>Solution Status : Unpatched<BR>Vendor : Google Inc<BR>Vendor Website : <A href="http://www.orkut.com">http://www.orkut.com</A><BR>Affected applications : Orkut Services<BR>Affected Platform : All</div> <div>#####################################################################</div> <div><BR>Overview:<BR>Orkut is an Internet social network service run by Google and named after its creator, Orkut Büyükkökten. It claims to be designed to help users meet new friends and maintain existing relationships with pictures and messages, and to establish new ones by reaching out to people you've never met before.</div> <div> </div> <div>The Orkut service is vulnerable to Cross-Site Scripting and HTML Injection. This is caused by improper validation of user-supplied input.</div> <div><BR>Description:<BR>A remote attacker can craft a GET request carrying an XSS payload, as demonstrated below. When the victim follows the link, the payload executes in the victim's browser, which can result in theft of cookies, IP information, referrer information, browser information, clipboard content, operating system information and hardware information, modification of the page or HTML injection, URL redirection, port scanning of the network, and even phishing.</div> <div>1) Orkut Invite XSS:</div> <div> The flaw is due to improper sanitization of input passed to the 'continue' parameter of a GET request.<BR>
-------------------------------------------------------------------<BR> <A href="http://www.orkut.com/Invite.aspx?continue=javascript:alert(document.cookie)">http://www.orkut.com/Invite.aspx?continue=javascript:alert(document.cookie)</A><BR> ------------------------------------------------------------------</div> <div>Demonstration:<BR>Note: the demonstration discloses your own personal information.</div> <div>- Log in to your Orkut account<BR>- Paste the above URL<BR>- Click on the BACK button<BR>- Your Orkut cookies will be displayed</div> <div> HTML injection is possible in the same way.</div> <div> Vulnerable Code (the 'continue' value is reflected unchanged into the onclick handler):<BR> ------------------------------------------------------------------</div> <div> &lt;td valign="top"&gt;<BR> &lt;table class="btn" border="0" cellpadding="0" cellspacing="0"<BR> onmouseover="this.className='btnHover'" onmouseout="this.className='btn'"&gt;<BR> &lt;tr style="cursor: pointer;" onclick="window.location='javascript:alert(document.cookie)';" id="b0"&gt;<BR> &lt;td&gt;&lt;img src="http://images3.orkut.com/img/bl.gif" alt="" /&gt;&lt;/td&gt;<BR> &lt;td nowrap style="background: url(http://images3.orkut.com/img/bm.gif)"&gt;back<BR> &lt;/td&gt;</div> <div> ------------------------------------------------------------------</div> <div>2) Orkut Next page XSS:</div> <div> The flaw is due to improper sanitization of input passed to the 'nid' parameter of a GET request. This vulnerability was already fixed two days earlier.<BR> GET request with XSS payload:<BR> ------------------------------------------------------------------<BR> <A href="http://www.orkut.com/Scrapbook.aspx?uid=3595989687719502785&pageSize=&na=3&nst=-2&nid=13550271097807907792-%22};%20alert('Xdisclose');%20function%20tt(){//">http://www.orkut.com/Scrapbook.aspx?uid=3595989687719502785&pageSize=&na=3&nst=-2&nid=13550271097807907792-%22};%20alert('Xdisclose');%20function%20tt(){//</A><BR> ------------------------------------------------------------------</div> <div> Vulnerable Code (the 'nid' value closes the string literal and the function body, so the injected alert runs when the script loads):<BR> ------------------------------------------------------------------</div> <div> function changePageSize(value) {<BR> window.location="/Scrapbook.aspx?uid=3595989687719502785&na=1&nst=1&nid=13550271097807907792-"}; alert('Xdisclose');<BR> function tt(){//&pageSize="+value;<BR> }</div> <div> ------------------------------------------------------------------</div> <div><BR>Solution:<BR>Orkut can improve its filters by disallowing characters such as &lt;&gt;/\?&`~!@#$%^*()[]|;:"' in user-supplied URL input.</div>
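As an added example (not Orkut's or XDisclose's code), the following Node.js snippet shows how a defender would handle the two reflected parameters above with allow-list validation and context-specific output encoding rather than the character blacklist proposed in the Solution; the function names, the fallback path and the sample inputs are the editor's own assumptions.

```javascript
// Added example, not Orkut's or XDisclose's code: context-aware handling of the two
// reflected parameters from the advisory, for Node.js. Names and the fallback path
// are the editor's own assumptions.

// 1) 'continue' is a navigation target. Instead of blacklisting characters, accept
//    only an in-site path: a single leading "/" (not "//") and a restricted charset,
//    so a "javascript:" URL can never reach window.location.
const SAFE_PATH = /^\/(?!\/)[A-Za-z0-9\/._~\-?=&%]*$/;

function safeContinueTarget(value, fallback = '/') {
  return typeof value === 'string' && SAFE_PATH.test(value) ? value : fallback;
}

// Escape for an HTML attribute value so the validated path can sit inside href="...".
function htmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe replacement for the "back" button: a plain link, no inline event handler.
function renderBackLink(continueParam) {
  return `<a href="${htmlAttr(safeContinueTarget(continueParam))}">back</a>`;
}

// 2) 'nid' is written into a JavaScript string literal inside a <script> block.
//    Escape every character outside a small safe set as \uXXXX, so the value cannot
//    close the string literal, the function body, or the enclosing <script> element.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The page's changePageSize() generator, with both parameters encoded for JS context.
function renderChangePageSize(uid, nid) {
  return [
    'function changePageSize(value) {',
    `  window.location = "/Scrapbook.aspx?uid=${escapeForJsString(uid)}` +
      `&na=1&nst=1&nid=${escapeForJsString(nid)}&pageSize=" + value;`,
    '}',
  ].join('\n');
}

// Constructed inputs: the two payloads from the advisory, URL-decoded.
const CONTINUE_PAYLOAD = 'javascript:alert(document.cookie)';
const NID_PAYLOAD = '13550271097807907792-"}; alert(\'Xdisclose\'); function tt(){//';

console.log(renderBackLink(CONTINUE_PAYLOAD));
console.log(renderChangePageSize('3595989687719502785', NID_PAYLOAD));
```

The encoded 'nid' round-trips to its original value when the generated script runs, so the scrapbook URL still carries the parameter verbatim while the injected alert never becomes code.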
<div><BR>Screenshot:<BR><A href="http://www.xdisclose.com/Images/xdorkutinvitexss.jpg">http://www.xdisclose.com/Images/xdorkutinvitexss.jpg</A></div> <div><BR>Impact:<BR>Successful exploitation allows execution of arbitrary script code in a user's browser session in the context of the affected site, which can result in theft of cookies, IP information, referrer information, browser information, clipboard content, operating system information and hardware information, modification of the page or HTML injection (temporary web page defacement), modification of the page title, hijacking of the page flow, URL redirection, port scanning of the victim's network, and even phishing.</div> <div>The impact of the vulnerability is at network level.</div> <div><BR>Original Advisory:<BR><A href="http://www.xdisclose.com/XD100092.txt">http://www.xdisclose.com/XD100092.txt</A></div> <div><BR>Credits:<BR>Rajesh Sethumadhavan has been credited with the discovery of this vulnerability.</div>
<div><BR>Disclaimer:<BR>This entire document is strictly for educational, testing and demonstration purposes only. Modifying, using and/or publishing this information is entirely at your own risk. The exploit code is to be used on your own Orkut account only. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.<BR></div>