Orkut Group Cross Site Scripting Vulnerability<br><br>#####################################################################<br><br>XDisclose Advisory : XD100098<br>Vulnerability Discovered: December 08th 2006<br>Advisory Released : December 12th 2006<br>Credit : Rajesh Sethumadhavan<br>Class : Cross Site Scripting<br> HTML
Injection<br>Severity : Medium<br>Solution Status : Unpatched/Vendor notified<br>Vendor : Google Inc<br>Vendor Website : http://www.orkut.com<br>Affected applications : Orkut Services<br>Affected Platform : All<br><br>#####################################################################<br><br><br>Overview:<br>Orkut is an Internet social network service run by Google with more<br>than 37 million total members and nearly 1.3 million daily visitors.<br>It claims to be designed to help users meet new friends and maintain<br>existing relationships with
pictures and messages, and establish new<br>ones by reaching out to people you've never met before.<br><br>Orkut service is vulnerable to Cross-Site Scripting and HTML Injection.<br>This is caused due to improper validation of user-supplied inputs.<br><br><br>Description:<br>A remote attacker can craft a GET request with the XSS payload as<br>demonstrated below. When the victim access the mailcious URL payload<br>will get executed which result in stealing of cookie, IP info, refer<br>info, browser information, clipboard content, operating system info,<br>hardware Info, modification of page or html injection, url redirection,<br>port scanning of the network, and even phishing is possible.<br><br>1)Orkut Invite XSS:<br><br> The flaws are due to improper sanitization of inputs passed to<br> 'show' parameter in GET request<br> -------------------------------------------------------------------<br>
http://www.orkut.com/Friends.aspx?show=group1);alert(document.cookie<br> ------------------------------------------------------------------<br><br>Demonstration:<br>Note: Demonstration leads to your personal information disclosure<br><br>- Login to your orkut account<br>- Paste the above URL<br>- Click on 'delete group' & 'ok' button<br>- Orkut Cookies will get displayed<br><br> The similar way HTML injection is also possible.<br><br> Vulnerable Code:<br> ------------------------------------------------------------------<br><br> < a href="javascript:handleDeleteGroup('', 1);alert(document.cookie);"><br><br> ------------------------------------------------------------------<br><br><br>Solution:<br>Orkut can improve their filters by disallowing certain characters<br>like " <>/\?&`~!@#$%^*()[]|;:"' " in user input URL.<br><br><br>Screenshot:<br>http://xdisclose/images/xdorkutgroupxss.jpg<br><br><br>Impact:<br>Successful
exploitation allows execution of arbitrary script code in<br>a user’s browser session in context of an affected site which result<br>in stealing of cookie, IP info, refer info, browser information,<br>clipboard content, operating system info, referrer info, hardware Info,<br>modification of page or html injection (temporary webpage defacement),<br>modification of page title, hijacking page flow, url redirection, port<br>scanning of the victim’s network, and even phishing is possible.<br><br>Impact of the vulnerability is network level.<br><br><br>Original Advisory:<br>http://www.xdisclose.com/XD100098.txt<br><br><br>Credits:<br>Rajesh Sethumadhavan has been credited with the discovery of this<br>vulnerability<br><br><br>Disclaimer:<br>This entire document is strictly for educational, testing and<br>demonstrating purpose only. Modification use and/or publishing this<br>information is entirely on your own risk. The exploit code is to be<br>used on your own orkut account. I
am not liable for any direct or<br>indirect damages caused as a result of using the information or<br>demonstrations provided in any part of this advisory.<p> 
<hr size=1>Have a burning question? Go to <a href="http://answers.yahoo.com/;_ylc=X3oDMTFvbGNhMGE3BF9TAzM5NjU0NTEwOARfcwMzOTY1NDUxMDMEc2VjA21haWxfdGFnbGluZQRzbGsDbWFpbF90YWcx">Yahoo! Answers</a> and get answers from real people who know.