haha.. classic...<br><br><div><span class="gmail_quote">On 4/25/07, <b class="gmail_sendername">Pedro Martinez</b> <<a href="mailto:sassycophants@cyberdude.com">sassycophants@cyberdude.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
A shocking, disturbing and horrifying expose on<br> ____ __ _ ___ ___ __<br> / __/__ __ _ ___ / /_(_)__ ___ _ / _ |_ __/ _/_ __/ /<br> _\ \/ _ \/ ' \/ -_) __/ / _ \/ _ `/ / __ | |/|/ / _/ // / /
<br> /___/\___/_/_/_/\__/\__/_/_//_/\_, / /_/ |_|__,__/_/ \_,_/_/<br> /___/ This edition: Radium's unforgivable sins<br><br>This report is brought to you by: Buttes. What have you had in your butte today?
<br>--------------------------------------------------------------------------------<br><br>BACKGROUND:<br>Meet Radium. Seemingly a typical user handle for a forum. Convenient to hide<br>behind, and creative compared to "DiQuELiCkUr69" or similar popular forum
<br>handles.<br><br>This is the handle of Kenneth Stumpf, the administrator of Something Awful.<br>Those who follow Something Awful's drama are well aware that he was recently<br>"fired" from his position as an administrator at Something Awful. This has been
<br>debunked as a blatant lie on the part of the administration team, not totally<br>unexpectedly, since any sane human being realizes that Richard "Lowtax" Kyanka<br>is a compulsive liar and crook.<br><br>In light of these recent developments it was thought prudent to disclose a very
<br>disturbing XSS exploit found in SomethingAwful's "Secure" ordering system.<br>Every "goon" (derogatory nickname for a SomethingAwful user) must use this very<br>broken and insecure system to perform their day-to-day transactions on the
<br>website, such as registering an account (at a cost of $10), purchasing an<br>avatar image (an additional $10), purchasing the ability to search for previous<br>posts (an additional $10), purchasing an emoticon (an additional $35) or
<br>purchasing a banner ad (usually at $10 per ad, depending on the purpose).<br><br>DESCRIPTION:<br>Unchecked string in <a href="https://secure.somethingawful.com">https://secure.somethingawful.com</a><br><br>EXPLOIT:
<br>1. Go to <a href="https://secure.somethingawful.com/forumsystem/index.php?item=donate">https://secure.somethingawful.com/forumsystem/index.php?item=donate</a><br>2. Enter anything for a username and a legitimate-looking email address.
<br>3. Enter &lt;script&gt;alert(document.cookie);&lt;/script&gt; in the Donate field.<br><br>RESULT:<br>Session cookie for any user for SomethingAwful.com. This allows for a trivial<br>session hijack.<br><br>CAUSE:<br>Recently, in his infinite brilliance and vastly superior knowledge of website
<br>security and web design, Kenneth decided to change all cookies for users of<br>the website to be for the domain *.somethingawful.com. This means that forum<br>session cookies are now available to any subdomain of <a href="http://somethingawful.com">
somethingawful.com</a>.<br>Presumably this was done out of sheer laziness, with no consideration for the<br>possible threat to security.<br><br>KEYWORDS: Something Awful, SomethingAwful, XSS, Radium, Identity Theft,<br> Incompetence, Goons, Failure, Idiocy
<br><br>E-PROPS TO: SASS: The Something Awful Sycophant Squad (<a href="http://sass.buttes.org">http://sass.buttes.org</a>)<br> for finding this.<br><br>REFERENCE: <a href="http://sass.buttes.org/forum/viewtopic.php?id=523">
http://sass.buttes.org/forum/viewtopic.php?id=523</a> (free registration<br> required).<br><br>_______________________________________________
<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">
http://secunia.com/</a><br></blockquote></div><br><br clear="all"><br>-- <br>-- h0 h0 h0 --<br><a href="http://www.nopsled.net">www.nopsled.net</a>
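<br><br>Added example, not part of the thread above and not code from the list poster or from the site discussed: the two halves of the report side by side, in Node.js. First, the reflection bug itself, with the poster's payload echoed raw into a page and then HTML-escaped (the post does not say where the Donate value was reflected; a thank-you line is assumed here). Second, RFC 6265 cookie domain matching, to show why widening the forum session cookie from a host-only cookie to the parent domain lets a script running on the "secure" subdomain read it. The host name forums.somethingawful.com for the forum is an assumption; the post only says "forum session cookies".<br>

```javascript
"use strict";

// Minimal HTML escaping for text content: the five characters that matter.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the submitted Donate value is echoed into the page unchanged.
// Reflection point assumed for illustration (the post does not state it).
function renderThanksVulnerable(donate) {
  return `<p>Thank you for your donation of ${donate}.</p>`;
}

// Hardened: same page, value escaped before it is placed in text content.
// (Attribute, URL and script contexts each need their own encoding.)
function renderThanksSafe(donate) {
  return `<p>Thank you for your donation of ${escapeHtml(donate)}.</p>`;
}

// RFC 6265 section 5.1.3 domain matching: the request host matches a cookie
// Domain attribute if they are equal, or if the host ends with "." + domain
// and the host is not an IP address. A leading dot in the attribute is ignored.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.replace(/^\./, "").toLowerCase();
  if (host === domain) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4 && host.endsWith("." + domain);
}

// Is a cookie set by `setByHost` sent along with a request to `requestHost`?
// domainAttr === null models a host-only cookie (no Domain attribute): it goes
// back only to the exact host that set it.
function cookieSentTo(setByHost, domainAttr, requestHost) {
  if (domainAttr === null) {
    return requestHost.toLowerCase() === setByHost.toLowerCase();
  }
  return domainMatches(requestHost, domainAttr);
}

// The scenario in the post: script injected on secure.somethingawful.com
// tries to read the forum session cookie. Forum host name is assumed.
const FORUM_HOST = "forums.somethingawful.com";
const SECURE_HOST = "secure.somethingawful.com";

function sessionCookieReachable(domainAttr) {
  return cookieSentTo(FORUM_HOST, domainAttr, SECURE_HOST);
}

// Payload exactly as given in the post.
const PAYLOAD = "<script>alert(document.cookie);</script>";

function demo() {
  console.log("vulnerable:", renderThanksVulnerable(PAYLOAD));
  console.log("escaped:   ", renderThanksSafe(PAYLOAD));
  console.log("host-only forum cookie readable from secure.*:",
    sessionCookieReachable(null));
  console.log("Domain=.somethingawful.com cookie readable from secure.*:",
    sessionCookieReachable(".somethingawful.com"));
}

demo();
```

<br>The second half is the practitioner's takeaway from the report: the XSS alone leaks only cookies scoped to the ordering host, and it is the Domain=.somethingawful.com change that turns a bug on one subdomain into a forum session hijack. Note that escaping as shown is correct for text content only; a value placed inside an attribute, a URL or a script block needs the encoding for that context.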