orkut-xss.txt
Posted on 09 December 2006
Orkut Multiple Cross Site Scripting Vulnerabilities ##################################################################### XDisclose Advisory : XD100092 Vulnerability Discovered: November 18th 2006 Advisory Released : December 08th 2006 Credit : Rajesh Sethumadhavan Class : Cross Site Scripting HTML Injection Severity : Medium Solution Status : Unpatched Vendor : Google Inc Vendor Website : http://www.orkut.com Affected applications : Orkut Services Affected Platform : All ##################################################################### Overview: Orkut is an Internet social network service run by Google and named after its creator, Orkut Büyükkökten. It claims to be designed to help users meet new friends and maintain existing relationships with pictures and messages, and establish new ones by reaching out to people you've never met before. Orkut service is vulnerable to Cross-Site Scripting and HTML Injection. This is caused due to improper validation of user-supplied inputs. Description: A remote attacker can craft a GET request with the XSS payload as demonstrated below. When the victim clicks on the GET request the payload will get executed which result in stealing of cookie, IP info, refer info, browser information, clipboard content, operating system info, hardware Info, modification of page or html injection, url redirection, port scanning of the network, and even phishing is possible. 1)Orkut Invite XSS: The flaws are due to improper sanitization of inputs passed to 'continue' parameter in GET request ------------------------------------------------------------------- http://www.orkut.com/Invite.aspx?continue=javascript:alert(document.cookie) ------------------------------------------------------------------ Demonstration: Note: Demonstration leads to your personal information disclosure - Login to your orkut account - Paste the above URL - Click on BACK button - Orkut Cookies will get displayed The similar way HTML injection is also possible. Vulnerable Code: ------------------------------------------------------------------ <td valign="top"> <table class="btn" border="0" cellpadding="0" cellspacing="0" onmouseover="this.className='btnHover'" onmouseout="this.className ='btn'"> <tr style="cursor: pointer;" onclick="window.location='javascript: alert(document.cookie)';" id="b0"> <td><img src="http://images3.orkut.com/img/bl.gif" alt="" /></td> <td nowrap style="background: url (back'>http://images3.orkut.com/img/bm.gif)">back </td> ------------------------------------------------------------------ 2)Orkut Next page XSS: The flaws are due to improper sanitization of inputs passed to 'nid' parameter in GET request. This vulnerability is already fixed 2 days before Get Request with XSS payload: ------------------------------------------------------------------ http://www.orkut.com/Scrapbook.aspx?uid=3595989687719502785&pageSize =&na=3&nst=-2&nid=13550271097807907792-%22};%20alert('Xdisclose');% 20function%20tt(){// ------------------------------------------------------------------ Vulnerable Code: ------------------------------------------------------------------ function changePageSize(value) { window.location="/Scrapbook.aspx?uid=3595989687719502785&na= 1&nst=1&nid=13550271097807907792-"}; alert('Xdisclose'); function tt(){//&pageSize="+value; } ------------------------------------------------------------------ Solution: Orkut can improve their filters by disallowing certain characters like " <>/?&`~!@#$%^*()[]|;:"' " in user input URL. Screenshot: http://www.xdisclose.com/Images/xdorkutinvitexss.jpg Impact: Successful exploitation allows execution of arbitrary script code in a user
