House of Hackers

Just a notice, as this will probably be fixed in a short amount of time - I can add persistent XSS to the group page. I first noticed this yesterday when I was fooling around with URL XSS attempts, and then followed up with form injections. The hole is in the group "url" field, and is easily exploited, although I haven't tested for form length (I assume there is no limitation; if there is, then a simple link to an external file is sufficient to get around this). This was again noticed by .Mario (of sla.ckers and gnucitizen.org) sometime today during his tests on the site, and he has a PoC group page up for disclosure in case anyone doesn't understand what I mean. There are still more holes in the site, but persistent XSS is always fun ;) Luckily for us, Ning actually responds rather quickly to disclosure, and as such we should be able to get this web portal locked down and secure within the next week or so - they're getting free security tips, and we're getting a free community portal. Hmm, can we write apps for Ning? There's plenty of stuff I would like to add to this system.

Post your XSS finds for ning.com here, and I'll forward them onto the ning security team. Don't forget you can use subdomains too if they're applicable. If for SOME reason an SQL hole is lying around, I'd prefer you disclose it to ning yourself - leaving it out in the open on a public forum isn't desirable :)

Edit: I've used this hole to hack our group page - it looks pretty now ;) (no javascript involved, I'm not hacking you!)

--------------------------------
User submitted XSS List:
--------------------------------
Blog Post by Wildcat on multiple XSS vulns & their status.
Group Page by Sam Aldis that uses Javascript CSRF to submit a message form to PDP.
PoC by Sam Aldis - reflective XSS.

Post by Fragge.

Tags: css, exploit, hack, ning, web, xss
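
Added example (not from the original post, and not Ning's code): the kind of server-side handling a group "url" field needs so that a stored value cannot carry markup into every visitor's page. It assumes the field should only ever hold an absolute http(s) link, puts raw string concatenation beside validated-and-escaped rendering, and uses constructed sample values throughout; the length limit is made up, since the post says the real field's limit was never tested.

```python
import html
from urllib.parse import urlsplit

# Schemes a group "url" field may legitimately carry (an assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 255  # constructed limit; the thread notes the real field was untested for length


def validate_group_url(value: str) -> str:
    """Return the value if it is a plain absolute http(s) URL, otherwise raise ValueError.

    The scheme allow-list rejects javascript:/data: style values, the netloc check
    rejects relative or empty values, and the control-character check rejects the
    whitespace and newlines that parsers and browsers treat inconsistently.
    """
    value = value.strip()
    if len(value) > MAX_URL_LENGTH:
        raise ValueError("url too long")
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        raise ValueError("url contains control characters or whitespace")
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("url must be an absolute http(s) URL")
    return value


def is_valid_group_url(value: str) -> bool:
    """Boolean wrapper around validate_group_url for form handlers and tests."""
    try:
        validate_group_url(value)
        return True
    except ValueError:
        return False


def render_link_unsafe(url: str) -> str:
    """Raw concatenation: the pattern that turns a stored field into persistent XSS."""
    return '<a href="' + url + '">' + url + '</a>'


def render_link_safe(url: str) -> str:
    """Validate on the way in, then escape for the attribute and text contexts on the way out.

    Validation alone is not enough: a quote or an angle bracket is a legal URL character,
    so a value can pass the scheme check and still close the attribute if it is not escaped.
    """
    clean = validate_group_url(url)
    escaped = html.escape(clean, quote=True)
    return f'<a href="{escaped}">{escaped}</a>'


if __name__ == "__main__":
    # Constructed sample: a syntactically valid URL whose path closes the attribute and opens a tag.
    sample = 'http://example.com/"><i>x</i>'
    print(render_link_unsafe(sample))  # the <i> element lands in the page
    print(render_link_safe(sample))    # the same bytes, rendered as inert text
```

The two halves do different jobs: the scheme and character checks keep junk out of the database, and the context-aware escaping keeps the page intact even when a value that was legal on input is later written into an attribute.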

Replies to This Discussion

Here you find some more vulnerabilities ^^

Cheers, I will link to your blog post in the original thread. We over at sla.ckers.org will continue to pentest ning until it's completely patched :)

Was going to wait until pdp looked at the darkstar group
and change the front page because I created an auto submit form
that uses CSRF but that's probably a bit harsh :/
anyways you can see the XSS in action here

:P you should probably change that to the XSS in the "tags" field of a blog as a PoC, otherwise you'll get people to your group page who get CSRF'd. Funny though, I was actually planning to edit Mario's PoC page for him to change your account details :< but yeah, I thought it would be too harsh an action and thus just played with the HTML on my page ^^

Cheers

If anyone wants it, here are the required
inputs on the form to change the front page..

<form id="profile_form" method="post" enctype="multipart/form-data" action="http://houseofhackers.ning.com/main/admin/appProfile">
  <input type="hidden" name="successTarget"/>
  <input type="hidden" name="oldAppName" value="darkstar" />
  <input type="text" name="name" value="darkstar" id="profile_app_name" class="textfield large required" size="40" maxlength="64"/>
  <input type="text" name="tagline" value="DarkStar" id="profile_app_tagline" class="textfield large" size="40" maxlength="80"/>
  <textarea name="description" id="profile_app_description" cols="38" rows="5">Hmm This is just a PoC.</textarea>
  <input type="text" name="tags" value="hacking, it, security, programming, underground" id="profile_app_tags" class="textfield" size="40"/>
  <select name="locale" id="profile_app_language">
    <option value="en_GB" selected="selected">English (British)</option>
  </select>
</form>

I wouldn't suggest doing it though because it
is kinda obvious who did it.
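
Added example, not Ning's code and not from the post above: the synchroniser-token check that would make the auto-submitted form above fail, built around the fields that form actually posts (oldAppName, name, tagline) and the site origin from its action URL. The session store, the hypothetical appProfile handler, the Origin comparison and every session id and token are assumptions constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Site origin taken from the posted form's action URL; everything else here is constructed.
SITE_ORIGIN = "http://houseofhackers.ning.com"


class CsrfGuard:
    """Synchroniser-token pattern: one unguessable token per session, required on every
    state-changing POST and compared in constant time."""

    def __init__(self) -> None:
        # session id -> token; an in-memory stand-in for a real server-side session store
        self._tokens: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def hidden_field(self, session_id: str) -> str:
        """The extra input a legitimate admin form must carry; token_urlsafe output is attribute-safe."""
        token = self._tokens.get(session_id) or self.issue(session_id)
        return f'<input type="hidden" name="csrf_token" value="{token}"/>'

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


def handle_app_profile_post(guard: CsrfGuard, session_id: str, form: Dict[str, str],
                            origin: Optional[str]) -> Tuple[int, str]:
    """Hypothetical handler for the appProfile action.

    The browser attaches the victim's cookies to a cross-site POST, so a valid session
    proves nothing on its own; the token (and the Origin header, when the browser sends
    one) is what ties the request to a page this site served.
    """
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    if not guard.verify(session_id, form.get("csrf_token")):
        return 403, "missing or invalid csrf_token"
    if not form.get("name"):
        return 400, "name is required"
    return 200, f"network renamed from {form.get('oldAppName', '?')} to {form['name']}"


def demo() -> Tuple[int, int]:
    """Constructed walk-through: the thread's auto-submit form (no token) versus the same
    fields posted from a page that included hidden_field()."""
    guard = CsrfGuard()
    session = "sess-victim"  # constructed session id
    token = guard.issue(session)
    forged = {"oldAppName": "darkstar", "name": "darkstar", "tagline": "DarkStar"}
    genuine = dict(forged, csrf_token=token)
    forged_status, _ = handle_app_profile_post(guard, session, forged, None)
    genuine_status, _ = handle_app_profile_post(guard, session, genuine, SITE_ORIGIN)
    return forged_status, genuine_status


if __name__ == "__main__":
    print(demo())  # (403, 200)
```

The Origin check is a cheap first line, but older browsers did not send the header at all, which is why the handler treats a missing Origin as "unknown" and still insists on the token rather than treating absence as proof of a same-site request.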

nothing in that post man, bug or you edit out? ;)

Needed to replace the < & >'s
because I forgot that these forms accept HTML

gotcha, and of course I'm not going to autosubmit forms through CSRF :P if I'd wanted to, I would have by now (can you say XSS worm) :D in fact, I'm fairly sure I could write up a quick worm for blog posts and one for groups right now.. but this is our portal and I'd prefer not to deface it, maybe I make them as a PoC before the holes are patched? :<

pdp created this social network on Ning.

© 2009 Created by pdp on Ning.