My company's website has a vulnerability

Discuss the many weaknesses of browser security and ways to mitigate the threat

My company's website has a vulnerability

Post by n00bj00b on Sat Jan 05, 2013 12:24 am

When I went to log in to my company's website I mistyped my login information and was redirected to:

Code:
[company].com/loginform.cfm?loginerror=Your login information is not valid.<br/>Please try again.


The loginerror variable is displayed directly on the page and is not checked for special characters, so this alerted me to a possible vulnerability.

I tried
Code:
/loginform.cfm?loginerror=<script>alert("haxxored");</script>


Which, when submitted, displayed an alert box, so I know that the site is vulnerable to an XSS attack. However, since the site is not running PHP, something like loginerror=<?php phpinfo() ?> will not work. I am unfamiliar with ColdFusion, so I am not sure what other exploits, if any, I could make through this vulnerability with ColdFusion being the server-side language.

I ask because I am interested in learning whether it is vulnerable to more than just an XSS attack before I notify the admin.
n00bj00b
New User
Posts: 2
Joined: Sat Jan 05, 2013 12:00 am
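A defensive illustration added here, not code from the thread or from the company site (whose source is never shown): a hypothetical reconstruction of a loginform.cfm that echoes url.loginerror without encoding, followed by two ways of closing the hole in CFML. These are three separate fragments, not one file; encodeForHTML() exists in ColdFusion 10 and later, and the table of error codes is an invented example.

```cfml
<!--- Fragment 1 (hypothetical reconstruction of the vulnerable page):
      the query-string value is written straight into the page body,
      so markup or script in the URL is rendered by the browser. --->
<cfparam name="url.loginerror" default="">
<cfoutput>
  <p class="error">#url.loginerror#</p>
</cfoutput>

<!--- Fragment 2: HTML-encode on output. encodeForHTML() (ColdFusion 10+)
      turns < > " ' & into entities, so a <script> tag in the URL is shown
      as text instead of executed. On older servers HTMLEditFormat()
      performs the same basic escaping. --->
<cfparam name="url.loginerror" default="">
<cfoutput>
  <p class="error">#encodeForHTML(url.loginerror)#</p>
</cfoutput>

<!--- Fragment 3: do not reflect free text at all. The redirect carries only
      a short code (e.g. loginform.cfm?err=badcreds) and the message comes
      from a server-side table; unknown codes print nothing. --->
<cfset messages = {
  "badcreds" = "Your login information is not valid. Please try again.",
  "locked"   = "This account is temporarily locked."
}>
<cfparam name="url.err" default="">
<cfif structKeyExists(messages, url.err)>
  <cfoutput><p class="error">#messages[url.err]#</p></cfoutput>
</cfif>
```

Fragment 3 is the stronger fix because the attacker-controlled string never reaches the page; fragment 2 still applies wherever user input must be displayed.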


Re: My company's website has a vulnerability

Post by fashizzlepop on Sat Jan 05, 2013 6:37 am

I don't see a vulnerability as you have no way of making this persistent. Only YOU can see the XSS.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
fashizzlepop
Developer
Posts: 2303
Joined: Sat May 24, 2008 1:20 pm


Re: My company's website has a vulnerability

Post by WallShadow on Sat Jan 05, 2013 10:41 am

Then perhaps it could be used as a CSRF? Just put your script into that variable and encode it. Make a link somewhere, or send someone a link to this page (possibly to the admin of the site) stating that you got this error and want to know how to fix it. They click on the link, and like that, you have backdoor access to their computer.
WallShadow
Contributor
Posts: 601
Joined: Tue Mar 06, 2012 9:37 pm


Re: My company's website has a vulnerability

Post by weekend hacker on Sat Jan 05, 2013 9:23 pm

Yeah, probably just useful for XSS/CSRF, although that can be totally useful for all kinds of things; it mainly involves tricking people into going to the vuln page (doing useful things with that is an art).
But you did mention ColdFusion, and although I've never played with it, it seems to have its own markup language. Although it'd have to be coded very poorly for a language to interpret itself, you never know if it can do that... if it does, then depending on the flavour of ColdFusion you could have full access to the machine O.O
Code:
<cfexecute name="C:\\winNT\\System32\\netstat.exe" arguments="-e" timeout="4" />

or whatever filepath it may be.. :\
The manual uses this in their example, although they also use outputfile, but that's an optional param and useless for our goals.
<Yoda> if someone says something i don't like, i ban him, ban whoever defends him, and then ban the witnesses...
weekend hacker
Administrator
Posts: 192
Joined: Sun Apr 13, 2008 2:39 pm
Location: 127.0.0.1


Re: My company's website has a vulnerability

Post by n00bj00b on Sun Jan 06, 2013 12:29 am

Yeah, my first thought was that I could link a custom script in and email my boss pretending to be a new employee having trouble logging in, send him a link to the encoded URL, and use that to get his credentials. I only have a basic understanding of CSRF, so that would be something I'd have to look into to be able to implement. Are there any good docs on CSRF that you guys would recommend reading?

I was hoping that by using this I might be able to get access to the server-side language and then it'd be game over, but it doesn't seem like I'm that lucky. I tried variations of the <cfexecute /> command, but it was just output as plaintext, so it doesn't look like the server is able to interpret the variable as code. Thanks for the tip on cfexecute though, I was looking for something like that.

I'll have to dig around on the site some more to see if this vulnerability is on other pages and possibly be able to make the XSS persistent.
n00bj00b
New User
Posts: 2
Joined: Sat Jan 05, 2013 12:00 am


Re: My company's website has a vulnerability

Post by WallShadow on Sun Jan 06, 2013 1:02 am

n00bj00b wrote: Are there any good docs on csrf that you guys would recommend reading?

As far as I know, there are many different ways to use CSRF and there really aren't many good docs on it, as it's not that old of a technique. The most basic idea behind a CSRF is to use someone's or something's trust for something else to execute malicious code.
WallShadow
Contributor
Posts: 601
Joined: Tue Mar 06, 2012 9:37 pm
