orkut-xss.txt

Reported 08 Dec 2006 by Rajesh Sethumadhavan. Source: packetstorm (packetstormsecurity.com)

Orkut Cross Site Scripting Vulnerabilities

Orkut Multiple Cross Site Scripting Vulnerabilities
  
#####################################################################  
XDisclose Advisory : XD100092  
Vulnerability Discovered: November 18th 2006  
Advisory Released : December 08th 2006  
Credit : Rajesh Sethumadhavan  
Class : Cross Site Scripting  
HTML Injection  
Severity : Medium  
Solution Status : Unpatched  
Vendor : Google Inc  
Vendor Website : http://www.orkut.com  
Affected applications : Orkut Services  
Affected Platform : All  
#####################################################################  
  
Overview:  
Orkut is an Internet social network service run by Google and named  
after its creator, Orkut Büyükkökten. It claims to be designed to  
help users meet new friends and maintain existing relationships with  
pictures and messages, and establish new ones by reaching out to  
people you've never met before.  
  
The Orkut service is vulnerable to cross-site scripting and HTML injection, caused by improper validation of user-supplied input.

Description:
A remote attacker can craft a GET request carrying the XSS payload, as demonstrated below. When the victim opens the crafted link, the payload executes, which allows theft of cookies, IP information, referrer information, browser information, clipboard content, operating system information and hardware information, modification of the page or HTML injection, URL redirection, port scanning of the network, and even phishing.
1) Orkut Invite XSS:
The flaw is due to improper sanitization of input passed to the 'continue' parameter of a GET request.
-------------------------------------------------------------------
http://www.orkut.com/Invite.aspx?continue=javascript:alert(document.cookie)
------------------------------------------------------------------
Demonstration:
Note: the demonstration discloses your own personal information.
- Log in to your Orkut account
- Paste the above URL
- Click on the BACK button
- Your Orkut cookies will be displayed
HTML injection is possible in the same way.
Vulnerable Code:
------------------------------------------------------------------
<!-- the value of the 'continue' parameter is reflected unescaped into the onclick handler -->
<td valign="top">
<table class="btn" border="0" cellpadding="0" cellspacing="0" onmouseover="this.className='btnHover'" onmouseout="this.className='btn'">
<tr style="cursor: pointer;" onclick="window.location='javascript:alert(document.cookie)';" id="b0">
<td><img src="http://images3.orkut.com/img/bl.gif" alt="" /></td>
<td nowrap style="background: url(http://images3.orkut.com/img/bm.gif)">back</td>
</tr>
</table>
</td>
------------------------------------------------------------------
2) Orkut Next page XSS:
The flaw is due to improper sanitization of input passed to the 'nid' parameter of a GET request. This vulnerability was already fixed two days earlier.
GET request with XSS payload:
------------------------------------------------------------------
http://www.orkut.com/Scrapbook.aspx?uid=3595989687719502785&pageSize=&na=3&nst=-2&nid=13550271097807907792-%22};%20alert('Xdisclose');%20function%20tt(){//
------------------------------------------------------------------
Vulnerable Code:
------------------------------------------------------------------
// the 'nid' value is inserted into the inline script unescaped: the payload closes the
// string literal and the function body, runs its own statement, then comments out the rest
function changePageSize(value) {
window.location="/Scrapbook.aspx?uid=3595989687719502785&na=1&nst=1&nid=13550271097807907792-"}; alert('Xdisclose');
function tt(){//&pageSize="+value;
}
------------------------------------------------------------------
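Both flaws are triggered by a GET request whose query string carries the payload, so the request line in the web server's access log records every attempt. The following is an added example, not part of the advisory and not Orkut's code: it parses constructed Combined Log Format lines, percent-decodes the query with the standard URL API, and flags a 'continue' value that is not a same-site path or an 'nid' value that is not a plain identifier. The log lines, the client addresses and the allowlist rules are assumptions made for the example.

```javascript
// Added example (not from the advisory): hunting the access log for attempts
// against the two parameters the advisory names. All log lines are constructed.
const SAMPLE_LOG = [
  '10.0.0.7 - - [08/Dec/2006:09:01:12 +0000] "GET /Scrapbook.aspx?uid=3595989687719502785&na=1&nst=1&nid=13550271097807907792-&pageSize=10 HTTP/1.1" 200 8120 "-" "Mozilla/4.0"',
  '10.0.0.8 - - [08/Dec/2006:09:02:44 +0000] "GET /Invite.aspx?continue=/Home.aspx HTTP/1.1" 200 3410 "-" "Mozilla/4.0"',
  '198.51.100.9 - - [08/Dec/2006:09:03:05 +0000] "GET /Invite.aspx?continue=javascript:alert(document.cookie) HTTP/1.1" 200 3410 "-" "Mozilla/4.0"',
  '198.51.100.9 - - [08/Dec/2006:09:03:40 +0000] "GET /Scrapbook.aspx?uid=3595989687719502785&pageSize=&na=3&nst=-2&nid=13550271097807907792-%22};%20alert(\'Xdisclose\');%20function%20tt(){// HTTP/1.1" 200 8120 "-" "Mozilla/4.0"',
  '10.0.0.9 - - [08/Dec/2006:09:05:10 +0000] "GET /Invite.aspx?continue=/Scrapbook.aspx?uid=3595989687719502785 HTTP/1.1" 200 3410 "-" "Mozilla/4.0"',
];

// Per-parameter allowlist rules (assumed from how each parameter is used):
// each returns a reason string when the decoded value is out of spec, else null.
const RULES = {
  // 'continue' is a redirect target: anything but a same-site path ("/..." but
  // not the scheme-relative "//...") is suspect, whatever scheme it names.
  continue: (v) => (/^\/(?!\/)/.test(v) ? null : "redirect target is not a same-site path"),
  // 'nid' is an opaque numeric identifier: digits and dashes only.
  nid: (v) => (/^[0-9-]*$/.test(v) ? null : "identifier contains non-identifier characters"),
};

const REQUEST_LINE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;

// Returns one finding per (line, parameter) that violates its rule.
function scanAccessLog(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const match = REQUEST_LINE.exec(line);
    if (!match) return; // not a request we can parse
    let parsed;
    try {
      // The base host is only needed to parse a path-relative request target.
      parsed = new URL(match[1], "http://www.orkut.com");
    } catch (e) {
      return; // malformed target; skip rather than crash the scan
    }
    for (const [param, check] of Object.entries(RULES)) {
      if (!parsed.searchParams.has(param)) continue;
      const value = parsed.searchParams.get(param); // percent-decoded
      const reason = check(value);
      if (reason) {
        findings.push({
          line: index + 1,
          client: line.split(" ")[0],
          path: parsed.pathname,
          param,
          value,
          reason,
        });
      }
    }
  });
  return findings;
}

// Counts findings per client address, a quick pivot for triage.
function countByClient(findings) {
  const counts = {};
  for (const f of findings) counts[f.client] = (counts[f.client] || 0) + 1;
  return counts;
}

// Stand-alone run: print the findings for the constructed sample.
for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log(`line ${f.line} ${f.client} ${f.path} ${f.param}: ${f.reason}`);
}
```

Because the check runs on the decoded value rather than on the raw request line, percent-encoded variants of the same payload are judged by what the application actually receives, which is also what the advisory's second URL relies on.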
  
Solution:
Orkut can improve its filters by disallowing characters such as " <>/\?&`~!@#$%^*()[]|;:"' " in user-supplied URL input.
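Character blocklists are brittle, because what is dangerous depends on where the value lands: the 'continue' value ends up inside a JavaScript string in an onclick attribute and is then used as a navigation target, while the 'nid' value ends up inside a string literal in an inline script. The following is an added example, not the advisory's or Orkut's code, that shows the hardened form beside the vulnerable one for both flaws: the redirect target is validated as a same-site path (encoding alone cannot stop a well-formed javascript: URL from being navigated to), and identifiers are URL-encoded into the query and emitted through a JavaScript string-literal encoder. The function names, the fallback path and the sample inputs are assumptions.

```javascript
// Added example (not from the advisory): context-aware output encoding for the
// two reflection points the advisory describes. Names are assumptions.

// Encode for HTML text or a double-quoted attribute value.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Encode as a JavaScript string literal. JSON.stringify quotes the value and
// escapes '"', '\' and control characters; '<' and '>' are escaped on top so the
// value can never form "</script>" inside an inline script block.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c").replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

// Flaw 1: 'continue' is a redirect target. Accept only a same-site relative
// path: one leading "/", not "//", and no quotes, backslashes, angle brackets
// or control characters. A value such as "javascript:..." fails the test.
const FALLBACK_PATH = "/Home.aspx"; // assumed safe default
function safeContinuePath(value) {
  if (typeof value !== "string") return FALLBACK_PATH;
  return /^\/(?!\/)[A-Za-z0-9._~!$&'()*+,;=:@%\/?-]*$/.test(value) ? value : FALLBACK_PATH;
}

// Hardened "back" button row: the target is validated, written as a JS string
// literal for the handler, then HTML-encoded for the attribute.
function renderBackButton(continueParam) {
  const handler = "window.location=" + jsStringLiteral(safeContinuePath(continueParam)) + ";";
  return '<tr style="cursor: pointer;" onclick="' + htmlEncode(handler) + '" id="b0">' +
         "<td>back</td></tr>";
}

// Flaw 2 as shipped: nid is concatenated straight into the inline script.
function renderChangePageSizeVulnerable(uid, nid) {
  return "function changePageSize(value) {\n" +
         '  window.location="/Scrapbook.aspx?uid=' + uid + "&na=1&nst=1&nid=" + nid +
         '&pageSize="+value;\n}';
}

// Flaw 2 hardened: identifiers are URL-encoded into the query string and the
// whole URL is emitted as a JS string literal, so no value can end the string,
// close the function body or start a comment.
function renderChangePageSize(uid, nid) {
  const base = "/Scrapbook.aspx?uid=" + encodeURIComponent(uid) +
               "&na=1&nst=1&nid=" + encodeURIComponent(nid) + "&pageSize=";
  return "function changePageSize(value) {\n" +
         "  window.location = " + jsStringLiteral(base) + " + encodeURIComponent(value);\n}";
}

// Runs a rendered script against a stand-in window object and returns the URL
// it navigates to, so the effect of the encoding can be checked offline.
function navigateWith(script, pageSize) {
  const fakeWindow = { location: null };
  new Function("window", script + "\nreturn changePageSize;")(fakeWindow)(pageSize);
  return fakeWindow.location;
}

// Stand-alone run with the advisory's two payloads (constructed call).
const NID_PAYLOAD = "13550271097807907792-\"}; alert('Xdisclose'); function tt(){//";
console.log(renderBackButton("javascript:alert(document.cookie)"));
console.log(renderChangePageSize("3595989687719502785", NID_PAYLOAD));
console.log(navigateWith(renderChangePageSize("3595989687719502785", NID_PAYLOAD), 10));
```

The vulnerable renderer is kept only for comparison; running its output through navigateWith would execute the injected statement at top level, which is exactly the behaviour the advisory reports, so the check below inspects that string instead of evaluating it.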
  
Screenshot:  
http://www.xdisclose.com/Images/xdorkutinvitexss.jpg  
  
Impact:
Successful exploitation allows execution of arbitrary script code in a user's browser session in the context of the affected site, which allows theft of cookies, IP information, referrer information, browser information, clipboard content, operating system information and hardware information, modification of the page or HTML injection (temporary webpage defacement), modification of the page title, hijacking of page flow, URL redirection, port scanning of the victim's network, and even phishing.
Impact of the vulnerability is network level.
  
Original Advisory:  
http://www.xdisclose.com/XD100092.txt  
  
Credits:  
Rajesh Sethumadhavan has been credited with the discovery of this vulnerability.
  
Disclaimer:
This entire document is strictly for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code is to be used on your own Orkut account. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
  
  
  
