XD100098.txt

11 Dec 2006 00:00:00 | Reported by Rajesh Sethumadhavan | Type: packetstorm | Source: packetstormsecurity.com

Orkut XSS Vulnerability on Cross-Site Scripting

Orkut Group Cross Site Scripting Vulnerability
  
#####################################################################  
  
XDisclose Advisory : XD100098  
Vulnerability Discovered: November 08th 2006  
Advisory Released : December 11th 2006  
Credit : Rajesh Sethumadhavan  
  
Class : Cross Site Scripting, HTML Injection
Severity : Medium  
Solution Status : Unpatched  
Vendor : Google Inc  
Vendor Website : http://www.orkut.com  
Affected applications : Orkut Services  
Affected Platform : All  
  
#####################################################################  
  
  
Overview:  
Orkut is an Internet social network service run by Google with more  
than 37 million total members and nearly 1.3 million daily visitors.  
It claims to be designed to help users meet new friends and maintain  
existing relationships with pictures and messages, and establish new  
ones by reaching out to people you've never met before.  
  
The Orkut service is vulnerable to cross-site scripting and HTML injection,
caused by improper validation of user-supplied input.
  
  
Description:  
A remote attacker can craft a GET request carrying the XSS payload, as
demonstrated below. When the victim opens the malicious URL, the payload
executes in the victim's browser, which can result in theft of cookies,
IP information, referrer information, browser information, clipboard
content, operating system and hardware information, page modification or
HTML injection, URL redirection, port scanning of the network, and even
phishing.
  
1) Orkut Invite XSS:
  
The flaw is due to improper sanitization of the input passed to the
'show' parameter of a GET request:
-------------------------------------------------------------------
http://www.orkut.com/Friends.aspx?show=group1);alert(document.cookie
-------------------------------------------------------------------
  
Demonstration:  
Note: the demonstration discloses your own personal information.
  
- Log in to your Orkut account
- Paste the above URL into the browser
- Click the 'delete group' button, then 'ok'
- Your Orkut cookies will be displayed
  
HTML injection is possible in the same way.
  
Vulnerable Code:  
------------------------------------------------------------------  
  
<a href="javascript:handleDeleteGroup('', 1);alert(document.cookie);">
  
------------------------------------------------------------------  
  
  
Solution:  
Orkut can improve its filters by disallowing characters such as
<>/\?&`~!@#$%^*()[]|;:"' in user-supplied URL input.
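As an added example (not Orkut's code and not from the advisory), the rendering below reconstructs the injection: it assumes the server strips the "group" prefix from the 'show' value and interpolates the rest into a javascript: href, which reproduces the vulnerable markup quoted above. The hardened version goes beyond the character blocklist suggested in the Solution: it allowlist-parses the group index and keeps the value out of any script context entirely.

```javascript
// Added example, not Orkut's code. The template below is an assumption that
// reproduces the advisory's vulnerable markup from the advisory's own URL.
const ATTACK_INPUT = "group1);alert(document.cookie"; // 'show' value from the advisory URL

// Vulnerable rendering: untrusted text lands inside a JavaScript statement,
// so ");" closes the call and anything after it becomes a second statement.
function renderDeleteLinkVulnerable(show) {
  const index = show.replace(/^group/, "");
  return `<a href="javascript:handleDeleteGroup('', ${index});">delete group</a>`;
}

// Encode the characters that can break out of a double-quoted HTML attribute.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: the group index must match a strict allowlist pattern
// (rejected, not "cleaned", otherwise), and it is emitted as data, never code.
function renderDeleteLinkSafe(show) {
  const m = /^group(\d{1,6})$/.exec(show);
  if (!m) return null; // e.g. ATTACK_INPUT is refused outright
  const index = Number(m[1]);
  return `<a href="#" class="delete-group" data-group-index="${escapeAttr(index)}">delete group</a>`;
}

// Browser side (hypothetical): one delegated listener replaces per-link
// javascript: URLs, reading the index back from the data attribute.
function attachDeleteHandlers(root) {
  for (const a of root.querySelectorAll("a.delete-group")) {
    a.addEventListener("click", (event) => {
      event.preventDefault();
      handleDeleteGroup("", Number(a.dataset.groupIndex)); // existing page function
    });
  }
}
```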
  
  
Screenshot:  
http://xdisclose/images/xdorkutgroupxss.jpg  
  
  
Impact:  
Successful exploitation allows execution of arbitrary script code in a
user's browser session in the context of the affected site, which can
result in theft of cookies, IP information, referrer information, browser
information, clipboard content, operating system and hardware information,
modification of the page or HTML injection (temporary web page defacement),
modification of the page title, hijacking of page flow, URL redirection,
port scanning of the victim's network, and even phishing.
  
The impact of the vulnerability is at network level.
  
  
Original Advisory:  
http://www.xdisclose.com/XD100098.txt  
  
  
Credits:  
Rajesh Sethumadhavan is credited with the discovery of this
vulnerability.
  
  
Disclaimer:  
This entire document is strictly for educational, testing and
demonstration purposes only. Modifying, using and/or publishing this
information is entirely at your own risk. The exploit code is to be
used on your own Orkut account. I am not liable for any direct or
indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.
  
