Archive for XSS Worm

0day XSS vulnerabilities found - XSS WORM

Many critical XSS vulnerabilities have been discovered today by XSS WORM readers.

www.ratebeer.com

www.rm.com

pam.byu.edu

www.holyrood.tv

www.houston.org

www.timesunion.com

www.ageconcern.org.uk

It is not clear whether these XSS vulnerabilities are being exploited by blackhat hackers or by blackhat SEO operators.

If you have found any new XSS vulnerabilities, please post them here to XSS WORM.

Comments (4)

How XSS Hacking Really Works

In this video tutorial we show you how to carry out basic cross-site scripting attacks against a vBulletin forum. The tutorial covers the basics of cookie stealing, JavaScript injection and forum hacking.

Comments (2)

WordPress 0day: Hacking into computers now easier than previously believed, says Heise Security

“A design flaw in the WordPress blog software authentication process makes it easier than previously believed for attackers to compromise a system. Most content management systems and blogs save user passwords as hashes in the underlying database. So even if attackers were to get access to the hashes stored in the database, for instance by means of an SQL injection hole, they have not been able to do much with them up to now.”

http://en.wikipedia.org/wiki/Password_Cracking

“Specifically, if they want to recover the passwords, they would have to compare a hash with entries in a “rainbow table” – a process that can take some time and may not work at all for long passwords, for which there simply are no tables.”

“But according to a security advisory published by Steven J. Murdoch of the University of Cambridge, a property in WordPress can be exploited to get access without the password. Instead of trying to obtain the password, Murdoch used its hash to generate an authentication cookie to gain access to the system. A member of the core team behind The Onion Router (TOR) anonymization project, Murdoch says that the MD5 hash only has to be hashed a second time with MD5. According to his report, the authentication procedure implemented in WordPress then looks like:

wordpresspass_<MD5(url)>=MD5(user_pass)

Here, the URL is clearly spelled out, and user_pass corresponds to the hash (MD5(password)). Along with the wordpressuser cookie (i.e. wordpressuser_<MD5(url)>=admin), access is then reportedly provided to the WordPress admin account. Murdoch says he has informed the developers of WordPress of the problem, but they have yet to react.”

http://en.wikipedia.org/wiki/HTTP_cookie

Ed Henning


This is a serious unpatched issue for WordPress 2.3. The attacker does not need administrator access first: any hole that exposes the contents of the users table (an SQL injection bug, a leaked database backup) hands over the MD5 password hashes, and instead of cracking them, creating new users or planting a backdoor, the attacker simply hashes the stored value a second time and presents the result as the wordpresspass cookie to log in as that user. The same trick also gives an attacker who has already read the database a quiet way back in after the original hole is closed, for as long as the password hashes stay the same. All users are encouraged to upgrade as soon as a fixed release is available. See more:
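To make the mechanism concrete, here is an added illustration in PHP (7.1 or later) that is not WordPress code and not from Murdoch's advisory. It models the 2.3 cookie check as the advisory describes it, shows the forgery that a leaked user_pass hash allows, and then sketches a keyed-cookie variant that a database leak alone cannot forge. The site URL, user name and password are constructed sample values, and the keyed scheme is my own illustration, not a description of any WordPress release.

```php
<?php
// Added illustration (not WordPress code, not from the advisory): the WordPress 2.3
// cookie check as described above, and why a leaked user_pass hash is enough to log in.

$siteUrl = 'http://blog.example.com';                     // assumed site URL
$usersTable = [                                           // stands in for the users table
    'admin' => ['user_pass' => md5('correct horse')],     // 2.3 stored unsalted MD5(password)
];

// Both 2.3 cookies are scoped by MD5 of the site URL.
function cookie_names(string $siteUrl): array {
    $suffix = md5($siteUrl);
    return ['wordpressuser_' . $suffix, 'wordpresspass_' . $suffix];
}

// Server side, as described: the wordpresspass cookie must equal MD5(user_pass).
function check_cookies_wp23(array $cookies, string $siteUrl, array $usersTable): bool {
    [$userCookie, $passCookie] = cookie_names($siteUrl);
    $login = $cookies[$userCookie] ?? null;
    if ($login === null || !isset($usersTable[$login])) {
        return false;
    }
    $expected = md5($usersTable[$login]['user_pass']);
    return hash_equals($expected, $cookies[$passCookie] ?? '');
}

// Attacker side: with only the hash read out of the database (e.g. via SQL injection),
// no cracking is needed; the cookie value is just MD5 of the stored hash.
function forge_cookies(string $siteUrl, string $login, string $leakedUserPass): array {
    [$userCookie, $passCookie] = cookie_names($siteUrl);
    return [$userCookie => $login, $passCookie => md5($leakedUserPass)];
}

// The attacker never learned the password, only the stored hash.
$forged = forge_cookies($siteUrl, 'admin', $usersTable['admin']['user_pass']);
echo 'forged cookies accepted by 2.3 check: ';
var_dump(check_cookies_wp23($forged, $siteUrl, $usersTable));

// Hardened variant (my own sketch): the cookie carries a keyed HMAC over login, expiry
// and the stored hash. The key lives in server configuration, not in the database, so a
// database leak alone does not let an attacker mint a valid cookie.
function issue_cookie_keyed(string $login, int $expires, string $userPass, string $key): string {
    $tag = hash_hmac('sha256', "$login|$expires|$userPass", $key);
    return "$login|$expires|$tag";
}

function check_cookie_keyed(string $cookie, array $usersTable, int $now, string $key): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !isset($usersTable[$parts[0]]) || (int)$parts[1] < $now) {
        return false;
    }
    [$login, $expires] = $parts;
    $expected = hash_hmac('sha256', "$login|$expires|" . $usersTable[$login]['user_pass'], $key);
    return hash_equals($expected, $parts[2]);
}

$serverKey = random_bytes(32);                            // assumed to live in config, not the DB
$good = issue_cookie_keyed('admin', time() + 3600, $usersTable['admin']['user_pass'], $serverKey);
echo 'legitimately issued keyed cookie: ';
var_dump(check_cookie_keyed($good, $usersTable, time(), $serverKey));

// Attacker knows the hash but has to guess the key, so the tag does not verify.
$bad = issue_cookie_keyed('admin', time() + 3600, $usersTable['admin']['user_pass'], 'guessed-key');
echo 'cookie forged without the server key: ';
var_dump(check_cookie_keyed($bad, $usersTable, time(), $serverKey));
```

The difference between the two checks is what the attacker needs: in the 2.3 scheme the database row is the whole secret, while in the keyed scheme the database row plus the cookie format still leaves the server key unknown, and the expiry field limits how long a cookie stays useful even if it is stolen.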

Sources:

http://heise-security.co.uk/ - Heise Security

http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt

Comments (2)

Security Experts Warn of Web 2.0 Woes : XSS and AJAX Hacking Attacks

While Web 2.0 applications might be all the rage for developers and increasingly important in the enterprise, security experts warn they represent a serious threat — a fact that won’t change until businesses start demanding greater protections.

That was the theme at the New New Internet conference here yesterday, where a panel of security experts told audience members that Web 2.0 application developers lack tools to secure their applications, creating a problem unlikely to be fixed without greater prompting by IT management.

“Beat up on your vendors and your own developers,” said Steve Orrin, director of security solutions for Intel Corp. “Look for and ask for security features in your applications. Until you start asking, they aren’t going to see it as a requirement.”

Much of the issue stems from the fact that underlying technologies being used in new Web applications and Web services were never properly secured to begin with, panelists said.

“We’ve already moved on and started to look at Web 2.0 technology, when Web 1.0 wasn’t secure yet,” Orrin said.

“By networking with code-writing peers and hearing lectures by security experts,” he said, “hackers can gather the truth: information necessary to build safer systems and to push for better security.”


“What we’re seeing is advanced uses of the same sorts of attacks that were used before.” Cross-site scripting, for example, is “much more powerful” when used in a Web 2.0 environment, he suggested. “As powerful a tool as Web 2.0 technology is for developers and users, it’s even more so for attackers.”

That’s especially true of things like phishing attacks, Orrin said.

“It’s become a lot easier to trick users with Web 2.0 — the automation is to the point where the user doesn’t even have to be involved for the attack to occur,” Orrin said.

Hart Rossman, chief security technologist at research and engineering giant Science Applications International Corporation (SAIC), agreed. He pointed to the difficulties that security professionals face in checking some Web 2.0 applications for vulnerabilities. “AJAX is the weapon of choice for sex appeal, but current vulnerability assessment tools have trouble traversing AJAX sites, and it’s harder to find the vulnerabilities,” Rossman said. “You can’t recreate sessions as easily, so if something happens, it’s very difficult to create the forensics to analyze it.”


Rossman added that the rise of the use of widgets and other outside components on sites raises the specter of people using “Web 2.0 on top of Web 2.0″ to mount large cross-network attacks.

Experts such as Rossman are currently focusing their efforts on determining a suitably scary-sounding name for these new and unprotected (and potentially devastating to your e-business) Web 2.0 on top of Web 2.0 attack worms.

“People tend not to trust the mash-up developer... they trust the API provider. There’s very little thought given to the mash-up, or the mash-up on top of the mash-up,” Rossman said.

News Link : http://www.internetnews.com/dev-news/article.php/3708876

Comments

Hacker releases exploits for Wordpress 2.3 with XSS (Cross Site Scripting) Attack

Title of XSS Vulnerability: [waraxe-2007-SA#059] - XSS in WordPress 2.3

Credit of XSS Discovery: Janek Vind “waraxe”
XSS Discovery Date: 27 October 2007
XSS Discovery Location: Tartu, Estonia
Web address for XSS security alert: http://www.waraxe.us/advisory-59.html

Description of XSS Exploit:

WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability, at the expense of security.

To run WordPress your host just needs a couple of things:

PHP version 4.2 or greater
MySQL version 4.0 or greater

Technical XSS Information: Cross-Site Scripting (XSS) in “edit-post-rows.php”

WARAXE writes: Let’s have a look inside “/wp-admin/edit-post-rows.php”:

[start of section of source code with XSS vulnerability in WordPress]

<?php foreach($posts_columns as $column_display_name) { ?>
<th scope="col"><?php echo $column_display_name; ?></th>
<?php } ?>

[end of vulnerable source code section]

As we can see, the array “posts_columns” is uninitialized, and if we execute this PHP script directly, an arbitrary value for that variable can be delivered. This means that a reflected XSS exists here.

And of course register_globals must be on for this “exploit” to be successful.

XSS proof of concept:

http://victim.com/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert(123);</script>

The information above has been provided by the website of WARAXE.US
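As an added example (not waraxe's or WordPress's code), the following PHP reproduces the bug pattern from edit-post-rows.php and the corresponding fix. register_globals is emulated with extract() over a constructed query string, so the script runs from the command line without a web server; the function names and the $loadedByWordPress flag are my own stand-ins for the real include mechanics.

```php
<?php
// Added illustration, not WordPress or waraxe code: the edit-post-rows.php bug pattern
// and its fix. register_globals is emulated with extract() over a constructed request.

// Constructed request, matching the advisory's proof of concept:
//   edit-post-rows.php?posts_columns[]=<script>alert(123);</script>
$query = 'posts_columns[]=<script>alert(123);</script>';
parse_str($query, $get);

// Vulnerable: the file is executed directly, nothing has set $posts_columns, and with
// register_globals=On the request supplies it. Output is echoed without encoding.
function render_vulnerable(array $get): string {
    extract($get);                                   // stand-in for register_globals
    $html = '';
    foreach ($posts_columns as $column_display_name) {
        $html .= '<th scope="col">' . $column_display_name . '</th>';
    }
    return $html;
}

// Hardened: refuse direct execution (the equivalent of a defined('ABSPATH') guard at the
// top of the include), take the columns only from the caller, and encode on output.
// ENT_QUOTES also neutralises the quote characters that matter in attribute contexts.
function render_hardened(bool $loadedByWordPress, array $postsColumns = []): string {
    if (!$loadedByWordPress) {
        return '';                                   // direct request: render nothing
    }
    $html = '';
    foreach ($postsColumns as $column_display_name) {
        $html .= '<th scope="col">'
               . htmlspecialchars((string)$column_display_name, ENT_QUOTES, 'UTF-8')
               . '</th>';
    }
    return $html;
}

echo "direct request, vulnerable: ", render_vulnerable($get), "\n";
echo "direct request, hardened:   ", render_hardened(false), "\n";
// Even a hostile column name supplied by the caller is rendered as text, not markup.
echo "normal include, hardened:   ", render_hardened(true, ['Title', '<script>alert(123);</script>']), "\n";
```

With register_globals off, $posts_columns is simply undefined on a direct request and PHP warns instead of rendering attacker-controlled markup, which is why the advisory lists that setting as a precondition; the hardened version does not rely on the setting at all.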

Comments (2)

Video: Hacking AIM with Cross Site Scripting (XSS) attacks

A cross-site scripting vulnerability has been discovered in the AIM website at http://aim.com, and it is the subject of the following demonstration video.

An attacker can craft a URL on the real aim.com domain so that characters of his choosing are reflected into the page that a victim's browser renders. Because the injected markup and script run in the context of aim.com, the attacker can act against the victim as if from that site; this is what is meant by cross-site scripting.

At the time of this update the AIM XSS vulnerability was still unpatched and exploitable by anyone.

Demonstration: http://www.aim.com/remote/step1.adp?aolp="><h1><a href="//xssworm.com">xss worm</a></h1>

Comments
