Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Audiogalaxy again (Cross Site Scripting Vuln)
From: John Scimone <jscimone () cc gatech edu>
Date: Wed, 28 Nov 2001 16:51:21 -0500

I just took a 2 second look at audiogalaxy for other ways to get this
plaintext cookie and realized that they probably have numerous cross site
scripting problems being such a dynamic site.  Some parsing appears to be
done on user input however this user search script looks partially vulnerable
so you don't have to worry about IE bugs and can grab linux user's names and
passwords also.  I'm sure there are others just by looking at their site
layout but I don't have the time to mess with it.

Ex:
http://www.audiogalaxy.com/user/userSearch.php?SID=34b1859xxxxx0da9ff0cbxxxxx
&userSearch=foo%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C
%22bar&searchOption=exact

Like Michael stated in an earlier bugtraq post users should chose their
passwords wisely and not use the same password for hotmail and mp3 sharing
sites as they do to pay their bills online.

John Scimone
CS Major @ Ga Tech

On Tuesday 27 November 2001 11:04 am, you wrote:
Well I will keep this to the point.
Nudehackers.com is down so forgive me for sending from my mailing list
acct.


Sometime ago I released a statement about Audiogalaxy keeping usernames and
passwords in clear text in a file on the users system.  Well, shortly after
that they fixed it, or so it seemed.  I notified the good people over at
Audiogalaxy about this months ago and I see nothing has changed.
Audiogalaxy has started storing username and passwords in cookie.  A sample
cookie entry looks like this:

cookieUsername
USERNAMEHERE
audiogalaxy.com/
0
367281152
29529638
3457234544
29456211
*
cookiePassword
CLEARTEXTPASSHERE
audiogalaxy.com

  Well the obivous problem is that someone exploiting the recent IE bug and
stealing cookies could get the cookie and thus have the username and
password.  Now before the arguement was that nothing destructive could be
done with this information and my comments didnt all make it to bugtraq.
Well, here is what someone might do.  Steal the username/password, using
audiogalaxy software set an mp3 for download that the attacker has wrapped
with a trjoan, oh say BO2K.  Now, the arguement was that the file would
have a .mp3 extension and thus bo2k would not work, THIS IS WRONG.  Back
orifice does not have to have a .exe entension thus whent he victim ran the
mp3 to enjoy the music they would be infected.

To conclude this should be fixed.

Special "shout outs" to michael over at audiogalaxy. :)

altomo
Nudehackers.com

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

-------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Re: Audiogalaxy again (Cross Site Scripting Vuln) John Scimone (Nov 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]