Home page logo

fulldisclosure logo Full Disclosure mailing list archives

PLAXO: is that a cure or a disease?
From: "http-equiv () excite com" <1 () malware com>
Date: Fri, 12 Mar 2004 17:54:15 -0000

Friday, March 12, 2004

Having a firm belief in unnecessary gadgetry, we recently sent 
our most senior colleague Liu Die Yu a request to update his 
contact information via our plaxo device 
[http://www.plaxo.com/]. Checking back several hours later in 
our plaxo web account we eagerly selected his "card" to see what 
that update might be.


<input type="hidden" name="SetReplied" value="">
<input type="hidden" name="perm" value="1">
<input type="hidden" name="saveChanges" value="1">
<input type="hidden" name="close" value="0">
<input type="hidden" name="Biz.FullName" value="fatcat">
<input type="hidden" name="Biz.Title" value=""><iframe 
<input type="hidden" name="Biz.Email1" 
value="fatcat () bloatedcorp com">
<input type="hidden" name="Biz.Email2"  value="">
<input type="hidden" name="Biz.Email3"  value="">
<input type="hidden" name="Biz.IM"  value="">
<input type="hidden" name="Biz.WebPage"  value="">

He had taken our entire contact list for a joyride supreme.

Trivial arbitrary code injection into the plaxo user web 
account. While it does a good job of attempting to defeat this, 
simple input in the recipient request for update field of  "JOB 
TITLE", gives a real jobbing:

"><iframe src=http://www.bloatedcorp.com>

Needless to say should you receive one of these irritating 
little requests, you'll now know what to do.

End Call


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • PLAXO: is that a cure or a disease? http-equiv () excite com (Mar 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]