Do Comment and I shall comment back. Your contributions are always welcome at emailadimn@gmail.com.
Nepali Security Community Accessible at NepSecure Google Groups

Wednesday, September 19, 2007

CyberSansar website Vulnerable to Cross Site Scripting (XSS) (Moderate hack)

please do not take this posting as an offense against your website. Our motive is to let you know insecurities in your website and also give options to improve them.

Information
CyberSansar is one of the most visited websites in Nepal. Its popularity is due to its content which includes pictures of hot models. I haven't heard of another website with so many pictures of hot Nepali Females and in my guess, this website is a major attraction to a lot of Nepali males :-)

Level of Vulnerability 3/5

Review Of CyberSansar Website
Most of the webpages seem to take no arguments at all and strangely each link points to a specific named php file. All artists had artistname.php or Event informations were in event.php format.

This means the guys at CyberSansar must have a hell of a time managing all those .php files. My guess is that they have a centralized theming system and all pages use that theme.

To execute XSS, i had to find a page taking arguements. The download page was where i found it.
http://www.cybersansar.com/music/videos/music_videos.php and click on any picture takes you to say
http://www.cybersansar.com/music/videos/video.php?id=drabyaz_dherailamo#download

Cross Site Scripting (XSS) in Detail
http://www.cybersansar.com/music/videos/video.php?id=drabyaz_dherailamo#download is interesting url. I can just change the text after ?id= in video.php?id=drabyaz_dherailamo#download to anything else, say xyz
http://www.cybersansar.com/music/videos/video.php?id=xyz
ok this time what you get is a small picture not found image like this

looking at the source what you can see is


that means whatever you type after video.php?id= gets added to the url and so the url is changed, humm good
if you test with characters like (", <,>,/, ...) all bypass any kind of string escaping. Not good at all. Someone forgot to check the security.

A simple ur like
http://www.cybersansar.com/music/videos/download_events_programs.php?id="> <script>alert("hello");</script>
will give you an alert message, humm scripts execute successfully.

To display some another webpage, its pretty simple just include a iframe like this
url starts from here ----------------------
http://www.cybersansar.com/music/videos/download_events_programs.php?id="><iframe src="http://www.google.com" height="400" width="500"><
url ends from here ---------------------
will give you this


Cool huh?? but how do i deface CyberSansar?
Actually you cannot do server damages using XSS, AFAIK

How can this be misused?
There are tons of articles explaining the misuse ofXSS, so please read them.

Some of the misuses i can think of are
  • Inclusion of java scripts from third party websites means a lot of thing. the whole DOM is under control of the javascript, that means, a malformed url can change the look of the website.
  • Since CyberSansar is very popular, anyone can just create a page, add pictures of herself/himself and advertise as a model of cybersansar.
  • the google webpage is just an example, what if someone shows a porn site and tries to defame CyberSansar
  • Include a fake phishing page with a username and password field saying "Insert your hotmail username/password here and we will send your frields a special something", humm interesting.
Lots of other misuses can be done, XSS is dangerous, specially with old versions of IE or vulnerable browsers.

How to remove the XSS vulnerability in CyberSansar??
pretty simple, escape the passed id by using htmlspecialchars() function in php, very simple :-)

$id = htmlspecialchars($_GET['id']);

single line can work wonders. :-)

The admin of http://www.cybersansar.com has been emailed about this.
SO don't be surprised if this didn't work.

XSS Cheat Sheet at http://ha.ckers.org/xss.html
big thanks to them.

6 comments:

Unknown said...

i really liked it.. great information.. it worked...

thanks for the tutorial.. and thank you for making the cybersansar people aware of this problem..

hope to read more of such tutorial..

Prakash said...

cybersansar.com is leaving the most informative resources for php on the wlink server. http://www.cybersansar.com/phpinfo.php, you can see most of the used software on the server is outdated which leads on server hacking. And important thing is that leaving phpinfo() openly is very unsecure.

junkeebro said...

Does anybody knows how to download multiple photoes of cybersansar at once?

junkeebro said...

Does anybody knows how to download all the photoes of cybersansar at one downloading. Have mercy.......

musicbid.co.cc said...

Really surprised to see this Cybensar le नेपाली केटि ko pics halda haldai security banauna sakena cha.

Unknown said...

Cybersansar ni hacked.waa
Hack Facebook vanne yo site cha kaam nai garena.