OSChina XSS 漏洞发现 | OSChina XSS Vulnerability

好吧,最近着迷XSS问题了,国产软件XSS漏洞真多。闲得无聊之中,上OSChina准备发日志,后来发现日志允许插入音乐,而音乐的地址是嵌入在一段JS里面的。想到了没有?XSS可能性啊! 于是这是KnH.C 发现的第二个XSS 0day漏洞了。

It has just been discovered that OSChina.net has a potential XSS exploit hole, users may introduce code not originally inside the website JS. Although users may not add code to their liking, the hole is fairly wide as it allows arbitary but limited length JavaScript injection. Using the DOM model, it is possible to inject HTML code as well. All browsers are affected.

以下是漏洞报告 / Below is a full disclosure of the bug :

Continue reading →

人人网 好友真相 漏洞通告 | Renren App XSS Vulnerability Report


以下存档:今天在许多人的“被动推荐”下,我启动了人人的称作 好友真相的 插件。出于好奇,看了看页面源代码,着实让我胆战心惊。现在发布这个文章来通告一下人人的用户,如果您还在使用这个插件就要小心了哦。

Update: I came into contact with the Renren Development Staff today (31/7 0:30). I’m happy to announce that this leak has been successfully patched. Please do not try it as it will not work anymore. Although, the current patch only implements the fix described in #2, using the AJAX problem, users can still send to non-friends, and arbitarily modify the name section.

Attention all Renren.com users, the KnH Internet Security Club has just found an XSS vulnerability in one popular Renren.com app – 好友真相. If you are reading this blog post and are also using this app, please be careful about potential exploits. A successful exploit will allow a third party to insert ANY CODE (Javascript, Embed Objects…) into the App’s Page. Please be warned.

下面是错误报告的全部信息 / Below is a full disclosure of the bug :
Continue reading →