OSChina XSS Vulnerability Discovery | OSChina XSS Vulnerability

Well, lately I've been obsessed with XSS problems; domestic (Chinese) software really has a lot of XSS holes. Bored, I went to OSChina to post a journal entry and discovered that journal entries allow embedding music, and that the music URL is embedded inside a snippet of JS. See it yet? An XSS possibility! So this is the second XSS 0day vulnerability KnH.C has found.

It has just been discovered that OSChina.net has a potential XSS hole: users can introduce code that was not originally part of the site's JavaScript. Although users cannot add code entirely at will, the hole is fairly wide, as it allows arbitrary (though length-limited) JavaScript injection. Through the DOM it is also possible to inject HTML. All browsers are affected.

Below is the vulnerability report (full disclosure of the bug):


Renren 好友真相 Vulnerability Notice | Renren App XSS Vulnerability Report

Update (2011-07-31 00:30): Today I finally got in touch with Renren staff. Rather surprisingly, "好友真相" is an application developed internally by Renren, not a third-party app. The vulnerability has now been fixed, so please don't try it anymore. However, this method can still send messages to any user; only a screening similar to recommendation #2 has been added. I look forward to this app being improved. KnH Studio's work on this comes to an end here. We also want to thank the lovely Chrome-tan for helping us find this vulnerability so quickly. KnH will keep watching for insecurity on the Internet and building a secure network (not a "harmonious" one)!

Archived below: Today, after many people "passively recommended" it, I launched the Renren plugin called 好友真相. Out of curiosity I looked at the page source, and it genuinely scared me. I'm publishing this article now to notify Renren users: if you are still using this plugin, please be careful.

Update: I got in contact with the Renren development staff today (31/7, 00:30). I'm happy to announce that this leak has been successfully patched. Please do not try it, as it will not work anymore. However, the current patch only implements the fix described in #2; using the AJAX problem, users can still send to non-friends and arbitrarily modify the name section.

Attention all Renren.com users: the KnH Internet Security Club has just found an XSS vulnerability in one popular Renren.com app, 好友真相. If you are reading this blog post and are also using this app, please be careful about potential exploits. A successful exploit allows a third party to insert ANY CODE (JavaScript, embedded objects, ...) into the app's page. Please be warned.

Below is the full vulnerability report (full disclosure of the bug):