HC's Capture the Flag website
25C3-CTF
Advisory #72
From team h4ck!nb3rg
New advisory by: churchy
Affected service(s): ultrashare
Severity [lmh]: low
Here we go:
===== Problem =====
The application ultrashare is vulnerable to XSS attacks. When registering a new user, the parameter "username" is susceptible: it is echoed back into the page unescaped. Entering, for example, a<script>alert('xss')</script> produces the corresponding popup window in the next step.
Much more fun is to enter the following tag which loads a nice image:
b<img src='http://www.online-stickers.com/images/ebay/T-Shirts/Fun-Shirts_new/cordoba2.jpg' />
===== Impact =====
Instead of a message box, an image or script tag whose URL passes "document.cookie" to a foreign service lets an attacker steal the cookies of an "unaware" user and reuse that user's session. As all participants here are more than just security-aware, it is rather hopeless to do that, but it is a vulnerability nevertheless.
===== Fix =====
There are two ways of fixing this: either filter/escape parameters when the data is passed into the application (file: main.rb, before it is written to the db), or when it is used as output to the user (file: msgs.rhtml in the templates). There, just escape the parameter that is printed out:
<%= msg.gsub("<", "&lt;") %>
This is only an example fix: it covers just "<", and a complete fix must also escape the other HTML metacharacters (&, >, ", '), so more input validation must be done, which is left to the other teams :)
Rating
[2] You're right. XSS is a big issue in this service.