MoTB #15: CSRF+XSS vulnerabilities in Slandr
What is Slandr
"Slandr delivers an enhanced mobile site for twitter, with: replies, direct messaging, etc." (Slandr about page)
Twitter effect
Slandr can be used to send tweets, direct messages and follow/unfollow other Twitter users.
Slandr uses username/password authentication in order to access the Twitter API.
Popularity rate
27th place among the most used Twitter clients, according to “TwitStats” - 3 twits
Vulnerabilities:
1) Cross-Site Request Forgery in main update page
Status: Patched.
Details: The Slandr index.php web page did not use an authenticity token to validate that the HTTP POST request originated from the Slandr web application.
This vulnerability could have been used by an attacker to send tweets on behalf of the victims.
2) Reflected POST Cross-Site Scripting in the Search page.
Status: Patched.
Details: The Slandr search page did not HTML-encode the "search" form field before reflecting it, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other Twitter users on behalf of the victims.
Proof-of-Concept: http://tweetmeme.com/search.php?for=%3C/title%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E%3Ctitle%3E
Screenshot:
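Both issues above come down to two missing server-side controls: a per-session authenticity token on state-changing POSTs, and HTML-entity encoding of reflected input. The following is an added illustration written for this post, not Slandr's code; it assumes a PHP 7+ handler with a form field named `csrf_token`, a reflected `for` query parameter as in the proof-of-concept, and a hypothetical `post_to_twitter()` call standing in for the real API request.

```php
<?php
// Added example (not Slandr's code): a hardened handler showing the two
// fixes discussed in this post:
// (1) an anti-CSRF authenticity token bound to the user's session, and
// (2) HTML-entity encoding of any value reflected into the page.
session_start();

// Issue one random token per session; embed it in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept a POST only if it carries the token issued to this session.
function csrf_check(array $post): bool {
    $sent = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the token cannot be
    // recovered byte by byte through timing differences.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Encode untrusted text before it is reflected into HTML. Encoding '<' is what
// stops the "</title><script>..." breakout used in the proof-of-concept.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid authenticity token');
    }
    // post_to_twitter() is a hypothetical placeholder for the API call.
    // post_to_twitter($_POST['status'] ?? '');
}

$term = $_GET['for'] ?? '';
?>
<!DOCTYPE html>
<title>Search: <?= h($term) ?></title>
<form method="post" action="index.php">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <input type="text" name="status">
  <button>Update</button>
</form>
<p>Results for <?= h($term) ?></p>
```

A forged cross-site form cannot read the victim's session token, so its POST fails the `csrf_check()`, and the reflected search term renders as literal text rather than markup.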
Vendor response rate
The vendor has published a blog post about these vulnerabilities.
The vulnerabilities were fixed 2 days after they were reported. Good - 4 twits.
1 Comment:
great :>
another one here
http://m.slandr.net/election.php?status=XSS
see:
http://img27.imageshack.us/img27/9677/59699171.png
btw, the same on search module, and what about this? http://m.slandr.net/election_twitvote.php