20050207_facebook.txt

Posted Feb 22, 2005
Authored by Jonathan Rockway

thefacebook.com is susceptible to a cross site scripting attack.

tags | advisory, xss
SHA-256 | 9a84bd32409cc970109d3557c565d339ae25182a960753cf758fbdce4603a8cb

XSS Vulnerability at thefacebook.com

Not surprisingly, "thefacebook" <http://www.thefacebook.com/> contains an XSS hole. The signup form for paid announcements lets you add a school at which the announcement will be displayed. The script that adds the school accepts the school's name as the "add" argument. Any HTML can be injected here, leading to an XSS exploit. Here's a sample injection:

http://www.thefacebook.com/announce.php?step=1&add=
<script>
var c = document.cookie;
alert("Security hole. ");
document.write("Your cookie is: <b>");
document.write(c);
document.write("</b>.<br><br><h1><font color=red>All of your personal information has been compromised.</b></font></h1></html>");
</script>

(pretty printed for easy analysis; put everything on one line to test this)
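The defect above is a reflected value written into the page without HTML encoding. The following is an added illustration, not code from the advisory or from thefacebook.com: it parses the "add" argument the way a server would receive it, shows the unencoded reflection beside an encoded one, checks the school name against a hypothetical allowlist (which also closes the 'Ill.%20Chicago%20<b>' pricing trick described later), and issues the session cookie with HttpOnly so document.cookie cannot read it. The URL, school table and function names are all constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the advisory's injection: the "add" argument carries markup.
INJECTED_URL = ("http://www.thefacebook.com/announce.php?step=1&add="
                "<script>document.write(document.cookie)</script>")

# Hypothetical allowlist standing in for the site's real school table (name -> ad rate).
KNOWN_SCHOOLS = {"Ill. Chicago": 12}


def school_from_url(url):
    """Return the 'add' query argument, percent-decoded, as the server would see it."""
    return parse_qs(urlsplit(url).query).get("add", [""])[0]


def render_unsafe(school):
    """The pattern the advisory describes: the name is reflected with no encoding."""
    return f"<p>Announcement will be shown at: {school}</p>"


def render_safe(school):
    """Hardened form: HTML-encode the reflected value so tags become inert text."""
    return f"<p>Announcement will be shown at: {html.escape(school, quote=True)}</p>"


def lookup_rate(school):
    """Server-side check: only an exact, known school name is accepted for pricing."""
    if school not in KNOWN_SCHOOLS:
        raise ValueError("unknown school")
    return KNOWN_SCHOOLS[school]


def session_cookie_header(value):
    """HttpOnly keeps the session out of document.cookie even if a script does run."""
    return f"Set-Cookie: session={value}; HttpOnly; Path=/"
```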

This can be used to steal a user's session cookie if you can convince him to click the link. That should be easy since thefacebook.com often sends e-mails saying "click here to join XYZ group". Just make one look convincing and you can conceivably obtain the personal information of anyone at the school that that user attends. Seems like an excellent way to harvest e-mail addresses, cell phone numbers, AIM screennames, etc.

Obviously you would need to modify the above script to do this; the code above prints the user's cookie, displays a dialog that says "Security hole.", and writes "All of your personal information has been compromised." to the screen in a scary red font.

For those just tuning in, the usual way of exploiting XSS holes is to load an image or iframe from a site you control with the output of document.cookie somewhere in the URL. Then you can extract the stolen cookies from your access log. Even more fun is to load a remote Perl script and send the cookie as the argument. Then your script can call curl --cookie "example=cookie" and get a privileged page, parse it, and display key facts back to the user (via an iframe). For example, you could write: "Your personal information has been stolen. Your girlfriend's phone number is 123.456.7890" Perhaps this will teach users not to supply their personal information to an insecure, untrusted site that presumably profits from allowing other people to view this information!

It also seems that this hole can get you a discount on their advertising rates. For example, adding the school named 'Ill.%20Chicago%20<b>' will reduce the ad rate from $12 to $10 (at the time of this writing; the web form looked like it would have let me pay $10 for an ad at "Ill. Chicago").

The latest version of this advisory is available at:
<http://www.uic.edu/~jrockw2/20050207_facebook.txt>