PlayNC XSS proof of concept

pablo24

Frost Gate Guardian

Join Date: Aug 2007

https://secure.plaync.com/cgi-bin/plaync_login.pl

That's kinda stupid: the only serious XSS flaw I found on their site was right on the login page.
Gogo fix it!

Knew this for a while but I figured I'd post because I saw this thread http://www.guildwarsguru.com/forum/s...php?t=10047808.

Btw don't be ashamed plaync... blizzard got the same problem on their e-card site and it still hasn't been fixed even though I reported it like a year ago. =)

Edit: Fixed first link to work for most browsers.

Edit2: Yay it's fixed!

Kashrlyyk

Jungle Guide

Join Date: May 2005

What? What? What?

pablo24

Frost Gate Guardian

Join Date: Aug 2007

Quote:
Originally Posted by Kashrlyyk
What? What? What?
Click the linky

Kashrlyyk

Jungle Guide

Join Date: May 2005

Quote:
Originally Posted by pablo24
Click the linky
Did that, one leads me to this thread and the other to the PlayNC login. So what should I see there?

Aba

Wilds Pathfinder

Join Date: Dec 2006

Vancouver,Canada

Point??? Don't know what's going on.....

pablo24

Frost Gate Guardian

Join Date: Aug 2007

Quote:
Originally Posted by Kashrlyyk
Did that, one leads me to this thread and the other to the PlayNC login. So what should I see there?
I only tested it on firefox, you are probably using IE? Sec lemme fix the link to work for IE too.

Kashrlyyk

Jungle Guide

Join Date: May 2005

Quote:
Originally Posted by pablo24
I only tested it on firefox, you are probably using IE? Sec lemme fix the link to work for IE too.
Opera 9.26

Probably using IE? Should I feel insulted?

pablo24

Frost Gate Guardian

Join Date: Aug 2007

Ok, edited the first link to work for most browsers.

Kusandaa

Forge Runner

Join Date: Jul 2006

N/Mo

The only thing I see that's weird on the first is the series of %20 (spaces) and some other %## I don't remember ATM...

The other link goes right back at this thread.

Can you explain the whole problem though? Is it a security flaw or something?

EDIT: clicked on the link above... wtf... O_o;;...

EDIT2: Using FireFox ATM.

Witchblade

Polar Bear Attendant

Join Date: May 2005

<-- Noob,
What's going on ? ^^

Aba

Wilds Pathfinder

Join Date: Dec 2006

Vancouver,Canada

I'm still wondering myself.
Used Firefox, still clueless.....

Is this what you're pointing to????

Quote:
Existing Customer
WHY?! Why does PlayNC have an XSS flaw right on their login page?

Alexandra-Sweet

Wilds Pathfinder

Join Date: Dec 2006

That one place with the trees, mountains and snow

Ember Power Mercenaries [EMP]

Me/

In short, pablo24 found yet another exploit in PlayNC/Guild Wars that PlayNC/Arena Net can't be arsed to fix.

Rift

Frost Gate Guardian

Join Date: Jul 2007

Canada

Virtual Love [kiSu]

The security flaw is that their script will echo the html/javascript directly into your browser.

With this, a malicious user could steal a session from a user, or, as in the first example, redirect the unsuspecting user to another webpage in the context of the plaync website (phishing).

Why? Because sadly even web developers these days fail to understand the severity of such an attack.
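To make Rift's explanation concrete, here is an added example (not PlayNC's script and not code from this thread): a minimal login-page handler in the style of a CGI script that reflects a "msg" query parameter, shown in its vulnerable form beside the encoded form, plus a check a tester can run to tell the two apart. The parameter name "msg", the URL and the page layout are assumptions.

```python
# Added example, not the site's own code. A login page that echoes a query
# parameter into its HTML (the flaw described above) next to the fixed
# version that HTML-encodes it first. "msg", the form and the URL are made up.
import html
from urllib.parse import urlparse, parse_qs

LOGIN_FORM = '<form method="post" action="/cgi-bin/login"><input name="user"></form>'


def render_login_vulnerable(msg: str) -> str:
    """Reflects the parameter verbatim, so any markup in it is rendered as markup."""
    return f"<html><body><p>{msg}</p>{LOGIN_FORM}</body></html>"


def render_login_hardened(msg: str) -> str:
    """Same page, but the parameter is HTML-encoded before it is placed in the body.
    < > & " ' become entities, so the value can only ever be displayed as text."""
    return f"<html><body><p>{html.escape(msg, quote=True)}</p>{LOGIN_FORM}</body></html>"


def msg_from_url(url: str) -> str:
    """Extracts the percent-decoded msg parameter the way a CGI script would see it."""
    return parse_qs(urlparse(url).query).get("msg", [""])[0]


def reflects_markup(page: str, value: str) -> bool:
    """Detection check: does a value containing markup characters come back
    unencoded in the rendered page? True means the page is reflecting raw HTML."""
    return any(c in value for c in "<>\"'") and value in page


# Constructed request: a harmless canary (the classic alert test), the sort of
# input a scanner sends to find out whether the page reflects markup.
SAMPLE_URL = "https://login.example/cgi-bin/login.pl?msg=%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    msg = msg_from_url(SAMPLE_URL)
    print("vulnerable reflects markup:", reflects_markup(render_login_vulnerable(msg), msg))
    print("hardened reflects markup:  ", reflects_markup(render_login_hardened(msg), msg))
```

Output encoding is the fix for the reflection itself; marking the session cookie HttpOnly is a separate, complementary measure against the session theft Rift mentions.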

Kusandaa

Forge Runner

Join Date: Jul 2006

N/Mo

Quote:
Originally Posted by Rift
The security flaw is that their script will echo the html/javascript directly into your browser.

With this, a malicious user could steal a session from a user, or, as in the first example, redirect the unsuspecting user to another webpage in the context of the plaync website (phishing).

Why? Because sadly even web developers these days fail to understand the severity of such an attack.
Thanks for giving me an explanation I can actually understand

Could that be where the possible hacker got his info from? Regarding the hacked accounts thread thingy... I say it's possible >_>.

Kashrlyyk

Jungle Guide

Join Date: May 2005

Quote:
Originally Posted by pablo24
Way less obfuscated, but this should work for most browsers:
https://secure.plaync.com/cgi-bin/plaync_login.pl
Thanks that worked!

Sleeper Service

Jungle Guide

Join Date: Dec 2005

CULT

the normal site is secured and the fake not.
but yeah someone could use that to steal login and pass....ironic no?

Malice Black

Site Legend

Join Date: Oct 2005

Less geek, more street?

pablo24

Frost Gate Guardian

Join Date: Aug 2007

Quote:
Originally Posted by Sleeper Service
the normal site is secured and the fake not.
but yeah someone could use that to steal login and pass....ironic no?
With some tweaking the modified site would be secure too.

Kusandaa

Forge Runner

Join Date: Jul 2006

N/Mo

Quote:
Originally Posted by Sleeper Service
the normal site is secured and the fake not.
but yeah someone could use that to steal login and pass....ironic no?
Actually if I understood correctly, the REAL site (the https:// one) IS flawed... flawed so much someone can redirect to that object that totally creeped me out (wasn't expecting it at all and my speakers were loud x];;; )

But I could be wrong. I'm no expert.

slowerpoke

Desert Nomad

Join Date: Jul 2007

Cuba

if this is an exploit you should prolly report it to them and not advertise it here

Anarkii

Jungle Guide

Join Date: May 2005

-None-

R/Me

To put it plainly, their site is not secured against cross-site scripting, which has been a pretty basic measure in web development. Look up cross-site scripting in wiki for more details.

pablo24

Frost Gate Guardian

Join Date: Aug 2007

Quote:
Originally Posted by slowerpoke
if this is an exploit you should prolly report it to them and not advertise it here
Trust me I reported much more serious flaws than this and they never got fixed.

Alexandra-Sweet

Wilds Pathfinder

Join Date: Dec 2006

That one place with the trees, mountains and snow

Ember Power Mercenaries [EMP]

Me/

Quote:
Originally Posted by slowerpoke
if this is an exploit you should prolly report it to them and not advertise it here
pablo24 most likely already reported it and PlayNC probably ignored him (like usual) so the only way to force PlayNC to fix this is making the exploit public.

Destiny2097

Frost Gate Guardian

Join Date: Nov 2006

reminds me of the RIAA website a while back

lyra_song

Hell's Protector

Join Date: Oct 2005

R/Mo

*pats No Script*

Rift

Frost Gate Guardian

Join Date: Jul 2007

Canada

Virtual Love [kiSu]

Quote:
Originally Posted by Kusandaa
Could that be where the possible hacker got his info from? Regarding the hacked accounts thread thingy... I say it's possible >_>.
You're welcome ^^, and yes I'd say it's possible, since this technique amongst other things, can be used to steal credentials without the user ever knowing.


PlayNC needs to fix this, but as security conscious users, people should:

- Never blindly follow links from emails, webpages or forums, and
- Whenever credentials are required, get to the webpage on your own (type the url in the browser)

Antheus

Forge Runner

Join Date: Jan 2006

Ouchies....

Quote:
Originally Posted by Rift
PlayNC needs to fix this, but as security conscious users, people should:

- Never blindly follow links from emails, webpages or forums, and
- Whenever credentials are required, get to the webpage on your own (type the url in the browser)
A well constructed spoof will fool even the most cautious users.

Chthon

Grotto Attendant

Join Date: Apr 2007

For those slow on the uptake, the long and short of this is DO NOT follow any links to the PlayNC website. If you must log in to PlayNC, get there by entering the address directly into your address bar.

For those who did get it, since this one would be so easy to move from proof-of-concept to practice, let's not spell out how it works any more than Pablo already has, OK?

Kusandaa

Forge Runner

Join Date: Jul 2006

N/Mo

Dunno if it's related, but let's see.

I checked the links, then I had to reboot due to loss of sound (static electricity discharged on my desk kills my sound card and I have to reboot for it to work). When I booted Windows, SpyBot automatically loaded ("eh look at this, I have a problem ¬¬") and took a couple minutes to search through my files for possible problems. It found 19 total. Of course I ran a check yesterday for similar problems >_>.

Since then, something is trying to modify my registry and caused several CMD applications to open. A couple of .dll files from system32 are missing, and I might have to format my HDD this afternoon if I have too many problems (TBH it wouldn't hurt at all, been running without formatting for nearly 2 years).

I just find it awkward that after I click on those sites... well I'm experiencing problems I've never had before.

pablo24

Frost Gate Guardian

Join Date: Aug 2007

Quote:
Originally Posted by Kusandaa
Dunno if it's related, but let's see.

I checked the links, then I had to reboot due to loss of sound (static electricity discharged on my desk kills my sound card and I have to reboot for it to work). When I booted Windows, SpyBot automatically loaded ("eh look at this, I have a problem ¬¬") and took a couple minutes to search through my files for possible problems. It found 19 total. Of course I ran a check yesterday for similar problems >_>.

Since then, something is trying to modify my registry and caused several CMD applications to open. A couple of .dll files from system32 are missing, and I might have to format my HDD this afternoon if I have too many problems (TBH it wouldn't hurt at all, been running without formatting for nearly 2 years).
Nothing to do with this, look at the link yourself to see what it does.

Ctb

Desert Nomad

Join Date: Apr 2006

W/

Quote:
pablo24 most likely already reported it and PlayNC probably ignored him (like usual) so the only way to force PlayNC to fix this is making the exploit public.
http://www.tigerdirect.com/cgi-bin/S...art=y&msg=This used to accept anything

I found that four years ago. Three years ago they still weren't sanitizing the input even after multiple complaints and a full-fledged proof-of-concept attack on the form that completely replaced their shopping cart with a form that sent data offsite. They finally fixed it within the last year or so.

Unfortunately, there's rarely any way to get directly to the website developers who can fix these sorts of things, and since business majors have no actual competencies, yet are usually the people managing the individuals who DO get the reports, it's pretty much standard procedure for this sort of report to never get into the hands of anybody who knows anything.

Sadly, this sort of incompetence is standard procedure in the business world. Remember that the next time you buy anything online...

slowerpoke

Desert Nomad

Join Date: Jul 2007

Cuba

try Gaile's wiki? She's heading up support and usually follows up on things brought to her attention

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

this is not helping me feel any better.....but good to know its there and that we should be even more cautious about what we do.....ugh.

pablo24

Frost Gate Guardian

Join Date: Aug 2007

Alright, Gaile finally sent me an email, but keep checking all the links that go to the plaync login site!

TheRaven

Desert Nomad

Join Date: Sep 2006

Virginia

Spirit of Elisha

W/

I sent a PM to Regina earlier (back when this thread was 1 page long) and asked her to read this thread since I noticed that she replied in the hacked accounts thread.

She replied quickly and said that she's forwarded the info here onto Gaile and they are looking into fixing it. Hopefully something will get fixed.

Thanks for finding it pablo. I'm glad you're on our side.

Karuro

Lion's Arch Merchant

Join Date: Apr 2008

The Netherlands, Europe

Mystic Spiral [MYST]

W/

That.. Creeped me out o_O
Someone reassure me that there's nothing evil going on on that page?

natural_Causes

Krytan Explorer

Join Date: Mar 2008

Hall of Monuments

N/

Good find Pablo. I never would have thought to look for something like that. This is quite possibly how hackers are stealing people's accounts. It would not be too difficult to do I assume.

pablo24

Frost Gate Guardian

Join Date: Aug 2007

You can check the code in the URL yourself, all it does is show the message asking why they have to put the XSS flaw exactly on the login page and show a frame with the content of http://plaync.justgotowned.com.

Karuro

Lion's Arch Merchant

Join Date: Apr 2008

The Netherlands, Europe

Mystic Spiral [MYST]

W/

I see (triple even!).
Here's to hoping NCsoft pays attention.

Solas

Desert Nomad

Join Date: Oct 2006

Ireland

Currently LF Active HA Guild, Glad 2, Comm.3, R2

E/

gj and nice find pablo

hopefully it'll be sorted out soon