
This diary entry is written by neoeno.

Free Porn, no lie!
Category: (general)
Wednesday, 14 March 2007
08:32:38 PM (GMT)

Oh, and if that doesn't work, you'll have to click here to get the full social
engineering experience ^_^

<a href="http://javascript:alert('hey')" style="white-space: normal;">a

So yah, this is my demonstration of a few insecurities in Kupika. If you're still
reading this, it means you're (probably) not running Internet Explorer 6. Good on
you; only the link will work. You might think "Hey, I'll never click on a bad link",
but it's not that simple: you can be tricked into doing it (free porn, anyone?). All
this code does, however, is add me to your friends (Samy style).

The implications of these security holes are moderate. If you're not using IE6, then
you'll have to click a link for it to work. If you're using IE6, a virus could
potentially spread rather quickly (by implanting the code into the profile of the
victim). Either way, you could be subject to targeted attacks (from someone who wants
you specifically), where someone might change your password or perform any kind of
action. One interesting thing would be to set up a page where (if a link is clicked
or you are using IE6), many kupipoints would transfer to my account. Just a few
ideas of what could happen.

Oh, and to make this clear, I bear no ill intentions, which is why this is
comparatively harmless. Either way, Hina should take a look at the issues I
uncovered, lest someone put them to a more malicious use.
Last edited: 14 March 2007
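The hole demonstrated above is a javascript: URL smuggled into an attribute the site lets users control (an <a href> link, and on IE6 an IMG SRC). The check below is an added example, not Kupika's code and not neoeno's payload: it is what a profile or diary sanitizer should do to the href/src values it emits. The function names (isSafeUrl, sanitizeLinkAndImgUrls) and the sample markup are assumptions made for this illustration. It goes a little beyond the entry by also covering the obfuscations a browser still honours (mixed case, embedded tabs, HTML character references), which is why a literal "javascript:" prefix match is not enough.

```javascript
// Added example (not Kupika's or neoeno's code): allow-list check for the
// URL scheme of user-supplied href / src attributes.
// Assumption: a hypothetical sanitizer calls isSafeUrl() on every <a href>
// and <img src> value before it reaches the page.

const ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
                   tab: "\t", newline: "\n", colon: ":" };

// Decode HTML character references (&#106; &#x6A; &colon; ...). The HTML
// parser decodes these inside attribute values before the URL is resolved,
// so a scheme check must decode them too.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) ? String.fromCodePoint(cp) : m;
    }
    const name = body.toLowerCase();
    return name in ENTITIES ? ENTITIES[name] : m;
  });
}

// URL parsers strip leading/trailing C0 controls and spaces, and remove
// tab/CR/LF anywhere, so "java\tscript:" and " javascript:" still execute.
function canonicalizeUrl(raw) {
  return decodeEntities(String(raw))
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

const ALLOWED_SCHEMES = new Set(["http", "https"]);

// True only for relative URLs or absolute http(s) URLs. Everything else
// (javascript:, vbscript:, data:, ...) is rejected by not being listed.
function isSafeUrl(raw) {
  const url = canonicalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;                       // no scheme: relative link
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// The kind of check that looks right but is bypassed by the tricks above.
function naiveIsSafe(raw) {
  return !String(raw).toLowerCase().startsWith("javascript:");
}

// Apply the check to the two attributes this entry abuses. Unsafe values
// are replaced with "#" rather than dropped so the markup stays well-formed.
function sanitizeLinkAndImgUrls(html) {
  return html.replace(
    /(<(?:a|img)\b[^>]*?\b(?:href|src)\s*=\s*)("([^"]*)"|'([^']*)')/gi,
    (whole, prefix, quoted, dq, sq) => {
      const value = dq !== undefined ? dq : sq;
      return isSafeUrl(value) ? whole : `${prefix}"#"`;
    });
}

// Constructed sample input modelled on the payload in this entry.
const SAMPLE = '<a href="javascript:alert(\'hey\')" style="white-space: normal;">a</a>'
             + '<img src="java&#115;cript:alert(1)" alt="x">'
             + '<a href="http://kupika.com/">ok</a>';

console.log(sanitizeLinkAndImgUrls(SAMPLE));
```

The regex-based rewrite is only there to show the check in context; a real sanitizer should walk a parsed DOM rather than pattern-match raw HTML, since an attribute value containing ">" defeats the pattern. Note that the href as it now renders in this entry, "http://javascript:alert('hey')", passes the allow-list because its scheme is http; prepending "http://" does defuse that one payload, but it is the allow-list, not the prefix, that closes the class of bug.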

hina says :   19 March 2007
Thanks a lot for reporting this!
Your diary entry was published right after I left for vacation, which
explains the delay in fixing the problem. I have just returned from my
vacation =)

I didn't know JavaScript could be embedded in IMG SRC! And about the
HREF... yeah, I missed that one :p

... comments will be continued on your next entry


Copyright © 2005-2012