Ask HN: Is this a XSS? What else can I do? - joakin

Hi,

About 3 weeks ago I was posting something to Posterous and noticed that there was something weird at the top of the page.

Inspecting, playing around and such, I figured it out and inserted JS into the post, doing an alert() when the page loaded.
http://i.imgur.com/pL8W2.png

From what I know, and what I have read, this is an XSS. I'm not completely sure what length of script I could execute, but I think it could be enough to load a script from another page, and then do the malicious stuff.

I contacted Posterous through their Feedback form about 3 or 4 weeks ago, and I haven't received an answer. Since the post still shows the alert and it's not fixed, they may have not read the mail or discarded it...

Can anybody confirm that this is dangerous?
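
The behaviour the post describes is stored XSS: a post body that is interpolated into the page as raw markup. The following is an added example, not code from the post or from Posterous, contrasting a renderer that inserts the body verbatim with one that HTML-escapes it first. The template string and the sample post body are constructed for the demonstration.

```python
import html

# Constructed sample post body: the kind of input the post above describes,
# a post containing script markup rather than plain text.
SAMPLE_POST = 'Hello <script>alert(1)</script> world'

# Hypothetical page template into which a post body is interpolated.
TEMPLATE = '<div class="post-body">{body}</div>'


def render_unsafe(body: str) -> str:
    """Interpolates the post body verbatim: whatever markup the author typed
    becomes part of the page, which is how stored XSS arises."""
    return TEMPLATE.format(body=body)


def render_escaped(body: str) -> str:
    """Escapes <, >, &, and quotes before interpolation, so the browser treats
    the post body as text rather than as markup."""
    return TEMPLATE.format(body=html.escape(body, quote=True))


def contains_active_markup(rendered: str) -> bool:
    """Crude check used here only to compare the two renderers: does the
    rendered output still contain a literal <script tag?"""
    return '<script' in rendered.lower()


if __name__ == '__main__':
    for name, fn in (('unsafe', render_unsafe), ('escaped', render_escaped)):
        out = fn(SAMPLE_POST)
        print(f'{name}: {out}')
        print(f'  active markup present: {contains_active_markup(out)}')
```

The escaped renderer is the fix a site owner would apply at the output layer; escaping on output (rather than trying to strip "bad" input) is what makes the post body inert regardless of what was stored.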
======
nbpoole
I just took a look and there appear to be some risks associated with this
vulnerability.

If you log in to Posterous and check the "Remember me" box, it sets a cookie
scoped to .posterous.com (which means it's within the scope of this XSS). That
cookie does not have the HttpOnly flag set, which means it can be accessed via
JavaScript. I'm not sure whether the auth_token cookie has any protections
against session hijacking (i.e. if it's restricted to the IP that was used to
log in). If it doesn't, you can steal the cookie and log in as a user.

Outside of that, the site appears to use a cookie called
_sharebymail_session_id, which is scoped the same as auth_token but which is
marked HttpOnly, which means it can't be accessed directly via Javascript.

In order to really exploit this vulnerability, you would need to find a way to
send requests to and read responses from posterous.com, the root domain, since
that's where all the functionality is defined.
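
The comment above turns on two cookie attributes: the Domain scope (a cookie set for .posterous.com is sent to every subdomain, so an XSS on any of them is in scope) and the HttpOnly flag (which keeps script from reading the cookie). The following is an added example, not code from the comment or from Posterous, that parses Set-Cookie headers and reports the defensive findings a site operator would want. The two header strings are constructed to mirror the cookies nbpoole describes; the token values are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed Set-Cookie headers modelled on the two cookies described above:
# both scoped to the parent domain, only the second marked HttpOnly.
SAMPLE_HEADERS = [
    "auth_token=PLACEHOLDER_TOKEN; Domain=.posterous.com; Path=/; "
    "Expires=Thu, 01 Jan 2037 00:00:00 GMT",
    "_sharebymail_session_id=PLACEHOLDER_SESSION; Domain=.posterous.com; "
    "Path=/; HttpOnly",
]


@dataclass
class CookieInfo:
    name: str
    domain: Optional[str]   # value of the Domain attribute, None if host-only
    httponly: bool
    secure: bool


def parse_set_cookie(header: str) -> CookieInfo:
    """Minimal Set-Cookie parser: name from the first pair, then the
    attributes this audit cares about (Domain, HttpOnly, Secure)."""
    parts = [p.strip() for p in header.split(';') if p.strip()]
    name = parts[0].split('=', 1)[0]
    domain: Optional[str] = None
    httponly = secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition('=')
        key = key.strip().lower()
        if key == 'domain':
            domain = value.strip()
        elif key == 'httponly':
            httponly = True
        elif key == 'secure':
            secure = True
    return CookieInfo(name, domain, httponly, secure)


def audit_cookie(info: CookieInfo) -> List[str]:
    """Returns human-readable findings for one cookie."""
    findings = []
    if not info.httponly:
        findings.append('missing HttpOnly: readable by script on any page in scope')
    if not info.secure:
        findings.append('missing Secure: sent over plain HTTP as well as HTTPS')
    if info.domain:
        # Any Domain attribute widens the cookie to every subdomain, so a
        # script injection on one subdomain reaches cookies for the whole site.
        findings.append(
            f'Domain={info.domain}: shared with all subdomains, '
            'so an XSS on any subdomain is in scope'
        )
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audits a list of Set-Cookie headers, keyed by cookie name."""
    return {c.name: audit_cookie(c) for c in map(parse_set_cookie, headers)}


if __name__ == '__main__':
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name)
        for f in findings or ['no findings']:
            print(f'  - {f}')
```

Run as a script it prints the findings per cookie; in practice you would feed it the Set-Cookie headers captured from a login response. Note that HttpOnly only blocks direct reads from script: as the comment says, a script running in scope can still issue requests that carry the cookie, so HttpOnly limits the damage rather than eliminating it.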

------
CWIZO
It can be dangerous yes, somebody could exploit this. Not sure who you should
contact at Posterous tho ...

------
yogeshn
Contact rich@posterous-inc.com

