Bitcoin Forum
November 16, 2024, 08:11:00 PM *
Pages: [1] 2 3 »  All
Author Topic: --  (Read 1090 times)
Boris007 (OP)
June 18, 2020, 05:51:18 AM
Last edit: July 10, 2020, 03:28:42 AM by Boris007
Merited by suchmoon (7), LoyceV (6), TryNinja (1), dragonvslinux (1), ChuckBuck (1)
 #1

--

Vod
June 18, 2020, 05:57:37 AM
Merited by Boris007 (1)
 #2

Good on you for exposing this before some hacker took advantage.

OG has been reminding me how I couldn't secure my hobby site, and he makes the same mistake while holding other people's coin.  :/

ChuckBuck
June 18, 2020, 01:18:40 PM
 #3

I am curious to know what OG will do after this thread  Cheesy I am also concerned that if what OP says really exists, has anyone taken advantage of it? Specifically this
A malicious person can inject a shell script and get the personal deposit address of respected accounts, email..etc along with server information. If the website as claimed to operate 1000s of BTC then the vulnerability is intensified.

OG has been reminding me how I couldn't secure my hobby site, and he makes the same mistake while holding other people's coin.  :/
I thought that you and OG weren't really close, there was some conflict between you and him. Are you still talking to each other?  Cheesy

Boris007 (OP)
June 18, 2020, 01:55:19 PM
 #4

I am curious to know what OG will do after this thread  Cheesy I am also concerned that if what OP says really exists, has anyone taken advantage of it? Specifically this
A malicious person can inject a shell script and get the personal deposit address of respected accounts, email..etc along with server information. If the website as claimed to operate 1000s of BTC then the vulnerability is intensified.

Why don't you try it yourself??

1. Go to: https://analyzer.nastyfans.org/?s=1

2. Inside the search, paste:  
Code:
"><script>alert('Boris007 was here')</script>

3. Press submit and see the XSS being executed.
___________________________________________________

You simply cannot go to every search button and paste the script to check whether the pop-up comes or not; you need to dig inside the code to find whether there is any reflected parameter, how the sanitizer for the current website works, etc.

That is why I pasted so many screenshots as I was doing research on the website for the vulnerability bounty, but all in vain.

So far, from what I have tried on bitcointalk, believe me, bitcointalk has some great script protection. I have tried a lot to execute all kinds of XSS but it blocks me. I hope theymos is paying too much to cloudflare.
Bitcointalk has some smart sanitization for every input but just not for merit where 1ds as merit amount will surely let you spend 1 merit but ds1 won't.
On top of all, it is the attitude of a person: theymos has always entertained me for any problem that I have ever reported to him, unlike saying "don't tell me, I don't operate the site".

suchmoon
June 18, 2020, 02:36:24 PM
Merited by Boris007 (1)
 #5

I am also concerned that if what OP says really exists, has anyone taken advantage of it?

It does exist. To take advantage of it the attacker would have to coerce someone to visit the attacker's site and the nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.
Boris007 (OP)
June 18, 2020, 02:42:16 PM
 #6

I am also concerned that if what OP says really exists, has anyone taken advantage of it?

It does exist. To take advantage of it the attacker would have to coerce someone to visit the attacker's site and the nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.

Nastyfans is vulnerable to a CWE-601 open redirect vulnerability too.

To answer your question, they don't have 2FA or even an email confirmation system.

ChuckBuck
June 18, 2020, 03:54:08 PM
 #7

To take advantage of it the attacker would have to coerce someone to visit the attacker's site and the nastyfans site at the same time (in the same browser session) and obviously have JS enabled.
It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right?  Roll Eyes

bob123
June 18, 2020, 05:54:29 PM
Merited by OgNasty (2), Foxpup (2), TryNinja (1)
 #8

Effect:

A malicious person can inject a shell script and get the personal deposit address of respected accounts, email..etc along with server information. If the website as claimed to operate 1000s of BTC then the vulnerability is intensified.

What you have shown is "just" a reflected XSS, not a persistent one.
You would need to send the URL with the injected code as a parameter to a person. That person would need to click on that link and have JS enabled for the script to be executed.

You can't inject a script into the server this way. And you definitely can't steal data from the server with this method.



It does exist. To take advantage of it the attacker would have to coerce someone to visit the attacker's site and the nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.

This still depends on whether and how the same-origin policy is implemented.
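
The reproduction steps in #4 (a search term echoed straight back into the page) and bob123's point in #8 (the injected script runs in the browser of whoever opens the crafted link, not on the server) both come down to one missing output-encoding step. The following is an added example, not code from this thread or from the analyzer site: a minimal Python model of such a search box with the vulnerable rendering beside the hardened one, plus the check a reviewer would run on a response. The attribute context, the host name and all function names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: the payload quoted in post #4 of this thread. It starts
# with "> because it is built to close a value="..." attribute and then open a
# <script> tag; that only works if the search term is reflected unescaped.
PAYLOAD = "\"><script>alert('Boris007 was here')</script>"

# Assumption (not taken from the site): the search page echoes the term back
# into the value attribute of its own search box.
TEMPLATE = '<form><input name="s" value="{s}"></form>'


def make_url(term: str, base: str = "https://search.example/") -> str:
    """Build the ?s=<term> URL shape used in the thread (constructed host)."""
    return base + "?" + urlencode({"s": term})


def search_param(url: str) -> str:
    """Server side: read the s= parameter as the browser will have sent it."""
    return parse_qs(urlsplit(url).query).get("s", [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflects the raw term: the defect. Whatever the link carried runs in
    the browser of whoever opened it (reflected, not stored, XSS)."""
    return TEMPLATE.format(s=term)


def render_hardened(term: str) -> str:
    """Same page, but the term is encoded for the HTML attribute context
    first, so quotes and angle brackets become inert entities."""
    return TEMPLATE.format(s=html.escape(term, quote=True))


def reflects_script(page: str) -> bool:
    """Review check on a rendered response: is a live <script> tag present
    where only user-supplied text should appear?"""
    return "<script" in page.lower()


def audit(url: str) -> dict:
    """Run one request through both renderers and report which one reflects
    executable markup."""
    term = search_param(url)
    return {
        "vulnerable": reflects_script(render_vulnerable(term)),
        "hardened": reflects_script(render_hardened(term)),
    }


if __name__ == "__main__":
    print(audit(make_url(PAYLOAD)))  # {'vulnerable': True, 'hardened': False}
```

The hardened form still echoes the term visibly (the user sees what they searched for); it just cannot change the page's structure, which is the whole difference between the two renderers.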

suchmoon
June 18, 2020, 06:08:06 PM
 #9

It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right?  Roll Eyes

It's all explained in great detail here.

This still depends on whether and how the same-origin policy is implemented.

True. It's not quite as simple as I made it sound.
Vod
June 18, 2020, 10:41:14 PM
 #10

Very sloppy work.   While spending a few minutes, I clicked on his analyzer link, and it nicely analyzed some of the projects he was involved with over the years.

http://www.uberbills.com/

nutildah
June 19, 2020, 02:17:47 PM
 #11

It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right?  Roll Eyes

It's all explained in great detail here.

That's a decent explanation but I prefer this one. You have to listen to at least 40 seconds of it to get its full implication.

Quickseller
June 19, 2020, 05:29:42 PM
 #12

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

NotATether
June 19, 2020, 05:48:21 PM
 #13

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

Do we know who is administrating the nastyfans.org site right now? The NastyFans service is being run by OgNasty but his thread says someone else made that website:

Bitcointalk user nonnakip has started a website for NastyFans where members can trade seats using an auction.

nonnakip has been inactive since last April so I'm not sure whether he's still managing the site today.

Quickseller
June 19, 2020, 05:58:34 PM
 #14

The analyzer site appears to be run by naypalm who was active in the last week.

In any case, I don’t think someone not logging in for a long time is a reason to not make an attempt to disclose the vulnerability, even if they don’t actually receive the message or act on it.

Vod
June 19, 2020, 11:10:26 PM
 #15

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

Do we know who is administrating the nastyfans.org site right now? The NastyFans service is being run by OgNasty but his thread says someone else made that website:

Bitcointalk user nonnakip has started a website for NastyFans where members can trade seats using an auction.

nonnakip has been inactive since last April so I'm not sure whether he's still managing the site today.

I sent a PM to naypalm last night, in case he is not aware of this thread.

hacker1001101001
June 20, 2020, 05:48:21 AM
 #16

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

This question still matters, as it's not a good look or practice to test vulnerabilities on such websites without the owner's knowledge.

OP should have at least notified OgNasty before injecting any scripts.
bob123
June 20, 2020, 08:44:54 AM
 #17

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

According to this:

Why don't you try it yourself??
1. Go to: https://analyzer.nastyfans.org/?s=1
2. Inside the search, paste:   
Code:
"><script>alert('Boris007 was here')</script>
3. Press submit and see the XSS being executed.

I believe he initially posted it here and calls that a "responsible disclosure".

I wonder whether he got the permission to look for vulnerabilities from the server owner/administrator and hoster.



This question still matters, as it's not a good look or practice to test vulnerabilities on such websites without the owner's knowledge.

OP should have at least notified OgNasty before injecting any scripts.

It is not just "not good", but illegal.

Boris007 (OP)
June 20, 2020, 09:16:05 AM
 #18

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

According to this:

Why don't you try it yourself??
1. Go to: https://analyzer.nastyfans.org/?s=1
2. Inside the search, paste:   
Code:
"><script>alert('Boris007 was here')</script>
3. Press submit and see the XSS being executed.

I believe he initially posted it here and calls that a "responsible disclosure".

I wonder whether he got the permission to look for vulnerabilities from the server owner/administrator and hoster.



This question still matters, as it's not a good look or practice to test vulnerabilities on such websites without the owner's knowledge.

OP should have at least notified OgNasty before injecting any scripts.

It is not just "not good", but illegal.
The requested person was informed before disclosing it here.

Vod
June 20, 2020, 09:51:01 AM
 #19

OP should have at least notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

OP could have done damage if he wanted - or sold the info.  He did the moral thing, and there is nothing illegal about it.


bob123
June 20, 2020, 11:46:01 AM
Merited by OgNasty (2)
 #20

The requested person was informed before disclosing it here.

That's not responsible disclosure.

How much time did you give him to fix any vulnerabilities before publicly disclosing them?



OP should have at least notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

OP could have done damage if he wanted - or sold the info.  He did the moral thing, and there is nothing illegal about it.

Without the approval of the owner of the site and the hoster, it definitely is illegal. Depending on the country, maybe "just" a gray area.
You can't just start doing pentests on any website/service you encounter.
