
XSS Vulnerability in weather.CNN.com


The hacker known as Zer0Pwn, from Zer0Lulz, has come up with another vulnerability in the CNN website. Today, he found a Cross Site Scripting (XSS) vulnerability in the weather.cnn.com website.

The map.jsp page on weather.cnn.com allows an attacker to run his own JavaScript code. An attacker can use this vulnerability for cookie hijacking or phishing attacks.

Poc:
weather.cnn.com/weather/maps.jsp?region=na&mapview=sat%22%3E%3C/Zer0Lulz%3E%27-/%22/-%3Cimg%20src=%22LULZ%22%20%22%3E%3Cbody%20onmouseover=alert(%22XSS%22);%3E
Yesterday, the hacker found a Remote File Inclusion (RFI) vulnerability in the CNN website.



Remote File Inclusion(RFI) vulnerability in CNN.com

The hacker known as Zer0Pwn, from Zer0Lulz, claimed that they discovered a Remote File Inclusion (RFI) vulnerability in the CNN website, one of the famous online global news providers.


The hacker provided a link to prove the RFI vulnerability in CNN.com. He managed to inject his own image into the CNN website. The hacker claimed it is possible to inject PHP or any other file. If so, the hacker could inject a PHP shell and deface the site. (Reference: Remote File Inclusion).


60 High Profile sites vulnerable to XSS ~Zer0Freak(Team Intra):Op#Zer0XSS

A hacker from Intra, -Zer0Freak-, has found countless XSS vulnerabilities on high profile websites, i.e. companies, news, products, famous sites and many more.

-Zer0Freak- didn't take much time finding them; he is said to have found these vulnerabilities in less than 30 minutes. However, he admitted that he took a while trying to figure out which site to XSS.

Cross Site Scripting (XSS) is a very harmful method of attacking websites; in fact, it is the 2nd most malicious kind of attack against websites.

High profile sites including EA Games, NASA, ABC, LG, Adidas, Harvard University and more were found to be vulnerable to XSS attacks. The hacker's list of vulnerable sites, with screenshots, is on pastebin:
http://pastebin.com/Np3LGY6Z

The hacker claimed that he carried out this operation for educational XSS, with the malicious activity used for training. Some of the sites are patched, but most are still vulnerable.

The hacker published the full disclosure on the pasteit website with password protection and claimed that only members who are willing to learn XSS can have it.

The full disclosure can be found here:
http://pasteit.com/16958

Zer0Lulz & TeamHav0k discovered XSS vulnerability in Top 10 Universities: #OPBig10

The well-known grey hat hacker groups Zer0Lulz and TeamHav0k joined forces and launched an operation called "#OP Big10". Big10P was an operation to make colleges and universities aware that even the best colleges in the world are still insecure.

As part of the operation, they identified Cross Site Scripting (XSS) vulnerabilities in ten popular university websites. Northwestern University, Purdue University, University of Illinois, University of Michigan, Penn State, University of Minnesota, University of Wisconsin, Ohio State, University of Iowa and Indiana University are vulnerable to XSS attacks.

The hackers listed some of the university websites as high risk; those sites can be used to steal cookies from users. They also provided a proof of concept (PoC) in their pastebin release.

Cross Site Scripting vulnerability found in MIT by Zer0Lulz


Pi, a member of the well-known hacker group Zer0Lulz, has found an XSS vulnerability in the official MIT college site. It is currently unpatched. XSS, also known as Cross Site Scripting, is an attack in which a person can get their own script code executed on a website's pages. Because this one is non-persistent, an attacker would have to social engineer another person into visiting the link.

For example,
User 1: Hey bro, check out this site; http://www.google.com/somethinghere.php?id=

User 2 would then click the link, and his cookie, or whatever information the attacker wrote the script to collect, would be sent to the attacker. This is called cookie hijacking. For being such a big college, MIT should really step up their security. It is incredible how little security websites have these days.
Security is merely an illusion.

Poc:
http://events.mit.edu/searchresults.html?fulltext=%22--%3E%3Cscript%3Ealert%28%27Pi[Zer0Lulz]%27%29%3C%2Fscript%3E&andor=and&start.month=01&start.day=25&start.year=2012&end.month=02&end.day=25&end.year=2012
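
Both reflected XSS PoCs on this page (the weather.cnn.com `mapview` parameter and the MIT `fulltext` parameter above) work because request data reaches the HTML without output encoding. The following is an added example, not code from the original posts or from either site: it renders the two PoC values with and without attribute-context encoding and parses the result to show which tags appear. The `TEMPLATE` markup and all function names are assumptions, since the posts do not show the real pages' source.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Query strings copied from the two PoC links on this page.
CNN_QUERY = ("region=na&mapview=sat%22%3E%3C/Zer0Lulz%3E%27-/%22/-%3Cimg%20src="
             "%22LULZ%22%20%22%3E%3Cbody%20onmouseover=alert(%22XSS%22);%3E")
MIT_QUERY = ("fulltext=%22--%3E%3Cscript%3Ealert%28%27Pi[Zer0Lulz]%27%29"
             "%3C%2Fscript%3E&andor=and")
# Assumed template: the posts do not show the real pages' markup.
TEMPLATE = '<input type="hidden" name="{name}" value="{value}">'

class TagLog(HTMLParser):
    """Record the start tags and inline event handlers the parser sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.values = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for key, val in attrs:
            if key.startswith("on"):
                self.handlers.append(key)
            if tag == "input" and key == "value":
                self.values.append(val)

def param(query, name):
    """Return the URL-decoded value of one query parameter."""
    return parse_qs(query)[name][0]

def render_unsafe(name, value):
    # Vulnerable pattern: request data concatenated straight into markup.
    return TEMPLATE.format(name=name, value=value)

def render_safe(name, value):
    # Fix: encode for the HTML attribute context before output.
    return TEMPLATE.format(name=name, value=html.escape(value, quote=True))

def parse_tags(markup):
    log = TagLog()
    log.feed(markup)
    log.close()
    return log

if __name__ == "__main__":
    for query, name in ((CNN_QUERY, "mapview"), (MIT_QUERY, "fulltext")):
        value = param(query, name)
        raw, enc = parse_tags(render_unsafe(name, value)), parse_tags(render_safe(name, value))
        print(name, "| unescaped:", raw.tags, raw.handlers, "| escaped:", enc.tags)
```

With encoding applied, the parser sees a single `input` element whose value is the full submitted string, so the input is stored and displayed as data instead of being interpreted as markup.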

7800 Emails compromised by Zer0Lulz

The hacker group "Zer0Lulz" has dumped a database containing over 7800 emails and passwords. They published a preview of the dump on pastebin, and the full dump is uploaded to 4shared.com. The dump contains user email IDs and encrypted passwords.


They obtained this database by attacking the www.dvdfuture.com site with a SQL injection attack.

Pastebin Leak:
http://pastebin.com/MFrYSxuf