FlashGames.it Critical Vulnerability

Flashgames.it is the best Italian free online games website: it hosts thousands of games and has something like a million registered users. Every day 180,000 people visit the site, unaware that it could be used as an attack vector to steal their credentials.

The bug is located in the avatar setting. It could have been an LFI bug, but the owner put some filters in place to prevent that; nonetheless the function is still vulnerable to a stored XSS attack, because the image path is saved in the database. This allows a malicious user to manipulate the function, bypass the filter and inject a payload. In this way every user who views the attacker's profile is exposed.

If we check the page source we can see the following code:

<a href="setta_avatar.php?imposta=02_5_11.gif">
<img style="margin: 5px;" alt="Setta questo avatar per il tuo profilo"
src="../multiplayer/avatar/02_5_11.gif" border="0px"></a>

This link sends the image path in the "imposta" parameter; the value is then filtered and saved in the database. Unfortunately the filter is not built the way it should be, so the attacker can inject code that steals the victim's login session with just a bit of JavaScript.

Payload:

http://www.flashgames.it/account/setta_avatar.php?imposta="<a onmouseover=alert(/XSS/) !

In the example above I've just used a JavaScript snippet that pops up a message box (attackers often have many resources, such as Shell of the Future and BeEF, to maximize the impact of their actions).

If you navigate to the site and, after logging in, return to the homepage, it should appear like this:

As you can see in the red rectangle, the high-score table shows the players' avatars, so we can presume that if our imaginary attacker could climb the high-score table and position himself among the first 10 players, he could obtain all the users' data.
