Update: This bug is fixed now. Details are here. I am closing comments to avoid unnecessary comments.
A bug in orkut let you add custom images to Orkut’s status update feature as shown below…
As you can see, the OrkutFeeds logo in the screenshot above is not one of the standard smileys that Orkut users can add to their status update messages.
Here are the steps to reproduce this bug…
- Go to your Orkut profile and find the status update field. Click on the edit button…
- Next, put the code shown below in it and click update.
<img src="http://img4.orkut.com/img/smiley/../../images/medium/607105044/71300207/pt.jpg">
The tag above adds the OrkutFeeds logo. To add an image of your choice, it must meet two conditions…
- It must be hosted on Orkut.
- It must be on one of Orkut's image servers, e.g. img4.orkut.com or img3.orkut.com.
Now here is the simplest way to put an image on Orkut's image server: upload any image as your profile display picture or as a community picture and it will land on the image server we are interested in. (Note: uploading to a community is recommended.)
Once you find the image you are looking for, say on an Orkut community, get its URL. Firefox users can simply right-click on the image and select Copy Image Location from the context menu. [Note: this will not work on profile pictures.]
Once you have a URL whose host name looks like img4.orkut.com, copy the entire path from the first slash (/) onwards.
Ex.
For URL:
http://img2.orkut.com/images/mittel/1203938171/19587001.jpg
Copy only:
images/mittel/1203938171/19587001.jpg
Now paste the copied part between:
<img src="http://img4.orkut.com/img/smiley/../../ and ">
So the final code will be:
<img src="http://img4.orkut.com/img/smiley/../../images/mittel/1203938171/19587001.jpg">
You can put any text before or after the final code. Those who know HTML will recognize this as an img tag.
Copying a profile picture's URL requires opening the page's HTML source or using the Backgroundimage Saver add-on (Firefox only).
Technical Details…
Some of you will have noticed the strange /../.. in the URL. This is a standard technique known as a directory traversal attack: the goal is to make an application access a file that was not intended to be accessible. Here the status update filter evidently only checks that the image source begins with Orkut's smiley directory, and the two .. segments step back out of that directory to any other path on the same image server. More details about this technique are here.
Although this directory traversal is not a severe issue on its own, its presence may catch the eye of the hacker community, and as has happened before, it may lead to a new XSS hole on Orkut. Strangely, in my analysis I found that many more HTML tags are allowed in the status update field than is desirable from a security point of view!
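As an added illustration (not code from the original post or from Orkut), here is a Python sketch of the kind of source-URL check that the /../.. trick walks past, next to a hardened version that normalizes the path before testing the allowlisted smiley directory. The allowlist prefix is an assumption drawn from the post, and the sample URLs are constructed from the ones the post quotes.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Assumption taken from the post: the status-update filter accepted only image
# sources under Orkut's smiley directory, so this prefix stands in for its allowlist.
SMILEY_PREFIX = "http://img4.orkut.com/img/smiley/"


def naive_allows(src: str) -> bool:
    """A plain string-prefix test: the check the '/../..' trick walks past."""
    return src.startswith(SMILEY_PREFIX)


def hardened_allows(src: str) -> bool:
    """Compare scheme and host exactly, then normalize the path before the prefix test."""
    wanted = urlsplit(SMILEY_PREFIX)
    got = urlsplit(src)
    if (got.scheme, got.netloc) != (wanted.scheme, wanted.netloc):
        return False
    # Decode percent-encoding first, then collapse '.' and '..' segments, so that
    # /img/smiley/../../images/x.jpg is judged as /images/x.jpg. normpath also
    # drops a trailing slash, so the bare directory itself fails the prefix test.
    path = posixpath.normpath(unquote(got.path))
    return path.startswith(wanted.path)


# Constructed samples: the post's working payload, a sibling host, and a
# hypothetical legitimate smiley file name.
SAMPLES = [
    "http://img4.orkut.com/img/smiley/../../images/medium/607105044/71300207/pt.jpg",
    "http://img2.orkut.com/img/smiley/smile.gif",
    "http://img4.orkut.com/img/smiley/smile.gif",
]


def audit(samples=SAMPLES):
    """Return {src: (naive_verdict, hardened_verdict)} for each sample source."""
    return {s: (naive_allows(s), hardened_allows(s)) for s in samples}


if __name__ == "__main__":
    for src, (naive, hard) in audit().items():
        print(f"naive={naive!s:5} hardened={hard!s:5} {src}")
```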
(Credit: The bug was discovered by Pranav Pareek)
15 Comments
Man, it isn't working with me.
Please help man!!
I failed too. I used my profile image and failed, and when I used an image from an album, the URL got truncated. I did not try with a community image. Let me see when I am free….
It's working, Rahul..
You are cooooool
As far as I tested, it works only with a short image path, like your community or profile DP. It does not work with album pics..! Correct me if I am wrong..
I too had noticed the change, as one of my friends had his status update shown in green.
@zorro & Pavan
Buddy, you can't use any image apart from Orkut community and profile display pics.
By the way, if you have a problem creating your own code, just give us a link to the image on Orkut you want to use and I will send you ready-made code. 🙂
@nrj & Aditya
Orkut images from albums are hosted on the images.orkut.com server.
Only images hosted on the img1/img2/img3/img4.orkut.com servers can be used.
By the way, thumbnails of Orkut albums are hosted on the servers of our interest. 🙂
@Gaurav
I guess the font tag is also working then…
God save Orkut from another XSS attack!
I have tested it for many things; it works for font, href and img tags. And yeah, it will work for any image that is stored on an Orkut server. In fact, this was being used by Orkut engineers from the time this feature was launched. I just saw it in one of my buddy's profiles, who happens to work with the Orkut team. 🙂
🙁 I am unable to do this..
The HTML tag I've made is
and this image is from this community
http://www.orkut.co.in/Community.aspx?cmm=4300789
@Aditya
Nice findings buddy… 🙂
@Deepak
Can we try with any other image??
Thanks a lot Aditya for the useful info…
I'm gonna try it out...
Thanks dude.
Please help me
http://www.orkut.co.in/Community.aspx?cmm=47457297&refresh=1
I am not able to do this, please help me
@Akshay
Sent you the code. Just check your Gmail account.. 🙂