Update: This bug has now been fixed. Details are here. I am closing comments to avoid unnecessary discussion.
A bug in orkut let you add custom images to orkut’s status update feature, as shown below…
As you can see, the OrkutFeeds logo in the screenshot above is not one of the standard smileys that orkut users can add to their status update messages.
Here are the steps to reproduce this bug…
- Go to your orkut profile and find the status update field. Click the edit button…
- Next, put the code shown below in the field and click update.
The code above will add the OrkutFeeds logo. To add an image of your choice instead, the image must meet two conditions…
- It must be hosted on orkut.
- It must be served from one of orkut’s image servers, e.g. img4.orkut.com or img3.orkut.com.
The simplest way to get an image onto one of orkut’s image servers is to upload it as your profile display picture or as a community picture; it will then be served from the image server we are interested in. (Note: uploading to a community is recommended.)
Once you have found the image you want, say on an orkut community, get its URL. Firefox users can simply right-click the image and choose Copy Image Location from the context menu. [Note: this does not work on profile pictures.]
Now that you have a URL whose host name looks like img4.orkut.com, copy the entire path from the first slash (/) onwards.
Now paste the copied part in between these two fragments:
<img src="http://img4.orkut.com/img/smiley/../../ and ">
So the final code will be:
You can put anything before and after the final code. Those who know HTML will easily recognise it as an img tag.
Some of you will have noticed the strange /../.. in the URL. This is a standard attack technique known as directory traversal (or path traversal). The goal of the attack is to make an application access a file that was never intended to be accessible: the status update filter evidently accepts any URL that begins with the smiley directory on the image server, but the server resolves each ../ by stepping up one directory, so the request actually fetches a file from outside that directory. More details about this technique are here.
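To make the mechanism concrete, here is a small added example (written for this post, not orkut’s own filter code) contrasting a prefix-only allow-list check with one that normalises the path the way the image server will before deciding. The host names and the /img/smiley/ directory are taken from the post; every URL, file name and path in the sample inputs is constructed for the example.

```python
"""Added example: why a prefix-only allow-list is defeated by '..' segments.

Illustrative code written for this post, not orkut's filter. The allowed
hosts and the smiley directory come from the post; all sample URLs/paths
below are constructed for the example.
"""
import posixpath
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"img3.orkut.com", "img4.orkut.com"}  # image servers named in the post
SMILEY_DIR = "/img/smiley/"                           # the directory the filter means to allow


def naive_allows(url: str) -> bool:
    """Prefix-only check: the behaviour a filter must have to accept the traversal URL.

    It looks at how the URL is spelled, not at what the server will serve.
    """
    return any(url.startswith(f"http://{host}{SMILEY_DIR}") for host in ALLOWED_HOSTS)


def server_resolves_to(url: str) -> str:
    """Simulate what a web server does with the path before opening a file:
    percent-decode it, then collapse '.' and '..' segments."""
    path = unquote(urlsplit(url).path)
    return posixpath.normpath(path)


def hardened_allows(url: str) -> bool:
    """Decide on the path the server will actually use, not on the raw string."""
    parts = urlsplit(url)
    # parts.hostname is lower-cased and has any user@ prefix stripped
    if parts.scheme != "http" or parts.hostname not in ALLOWED_HOSTS:
        return False
    resolved = server_resolves_to(url)
    # normpath drops a trailing slash, so the bare directory is rejected too
    # (it is not an image file, so nothing legitimate is lost)
    return resolved.startswith(SMILEY_DIR)


# Constructed sample inputs (not real orkut paths).
BENIGN = "http://img4.orkut.com/img/smiley/happy.gif"
TRAVERSAL = "http://img4.orkut.com/img/smiley/../../Main/example/photo.jpg"
ENCODED = "http://img4.orkut.com/img/smiley/%2e%2e/%2e%2e/Main/example/photo.jpg"

if __name__ == "__main__":
    for url in (BENIGN, TRAVERSAL, ENCODED):
        print(url)
        print(f"  naive={naive_allows(url)}  hardened={hardened_allows(url)}"
              f"  server path={server_resolves_to(url)}")
```

The naive check passes all three URLs because each one literally starts with the smiley directory, while the server would serve /Main/example/photo.jpg for the second and third. The hardened check percent-decodes and normalises first, so the two traversal URLs are rejected and only the genuine smiley survives; checking parts.hostname rather than the raw string also closes the user@host trick.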
Now, although directory traversal is not so severe a thing on its own, its presence may catch the eye of the hacker community. As in the past, this may lead to a new XSS hole on orkut. Strangely, in my analysis I have found that many more HTML tags are allowed in the status update field than is desirable from a security point of view!
(Credit: This bug was discovered by Pranav Pareek.)