This post was imported from my really really old blog that used to be hosted on write.tjhorner.com, so some formatting might be broken.
Back to school. It sucks. But hey, I get to see how many security vulns there are in the school’s stuff. Not that I’m saying it’s a good idea to do that. Don’t.
I was on my district’s “cloud”; it’s really just some software made by Stoneware. It’s really bad. Just saying. ANYWAY, I don’t like their wallpaper selection:
So, naturally, I go and see how it sends the “change wallpaper” request.
I go into DevTools, and it looks like this:
So it’s setting a property called UniversalProfileBackground to an absolute URL of the background. Simple enough, change the URL to something else!
Copied the request as cURL, changed that param to this image. Let’s see what happened!
What?! That’s not the image I wanted, but something definitely changed… let’s see the settings.
So it changed the parameter, awesome. But why isn’t it actually my wallpaper? Let’s see if it does some validation.
Huh, would you look at that, it does. Maybe I could override the path parameter by appending &path=/images/wallpapers/thumbnails/lenovo_Gradients_Black.gif to that? Imgur doesn’t really care about the filetype, so no worrying about that.
Alright, let’s refresh.
Lo and behold, it worked! Wow. That’s really insecure. Nothing too harmful, but someone could theoretically XSS with this.
And yes, I know I could’ve just written a userstyle to do this, but this is more fun. Plus, this will update everywhere!
Tested, yeah, XSS is definitely possible. It’s also really convenient since the URL is actually inside of a script lol. So I just appended ";alert("ohai")"yo to fit in with the script. Got an alert that said ohai.
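For the defender's side of this, here is an added example (my own Python, not Stoneware's code) of a server-side handler that closes both gaps described above: it decides on the parsed UniversalProfileBackground URL itself against an allowlist, ignoring any separate path field that arrives alongside it, and it writes the URL into the page's inline script as a JSON string literal so a value like the one above stays a string instead of becoming code. The host cloud.example.edu, the setBackground() call and the form bodies are assumptions; the wallpaper path is the one from the post.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist for the wallpaper endpoint (constructed, not the real config).
ALLOWED_HOST = "cloud.example.edu"
ALLOWED_PREFIX = "/images/wallpapers/"
ALLOWED_SUFFIXES = (".gif", ".jpg", ".png")


def validate_wallpaper_url(url: str) -> bool:
    """Accept only an absolute URL to a file under the app's own wallpaper directory.

    The decision is made on the parsed URL, never on a companion 'path' field,
    so appending &path=... to the request cannot steer the outcome.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.hostname != ALLOWED_HOST:
        return False
    # A wallpaper path needs no query or fragment; refuse them outright so a
    # trailing '?...&path=...' or '#...' cannot smuggle anything past the check.
    if parts.query or parts.fragment:
        return False
    if not parts.path.startswith(ALLOWED_PREFIX) or ".." in parts.path:
        return False
    return parts.path.lower().endswith(ALLOWED_SUFFIXES)


def script_literal(value: str) -> str:
    """Render a string as a JS literal that is safe inside a <script> block.

    json.dumps escapes quotes, backslashes and (with ensure_ascii) U+2028/2029;
    '</' is escaped too so the literal can never close the script tag early.
    """
    return json.dumps(value).replace("</", "<\\/")


def render_background_script(url: str) -> str:
    """Emit the inline script the page ships, with the URL as data, not code."""
    return "<script>setBackground(" + script_literal(url) + ");</script>"


def handle_change_wallpaper(form_body: str) -> tuple:
    """Process a 'change wallpaper' form body; returns (accepted, script_html)."""
    fields = parse_qs(form_body, keep_blank_values=True)
    url = fields.get("UniversalProfileBackground", [""])[0]
    # Any extra 'path' field is deliberately ignored: the URL alone is authoritative.
    if not validate_wallpaper_url(url):
        return False, ""
    return True, render_background_script(url)
```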