Full Disclosure mailing list archives
XSS at Citibank.co.uk
From: Andrew Smtih <andrew.rse () gmail com>
Date: Sat, 13 Aug 2005 15:38:40 +0100
Hi Full-Disclosure,

I'm here to report an XSS vulnerability in one of Citibank's websites. I actually found this at a login screen, but it's on an obscure subdomain so I don't believe that much cookie stealing can be done from it. Phishing, however, oh good lord yes. The phishing possibilities for this XSS vulnerability are immense (did I mention the site was SSL'd?).

Anyway, I informed Citibank through e-mail (no response), posted it on my blog (no response, no fix..) and now I'll post it here. I've had luck on FD in contacting BankOfAmerica employees in the past, so maybe there are a few Citibank admins listening? Let's hope so.

Here's the URL:

https://cukehb4.cd.citibank.co.uk/CappWebApp/capp/action/lang.do?languagecode=1&countrycode=<HTML GOES HERE>&servicecode=signon&TS=1119807930296

And here's an outline (+screenshot) for if/when they fix it:

http://wheresthebeef.co.uk/show.php/xss/citibank.co.uk.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- XSS at Citibank.co.uk Andrew Smtih (Aug 13)
- Re: XSS at Citibank.co.uk Jim Duncan (Aug 13)
- Re: XSS at Citibank.co.uk bruen (Aug 14)
- Re: XSS at Citibank.co.uk Frank de Wit (Aug 14)
- Re: XSS at Citibank.co.uk bruen (Aug 14)