Bugtraq mailing list archives

Cross-Site Vulnerabilities (Still) Found in Major Web Sites


From: Watung Arif <watung () transavia co id>
Date: Mon, 21 Jan 2002 14:40:38 +0700


I know, this is a really lame issue. But it's been almost 2 years since CERT
alerted to cross-site scripting and gave recommendations on how to prevent
such attacks. Yet, major web sites still overlook the possibility that a
client may send malicious data intended to be used only by itself.

Yahoo, MSN, AOL, Lycos, and Excite suffer from such an attack. For example,
accessing the URLs below will cause the JavaScript code to be executed in
the browser within the server's domain:

http://groups.yahoo.com/group/<script>alert('Test')</script>

http://dictionary.msn.com/find/entry.asp?refid=1861719334&apos;><script>alert('Test')</script>&wwi=100908

http://affiliate.aol.com/affiliate/signupform.adp?siteid=12345678";><script>alert('Test')</script>

http://ldbreg.lycos.com/cgi-bin/mayaLogin?m_CBURL=http%3A%2F%2Fmy%2Elycos%2Ecom%2Freg%2Fdomayalogin%2Easp"><script>alert('Test')</script>

http://registration.excite.com/excitereg/<script>alert('Test')</script>.jsp


The attacker could use this ability to retrieve the HTTP cookies which those
sites use for user authentication. 

Qpass is an interesting example of how bad the impact of CSS could be. It is an
online content delivery and payment system used by companies such as New
York Times, Time, Forbes, Morningstar and AT&T intended to process online
purchases securely. Holding very sensitive information such as users' credit
card numbers, Qpass' FAQ says that it "has earned the highest security marks
from multiple third-party auditors including Ernst & Young, Dow Jones, and
American Express." Surprisingly enough, most inputs in their web pages are
not validated to prevent malicious HTML from being presented to the user.
Just to show you how it might be done:

Through the following URL, for example, a login page for NYT's article
purchases will be presented, along with JavaScript code being executed:

https://member.qpass.com/QpassLogon.asp?BrandingID=0&ReturnUrl=/macwelcome.asp&QEnt=0%2E0%2E0%2E1+%2Faccount+912371&QPCU=test&Qaff="><script>alert('Test')</script><

In this case, even though the second authentication step will then require the
user to supply his/her email address correctly, the vulnerability would still
allow an attacker to trick users into revealing complete login
information, i.e. user id, password, and email address. For example,
crafting a special URL as below will allow the second code to be executed in
the email authentication page:

https://member.qpass.com/QpassLogon.asp?BrandingID=0&ReturnUrl=/macwelcome.asp&QEnt=0%2E0%2E0%2E1+%2Faccount+912371&QPCU=test&Qaff="><script>alert('Test1');document.ThisFormName.QPCU.value='"><script>alert(\'Test2\')<\/script>'</script><

These bugs potentially affect those sites' users. They should examine their
programs to ensure proper input validation. The CERT advisory and tech tips
associated with it are certainly useful when mitigating such attacks. They
are available at:

http://www.cert.org/advisories/CA-2000-02.html
http://www.cert.org/tech_tips/malicious_code_mitigation.html
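To make the recommended fix concrete, here is an added example (my own code, not from the post or from any vendor named in it) showing the vulnerable reflection pattern beside its HTML-encoded form, checked with Python's own HTML parser. The URL, host and the Logon.asp/Qaff names are constructed placeholders modelled on the post's Qpass example, not real endpoints.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample (not one of the sites in the post): the "Qaff" parameter
# carries the attribute-breakout pattern the post reports, "><script>...
SAMPLE_URL = ('https://example.invalid/Logon.asp?QPCU=test'
              '&Qaff="><script>alert(\'Test\')</script><')

def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter ('' if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [''])[0]

def reflect_unsafe(value: str) -> str:
    """Vulnerable pattern: the parameter is written verbatim into an attribute."""
    return f'<input type="hidden" name="Qaff" value="{value}">'

def reflect_safe(value: str) -> str:
    """Hardened pattern: HTML-encode first; quote=True also encodes " and '."""
    return f'<input type="hidden" name="Qaff" value="{html.escape(value, quote=True)}">'

class _TagCollector(HTMLParser):
    """Records every start tag with its (entity-decoded) attributes."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def _parse(fragment: str):
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags

def start_tags(fragment: str) -> list:
    """Names of the elements a browser-like parser sees in the fragment."""
    return [tag for tag, _ in _parse(fragment)]

def attribute_value(fragment: str, attr: str) -> str:
    """Value of `attr` on the first element, after entity decoding."""
    tags = _parse(fragment)
    return tags[0][1].get(attr, '') if tags else ''
```

With the encoded form the parser sees only the intended input element, and the attribute still decodes back to the exact submitted string, so the data is preserved but inert.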

Note: All vendors have been notified.


Cheers,
Watung Arif

