Information Security News mailing list archives

AOL, Yahoo, ICQ Sites Battle Security Holes


From: InfoSec News <isn () c4i org>
Date: Mon, 24 Sep 2001 01:24:09 -0500 (CDT)

http://www.newsbytes.com/news/01/170347.html

By Brian McWilliams, Newsbytes
DULLES, VIRGINIA, U.S.A.,
20 Sep 2001, 11:29 PM CST
 
Three leading Internet firms have fallen prey to a serious security
bug identified more than 18 months ago.

America Online's Shop@AOL site, along with the portal for its ICQ
instant messaging product, and Yahoo's site for users in France, have
been identified as vulnerable to an attack known as cross-site
scripting.

In February last year, a joint advisory about cross-site scripting was
issued by the FBI's National Infrastructure Protection Center and the
Computer Emergency Response Team (CERT).

The three vulnerable sites were all reported by different individuals
in the past seven days to VulnWatch, a new security mailing list.

The search function on each of the vulnerable sites allows
unauthorized users to inject HTML tags or scripts within the Uniform
Resource Locator (URL) address of the site.

As a result, an attacker could, for example, trick Web surfers into
clicking on what they believe is a safe link to a trusted source in an
e-mail or Web page. In fact, the URL could contain scripts which steal
data input by the user and send it back to the attacker, according to
CERT's advisory.

Officials from the three affected sites were not available for comment
this evening.

According to Cabezon Aurélien of the French security portal
iSecureLabs.com, he reported the vulnerability in Yahoo's French site
to the firm and it has corrected the flaw.

The flaw at ICQ.com was also still open, despite having been reported
to the company Wednesday, according to Aurélien.

The vulnerability at Shop@AOL.com, which was identified by Jon
Britton, operator of a site called BreakWindows.com, was still
exploitable this evening, based on tests by Newsbytes.

While Internet surfers can disable scripting in their browsers to
protect against such attacks, CERT said the onus for correcting the
problem falls on Web site developers.

"None of the solutions that Web users can take are complete solutions.
In the end, it is up to Web page developers to modify their pages to
eliminate these types of problems," said the CERT advisory.

CERT's advisory on cross-site scripting is online here:
http://www.cert.org/advisories/CA-2000-02.html .

VulnWatch is online at http://www.vulnwatch.org .



-
ISN is currently hosted by Attrition.org
