Information Security News mailing list archives

Top News Sites Close Script Hacking Hole


From: InfoSec News <isn () c4i org>
Date: Mon, 4 Feb 2002 00:22:40 -0600 (CST)

http://www.newsbytes.com/news/02/174173.html

By Brian McWilliams, Newsbytes
NEW YORK, NEW YORK, U.S.A.,
01 Feb 2002, 7:57 PM CST
 
A security flaw at leading online news providers MSNBC.com,
NYTimes.com, and WashingtonPost.com could have allowed attackers to
generate bogus articles using the sites.

In a demonstration of the bug, David De Vitry, an independent security
specialist, exploited the news sites to create a phony story in which
a NASA official claimed the space agency's moon landings were faked.
 
The security glitch, known as cross-site scripting (CSS), opened the
door to what experts call subversion of information attacks. Such
attacks can be used to spread false information, manipulate stock
prices, and perform other malicious acts.

At no time did the flaws, which have been corrected, allow
unauthorized users to place articles on the Web servers of the
affected sites or to edit existing pages.

To view the fraudulent stories generated from the news sites, users
would have to click a specially crafted hyperlink in an e-mail,
instant message, or on a third-party site.

In De Vitry's demo, clicking a link to the vulnerable news page pulled
content from his personal site and overlaid it on a page generated by
the news site.

Because three sites were simultaneously vulnerable to CSS attacks, a
fake news item could have gained extra credibility, according to De
Vitry.

"Imagine posting different versions of the same story involving
several news sites. It wouldn't be hard to get people to start
believing it," he said.

When notified of the security flaw today, MSNBC.com officials closed
the hole identified by De Vitry and began a sweeping review of the
site for other CSS bugs, according to Ian Marriott, director of
development for MSNBC.com, a joint venture between Microsoft and
television network NBC.

The Washington Post Company performed a similar analysis and fixed
flaws at its site today.

A CSS hole at the NYTimes.com site was closed last week, more than a
month after the news company was alerted to the problem, according to
De Vitry.

Christine Mohan, a spokesperson for New York Times Digital, the
Internet unit of The New York Times Company, said the firm
investigated the matter when contacted by De Vitry, and "prioritized
the issue accordingly."

Cross-site scripting is a well-known security issue that was widely
publicized two years ago in an advisory from the Computer Emergency
Response Team (CERT), a federally funded security information
clearinghouse.

CSS security flaws primarily affect Web pages that accept input from
users, such as forms for searching, processing credit-card
information, or logging in, according to a Feb. 2000 document at
Microsoft's technical support site.

The CSS flaw discovered by De Vitry at MSNBC.com was present in an
input form used by site visitors for e-mailing articles to other
Internet users. At the NYTimes.com site, the bug was in a search form
on its New York Today page. The WashingtonPost.com had a CSS flaw in a
page in its financial section for requesting stock quotes.

According to CERT, many Web sites remain vulnerable to CSS attacks,
and site operators do not adequately understand the threat CSS bugs
present to visitors.

Among the risks of CSS cited by Microsoft are compromises of data
integrity, interception of user input, and execution of malicious
scripts.

Earlier this month, MSNBC.com was first to report a CSS flaw
discovered by De Vitry at Citibank's C2IT.com Internet payment site
that could have enabled attackers to grab users' credit card and bank
account information.

CSS attacks are commonly launched by tricking users into clicking a
hyperlink containing special characters that loads a JavaScript
program or other data.

The Web page that appears in the victim's browser may appear to come
from the trusted site, but code injected into the page by the attacker
could perform malicious acts.

While CSS bugs are easy to correct, spotting them is difficult, and
new automated tools may be needed, said Richard M. Smith, an
independent security consultant.

Eeye Digital Security will add such a capability to the next version
of its SecureIIS product, to block CSS attacks against servers running
Microsoft's Internet Information Server software, according to Eeye
chief hacking officer, Marc Maiffret.

Marriott said MSNBC.com performed a full inspection of all of its Web
pages when CSS vulnerabilities first came to light years ago. But he
said pages since added to the site may have slipped through the
company's code review process.

This week, CSS vulnerabilities at Web sites operated by several major
Internet security companies were publicized. Such flaws have also been
uncovered at Yahoo, EBay, Microsoft, Netscape, and other high-profile
Web sites.

MSNBC.com is at http://www.msnbc.com 

The New York Times is on the Web at http://www.nytimes.com 

The Washington Post site is at http://www.washingtonpost.com 

Microsoft's article on CSS security issues is at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q252985 

De Vitry's site is at http://www.devitry.com
 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
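
The article describes pages that echo form input back to the browser, and quotes Richard M. Smith on the need for automated tools to spot them. The following is an added example, not part of the Newsbytes article and not code from any of the sites named: a minimal check that sends a harmless marker through each form parameter and reports where it comes back without HTML encoding. The handlers, paths and parameter names are constructed for illustration, loosely modelled on the form types the article mentions.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Harmless probe: a unique token followed by the characters HTML treats as markup.
PROBE = "zq7probe<\"'>"

def _param(url, name):
    """Read one decoded query-string parameter from a URL."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

# Constructed handlers (assumptions), one per form type the article names.
def search_page(url):         # flaw: user input copied into the page unchanged
    return "<h1>Results for " + _param(url, "q") + "</h1>"

def quote_page(url):          # flaw: same mistake inside an attribute value
    return '<input name="symbol" value="' + _param(url, "symbol") + '">'

def email_article_page(url):  # fixed: input is HTML-encoded on output
    return "<p>Send to: " + html.escape(_param(url, "to"), quote=True) + "</p>"

SITE = {  # path -> (handler, parameters the form accepts)
    "/search": (search_page, ["q"]),
    "/quote": (quote_page, ["symbol"]),
    "/email": (email_article_page, ["to"]),
}

def find_unencoded_reflections(site):
    """Return (path, param) pairs whose response echoes the probe verbatim."""
    findings = []
    for path, (handler, params) in sorted(site.items()):
        for name in params:
            page = handler(path + "?" + urlencode({name: PROBE}))
            if PROBE in page:  # markup characters survived, so output is not encoded
                findings.append((path, name))
    return findings

if __name__ == "__main__":
    for path, name in find_unencoded_reflections(SITE):
        print(f"unencoded reflection: {path} parameter {name!r}")
```

Each finding marks a place where output encoding such as html.escape is missing; the encoded handler is not reported because the probe's markup characters no longer appear verbatim in its response.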

