Information Security News mailing list archives

Top Security Sites Easy Prey To Script Attacks - Update


From: InfoSec News <isn () c4i org>
Date: Thu, 31 Jan 2002 04:23:48 -0600 (CST)

http://www.newsbytes.com/news/02/174085.html

By Brian McWilliams, Newsbytes
PITTSBURGH, PENNSYLVANIA, U.S.A.,
30 Jan 2002, 7:29 PM CST
 
Web sites operated by several leading Internet security organizations
are vulnerable to an old but serious security flaw known as the
cross-site scripting (CSS) attack.

A cursory survey today revealed that the corporate home pages of
security software vendors including Network Associates, Kaspersky Lab,
Trend Micro, SonicWall, and Command Software were all susceptible to
CSS attacks.
 
Nearly two years ago, the Computer Emergency Response Team (CERT)  
warned Web developers to prevent their sites from being abused through
CSS attacks. According to CERT, the presence of CSS vulnerabilities
can be exploited by malicious third parties to perform an array of
attacks on site users, including theft of passwords, credit card
numbers, browser cookies, and other private data.

Also vulnerable to CSS attacks is the Web home of Internet Security
Systems (ISS). Eeye Digital Security and SecurityFocus.com recently
repaired a CSS flaw at their Web sites. The CSS bugs at all three
sites were identified Tuesday in a posting by a participant nicknamed
"Phinegeek" on Vuln-Dev, a security mailing list operated by
SecurityFocus.

The failure of many major Web sites to fix their CSS vulnerabilities
prompted the Computer Emergency Response Team last week to warn
Internet users that self-defense may be their only protection against
privacy- and security-compromising CSS attacks.

Besides high-profile security sites, instances of CSS vulnerabilities
have recently been reported at top e-commerce and portal sites,
including AOL, Citibank, Microsoft, Yahoo, EBay, MSN, Excite, and
Lycos.

In his search for security sites with CSS holes, Phinegeek also found
that the Web site operated by the U.S. Social Security Administration
is vulnerable to CSS exploits.

CSS attacks are commonly launched by tricking users into clicking on a
specially crafted link in an e-mail message or on a third-party site.

The Web page that appears in the victim's browser may appear to be
coming from the trusted site, but code injected into the page by the
attacker could perform malicious acts.

Security experts classify CSS vulnerabilities as "user input
validation" flaws and advise sites to properly filter commands issued
by visitors so that intruders are unable to cause the site to send a
page containing the attacker's malicious code to a victim's browser.

Sites vulnerable to CSS attacks can be easily identified by submitting
a short string of code containing JavaScript commands to the site's
search engine.
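The two paragraphs above describe the flaw as a missing output-side check on visitor input and the probe as a marker string submitted to a search form. The following is an added illustration, not code from the article or from any of the sites it names: a constructed search-results handler in its reflecting form beside the encoded form, plus the self-check a site owner would run against their own page with a harmless markup probe.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed, minimal search-results templates. The query comes from a
# link such as /search?q=... and is echoed back in the page heading.

def render_results_vulnerable(query: str) -> str:
    # Pastes the visitor's query straight into the HTML. Any markup or
    # script in the query becomes part of the page the site serves.
    return f"<html><body><h1>Results for: {query}</h1></body></html>"

def render_results_hardened(query: str) -> str:
    # html.escape turns < > & " ' into entities, so the query is displayed
    # as text and can no longer be interpreted as markup or script.
    safe = html.escape(query, quote=True)
    return f"<html><body><h1>Results for: {safe}</h1></body></html>"

def handle_search_url(url: str, hardened: bool) -> str:
    # Simulates the "specially crafted link" path: extract q from the
    # URL's query string and render the results page with it.
    params = parse_qs(urlsplit(url).query)
    query = params.get("q", [""])[0]
    render = render_results_hardened if hardened else render_results_vulnerable
    return render(query)

def reflects_markup(page: str, probe: str) -> bool:
    # Self-check for a site owner: submit a benign tag as the search term
    # and see whether the raw tag characters come back unencoded. True
    # means the page is reflecting input verbatim and needs encoding.
    return probe in page

if __name__ == "__main__":
    probe = "<b>probe</b>"  # constructed, harmless markup marker
    link = "http://example.invalid/search?q=" + html.escape(probe)
    for hardened in (False, True):
        page = handle_search_url("http://example.invalid/search?q=" + probe, hardened)
        print("hardened" if hardened else "vulnerable", "->",
              "reflects raw markup" if reflects_markup(page, probe) else "encoded")
```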

ScreamingCSS, a free scanner that spiders the pages of a site
searching for CSS vulnerabilities, was released earlier this month by
David De Vitry, a security consultant who has crusaded to get big
sites to repair their CSS holes.

Recently Citibank closed a CSS vulnerability identified by De Vitry at
the bank's C2IT.com Internet payment site that enabled attackers to
grab users' credit card and bank account information.

Since sites appear oblivious to the CSS threats against their users,
Microsoft should re-design its Internet Explorer Web browser to
prevent JavaScript code from accessing browser cookie files, according
to Richard M. Smith, an independent security and privacy expert.

"The simple change would prevent hackers from doing account hijacks,
one of the main dangers of cross-site scripting," wrote Smith in a
list of security recommendations to Microsoft Chairman Bill Gates
earlier this month.

Phinegeek's posting to Vuln-Dev is at
http://www.securityfocus.com/archive/82/252894

CERT's 2000 advisory on CSS attacks is at
http://www.cert.org/advisories/CA-2000-02.html

De Vitry's Web site is at http://www.devitry.com/holes.html 

Smith's letter to Gates is at 
http://www.computerbytesman.com/security/bill1.htm 



-
ISN is currently hosted by Attrition.org
