mailing list archives
Widespread vulnerabilities in Libero.it/Infostrada.it web portals
From: rosario.valotta () gmail com
Date: 29 Mar 2007 14:28:07 -0000
Following the advisory of the XSS vulnerability found on Libero.it (italian ISP) portal,
and after the "official" response given by the portal owners which stated that in no way user accounts would be at
several other XSS vulns have been found on Libero.it/Infostrada.it portals (both are from the same provider, different
names for historical reasons).
The current post has the only aim to demonstrate that the previous vulns are not occasional and a hardening in
Libero/infostrada portals application security is really urgent
is required in order to preserve and protect users privacy.
This PoC widely demonstrate how an attacker can use another XSS vuln + a lack of access control on private Libero.it
pages for organize a phishing attack.
Step 1. On the community pages is possible, for Libero users to create a personal blog;
this blog can be administred through some admin private pages while the published blog pages are fro public use.
is a private admin page used to alert for possible errors encoutered during the publication of a blog page.
The page is XSS vulnerable:
Step 2. The attacker sends a link to the victim (e.g. inviting him to have a look at a content of his personal
The link is so made:
this links uses a second vuln of the portal that lacks of access control to private pages (a normal user should not can
access to an admin page of my blog) to redirect the user to the XSS page.
- reads the cookie of the user
- sends it to the attacker phishing site
- redirect the request to the phishin site
Step 4. The phishing site present the Libero login form, pretending the password typed is not correct.
As the redirect comes from a REAL Libero,it AUTH page the secnario is extremely realistic.....
Same XSS problems are present in www.infostrada.it servers, with a
serious XSS vulnerability exploitable in a page used for subscribe to
The parameter "tel=" for the phone number is unchecked for ANY script.
Wrong, wrong, wrong, wrong. :)
Problems in Libero are not, though, limited to JS and XSS scripts for
Infostrada.it servers are prone
to SQL errors for unchecked values:
Errors reported are prone to information leaking about Environment.
Take these lines for
SERVER_SOFTWARE=Oracle HTTP Server Powered by Apache/1.3.12 (Unix) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a
Same SQL problem is present in <155.libero.it> eg:
The domain 155.libero.it allows customers of Wind (a fixed and mobile
telecom Italian operator) to manage their own telephone lines.
During the authentication session attention was given only to the
security of the data transfer (HTTPS), but the security of the
application itlself was neglected.
Submitting the login the form, all data are sent to a page which
performs a first validation. This page creates a form with the data
needed for the authentication, without validating the data themselves
Usually, the entered username gets checked by the system, leaving the
password to itself, for what concerns both the length and the contents.
Therefore, it is possibile to inject, through the "password" field
A PoC of the URL is as follows:
By skillfully exploiting the XSS it is possible to lead an unexperienced
user to believe that the URL is truly secure simply because the HTTPS
protocol is being used.
Besides that, by using the JS method
onLoad="document.directLoginForm.submit();" the XSS (perhaps utilized
just to steal the authentication token) could be totally invisible to
I'd also like to report that the page is also reachable in its
unencrypted form using plain HTTP protocol.
Rosario Valotta (first vuln)
rosario.valotta at gmail dot com
Matteo G.P. Flora (second & third vulns)
Mf at matteoflora dot com
Matteo Carli (fourth vuln)
matteo at matteocarli dot com
- Widespread vulnerabilities in Libero.it/Infostrada.it web portals rosario . valotta (Mar 29)