Full Disclosure mailing list archives

TRUSTe.org Cross-Site-Scripting Phishing opportunities
From: Andrew Smith <stfunub () gmail com>
Date: Mon, 8 Nov 2004 16:05:49 +0000

Website: http://truste.org
TRUSTe® is an independent, nonprofit organization dedicated to
enabling individuals and organizations to establish trusting
relationships based on respect for personal identity and information
in the evolving networked world.
Through extensive consumer and Web site research and the support and
guidance of many established companies and industry experts, TRUSTe
has earned a reputation as the leader in promoting privacy policy
disclosure, informed user consent, and consumer education.
TRUSTe's members include eBay, Apple, MSN, NYTimes and many other big,
scary corporations.

Description: Truste's 'ivalidate.php' is used to validate "trusted"
sites. Whilst the script does add slashes to quotes and closes
<script> and <style> tags, there are a number of HTML tags it does not
strip, including <linK>, <div>, <iframe>.
This leaves the site open to attack from phishers wanting to make
their site appear "trusted".

Further information can be found here: http://wheresthebeef.co.uk/XSS/

TrustE.org were informed of the vulnerability through various e-mail
addresses 5 days ago; they have yet to respond or fix the problem.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
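Added illustration (not part of the post above, and not TRUSTe's actual ivalidate.php code): a model of the filter behaviour the post describes, which escapes quotes with backslashes and strips only <script> and <style>, placed beside the hardened alternative of encoding every HTML metacharacter. The sample input and the `blocklist_filter` model are constructed assumptions, used only to show which tags survive each treatment.

```python
import html
import re

# Constructed sample value, as if submitted to a validation page that
# echoes it back into an HTML response. Not taken from the post.
SAMPLE = (
    'Example Corp <script>x()</script><style>*{}</style>'
    '<iframe src="//example.test/"></iframe>'
    '<link rel="stylesheet" href="//example.test/a.css">'
    '<div>spoofed seal</div> "quoted"'
)

# Anything that still looks like the start of an HTML tag (open or close).
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def blocklist_filter(value: str) -> str:
    """Assumed model of the behaviour the post describes: remove <script>
    and <style> elements, then backslash-escape quotes. This is a
    blocklist; every tag not on it passes through untouched."""
    value = re.sub(r"<script\b.*?</script\s*>", "", value, flags=re.I | re.S)
    value = re.sub(r"<style\b.*?</style\s*>", "", value, flags=re.I | re.S)
    # addslashes()-style quoting protects a SQL string literal, not an
    # HTML context: '<' and '>' are left intact.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def escape_for_html(value: str) -> str:
    """Hardened form: encode <, >, &, and quotes for the HTML text
    context, so no tag of any name survives, listed or not."""
    return html.escape(value, quote=True)


def surviving_tags(output: str) -> set:
    """Names of tags that remain recognisable in the filtered output."""
    return {m.group(1).lower() for m in TAG_RE.finditer(output)}


if __name__ == "__main__":
    print("blocklist leaves:", sorted(surviving_tags(blocklist_filter(SAMPLE))))
    print("escaping leaves: ", sorted(surviving_tags(escape_for_html(SAMPLE))))
```

The blocklist output still contains the iframe, link and div tags named in the post; the escaped output contains none, which is the check a reviewer would apply to any reflected parameter.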
