Full Disclosure mailing list archives

H4-CREW-000003 Advisory: Superclick XSS via popup.php
From: tHe cReW <h4xorcrew () gmail com>
Date: Thu, 3 Nov 2005 17:03:59 -0800

H4-CREW-000003 Advisory: Superclick XSS via popup.php
Software: Superclick servers on the internet
Discovered by: h4 Crew
Severity: moderate
Investigation by the H4-Crew


Impacts
=======

[1] cookie theft
[2] hijacking XSS proxy (xssproxy.sourceforge.net)


Discussion
=========
H4-CREW-000003 Superclick Cross-Site Scripting

Superclick offers high-speed internet connectivity to the
hospitality industry, providing internet access to an estimated 160
hotels with more than 20,000 rooms. Superclick offers the SIMS
(Superclick Internet Management Server) for internet access, but also
operates a number of public access proxy servers which integrate into
browser toolbar functions when guest sign-on occurs. The popup.php
script that runs on public Superclick servers is vulnerable to
cross-site scripting.

[1] XSS
------------

The PHP script popup.php is vulnerable to cross-site scripting in
the "url" parameter.

/superclick/popup.php?toolbar=1& popup=0&url=<script>alert("PWND")</script>

These servers do not filter access by IP address, so a link to the
server that any user follows will be redirected by the Superclick
scripts. This makes the cross-site scripting more serious because any
user could be affected by the reflected kind if any link points to a
vulnerable Superclick gateway. So this cross-site scripting could
affect users who are not using the Superclick site for internet
access, but follow a link in a forum or email.

[2] Privacy concerns
-------------------------------
The Superclick public gateways appear to cache some user web browsing
habits, as evidenced by the Google search which reveals pages to which
Superclick has redirected users. Whether lots of user data is cached
is also not known.

inurl:/superclick/popup.php

Solution
-----------
None at this time.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
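
For operators of an affected gateway, the following added example (not part of the original post and not Superclick code) scans access-log lines for popup.php requests whose "url" parameter is not a plain http(s) URL, and shows the HTML encoding a page should apply before echoing that value. The log lines are constructed, common log format is assumed, and the function names are hypothetical.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines (common log format assumed); the payload is the advisory's own.
SAMPLE_LOG = '''\
10.0.0.5 - - [03/Nov/2005:17:10:01 -0800] "GET /superclick/popup.php?toolbar=1&popup=0&url=http://example.com/ HTTP/1.1" 200 512
10.0.0.6 - - [03/Nov/2005:17:10:09 -0800] "GET /superclick/popup.php?toolbar=1&popup=0&url=%3Cscript%3Ealert(%22PWND%22)%3C/script%3E HTTP/1.1" 200 498
10.0.0.7 - - [03/Nov/2005:17:10:30 -0800] "GET /superclick/popup.php?toolbar=1&popup=0&url=<script>alert("PWND")</script> HTTP/1.1" 200 498
10.0.0.8 - - [03/Nov/2005:17:11:02 -0800] "GET /index.html HTTP/1.1" 200 1024
'''

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r'[<>"\'\x00-\x1f]')

def is_plain_web_url(value):
    """True only for an absolute http(s) URL with a host and no markup characters."""
    if MARKUP.search(value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def encode_for_html(value):
    """Output encoding a page should apply before echoing the value into HTML."""
    return html.escape(value, quote=True)

def scan(log_text):
    """Return (client, decoded url value) for popup.php requests that fail the check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/superclick/popup.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("url", []):
            if not is_plain_web_url(value):
                hits.append((client, value))
    return hits

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(client, encode_for_html(value))
```

Because the gateways accept requests from any address, flagged clients are the users who followed a crafted link, not necessarily its author; the Referer field, where logged, is the better lead.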


  By Date           By Thread  

Current thread:
  • H4-CREW-000003 Advirosy: Superclick XSS via popup.php tHe cReW (Nov 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]