[Full-Disclosure] TRUSTe.org Cross-Site-Scripting Phishing oppurtunities

From: Andrew Smith (stfunub_at_gmail.com)
Date: 11/08/04

  • Next message: jamie fisher: "Re: [Full-Disclosure] MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? )"
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: Mon, 8 Nov 2004 16:05:49 +0000
    
    

    Website: http://truste.org
    Background:
    TRUSTe® is an independent, nonprofit organization dedicated to
    enabling individuals and organizations to establish trusting
    relationships based on respect for personal identity and information
    in the evolving networked world.
    Through extensive consumer and Web site research and the support and
    guidance of many established companies and industry experts, TRUSTe
    has earned a reputation as the leader in promoting privacy policy
    disclosure, informed user consent, and consumer education.
    TRUSTe's members include eBay, Apple, MSN, NYTimes and many other big,
    scary corporations.

    Description: Truste's 'ivalidate.php' is used to validate "trusted"
    sites. Whilst the script does add slashes to quotes and closes
    <script> and <style> tags, there are a number of HTML tags it does not
    strip, including <linK>,<div>,<iframe>.
    This leaves the site open to attack from phishers wanting to make
    their site appear "trusted".

    Further information can be found here: http://wheresthebeef.co.uk/XSS/

    TrustE.org were informed of the vulnerability through various e-mail
    addresses 5 days ago, they are yet to respond or fix the problem.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: jamie fisher: "Re: [Full-Disclosure] MSIE src&name property disclosure ("E" - GORILLA WAR stratigy? )"