Re: Cross-site scripting.

From: zeno (bugtraq@cgisecurity.net)
Date: 03/26/02


From: zeno <bugtraq@cgisecurity.net>
To: skylined@edup.tudelft.nl (Berend-Jan Wever)
Date: Tue, 26 Mar 2002 08:34:21 -0500 (EST)


> I have recently done a "CSS marathon" and found _almost_ every page I tried
> vulnerable within half an hour. These include microsoft, altavista,
> google, cnet, time, ebay, amazon, netscape, yahoo and redhat. This list
> probably could have gone on forever if I had taken the time. I have
> contacted every one of them about this (except for yahoo and ebay because I
> was unable to find a contact email address or feedback form; if it takes
> longer to find the contact info than to find the CSS, f#ck 'em). I am now
> awaiting their responses.

Ebay can be reached at clalonde@ebay.com. I had spoken with him in regards to an old
CSS hole and he was very prompt in response once I actually found it. Dunno about Yahoo
on the other hand.

Time.com's security contact can be reached at Renee_Guttmann@timeinc.com. I had found a hole
that not only allowed CSS but also SSI tag insertion into the website search engine.
Of course it's fixed now, but it took over a month to get fixed. And yes, command execution
was possible. Try emailing lists like incidents and saying "security contact for website.com?"
and you will usually get a quick response, which was the case with Time and me.

> Feedback on the usefulness (or futility) of a "general CSS advisory" would
> be appreciated.

Well, as is generally known, CSS holes can allow potential cookie theft. I guess on larger
sites this may be more of an issue because people invest in them. For small sites you should
probably just email the admins (if you can find them), and if not, contact their ISP: "hey, I wanted to
possibly speak with the admin of this site, can you help me by giving me an email addy?". Originally
when I contacted ebay it took over 3 months to get a response. Once I did, the problem was fixed within
a day. Depending on the site's general security it could perhaps open up some other issues.

- zeno@cgisecurity.com

PS: to the people whose email addies I gave out: if you're upset that I did, please let me know; after all,
giving them out is for your benefit.
>
> Berend-Jan Wever
>
> --------------------------------------------
> CSS implications
>
> By opening a specially crafted URL in the targeted user's web browser (for
> instance when he visits your website or reads an email you sent him):
> - read anything that user can read from the CSS-vulnerable site
> (addressbook, personal info, etc...)
> - do whatever that user can do on the CSS-vulnerable site (send messages,
> order stuff, change personal settings and passwords)
> - spoof the contents of the CSS-vulnerable site (make somebody think he is
> looking at www.foo.com while the contents of the page actually come from
> your site www.bar.com)
>
>
>
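The reflected-input bug that both posters describe (a search page echoing the query back unescaped, with cookie theft as the headline impact) in miniature, as an added example that is not part of the thread: a vulnerable renderer beside its hardened form, plus the HttpOnly session cookie that limits what a script on the page can read. The function names, page template and sample query are constructed for illustration.

```python
# Added example, not code from the original thread. Shows a minimal search
# results page in the vulnerable form (query reflected raw) and the hardened
# form (query HTML-escaped), plus a session cookie that scripts cannot read.
import html
from http.cookies import SimpleCookie

# Hypothetical page template: the search query lands inside an <h1>.
PAGE = "<html><body><h1>Results for: {query}</h1></body></html>"


def render_vulnerable(query: str) -> str:
    """Reflects the raw query into the page, so any markup in it is
    interpreted by the browser (and by the server if the page is SSI-parsed)."""
    return PAGE.format(query=query)


def render_hardened(query: str) -> str:
    """HTML-escapes the query so it is shown as text. Escaping '<', '>' and
    quotes also neutralises SSI directives (<!--# ... -->) in the same field."""
    return PAGE.format(query=html.escape(query, quote=True))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: HttpOnly keeps page scripts from
    reading it, Secure restricts it to HTTPS, SameSite=Lax limits cross-site
    sends. This does not fix the CSS hole; it reduces the cookie-theft impact."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar.output(header="").strip()


def reflects_markup(page: str, query: str) -> bool:
    """Crude regression check for a test suite: a query containing markup
    must never appear verbatim in the rendered page."""
    return "<" in query and query in page


# Constructed sample input: harmless markup is enough to show reflection.
SAMPLE_QUERY = "<b>shoes</b>"

if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable(SAMPLE_QUERY), SAMPLE_QUERY))
    print("hardened reflects markup:  ", reflects_markup(render_hardened(SAMPLE_QUERY), SAMPLE_QUERY))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```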