[ISN] AOL, Yahoo, ICQ Sites Battle Security Holes

From: InfoSec News (isnat_private)
Date: Sun Sep 23 2001 - 23:24:09 PDT

    By Brian McWilliams, Newsbytes
    20 Sep 2001, 11:29 PM CST
    Three leading Internet firms have fallen prey to a serious security
    bug identified more than 18 months ago.
    America Online's Shop@AOL site, along with the portal for its ICQ
    instant messaging product, and Yahoo's site for users in France, have
    been identified as vulnerable to an attack known as cross-site
    In February last year, a joint advisory about cross-site scripting was
    issued by the FBI's National Infrastructure Protection Center and the
    Computer Emergency Response Team (CERT).
    The three vulnerable sites were all reported by different individuals
    in the past seven days to VulnWatch, a new security mailing list.
    The search function on each of the vulnerable sites allows
    unauthorized users to inject HTML tags or scripts within the Uniform
    Resource Locator (URL) address of the site.
    As a result, an attacker could, for example, trick Web surfers into
    clicking on what they believe is a safe link to a trusted source in an
    e-mail or Web page. In fact, the URL could contain scripts which steal
    data input by the user and send it back to the attacker, according to
    CERT's advisory.
    Officials from the three affected sites were not available for comment
    this evening.
    According to Cabezon Aurélien of the French security portal
    iSecureLabs.com, he reported the vulnerability in Yahoo's French site
    to the firm and it has corrected the flaw.
    The flaw at ICQ.com was also still open, despite having been reported
    to the company Wednesday, according to Aurélien.
    The vulnerability at Shop@AOL, which was identified by Jon
    Britton, operator of a site called BreakWindows.com, was still
    exploitable this evening, based on tests by Newsbytes.
    While Internet surfers can disable scripting in their browsers to
    protect against such attacks, CERT said the onus for correcting the
    problem falls on Web site developers.
    "None of the solutions that Web users can take are complete solutions.
    In the end, it is up to Web page developers to modify their pages to
    eliminate these types of problems," said the CERT advisory.
    CERT's advisory on cross-site scripting is online here:
    http://www.cert.org/advisories/CA-2000-02.html .
    VulnWatch is online at http://www.vulnwatch.org .
    ISN is currently hosted by Attrition.org
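
Added example, not part of the Newsbytes article or of any of the sites it names: a search page that echoes the URL's query term back into its HTML, first unmodified (the behaviour the article describes) and then encoded for each output context, with a check a developer can keep as a regression test. The host `shop.example`, the `q` parameter and all function names are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed request URL: the "q" value carries markup instead of a search term.
SAMPLE_URL = "http://shop.example/search?q=%22%3E%3Cscript%3Eprobe()%3C/script%3E"

def query_term(url: str) -> str:
    """Return the decoded 'q' parameter, as a search handler would receive it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def render_vulnerable(term: str) -> str:
    """Echo the term into the page unmodified (the flaw described in the article)."""
    return (
        f'<form><input name="q" value="{term}"></form>\n'
        f"<p>No results for {term}</p>\n"
        f'<a href="/search?q={term}&page=2">next</a>'
    )

def render_hardened(term: str) -> str:
    """Encode the term for each output context before it reaches the page."""
    as_html = html.escape(term, quote=True)     # element text and attribute values
    as_url = html.escape(quote(term, safe=""))  # URL component, then HTML attribute
    return (
        f'<form><input name="q" value="{as_html}"></form>\n'
        f"<p>No results for {as_html}</p>\n"
        f'<a href="/search?q={as_url}&amp;page=2">next</a>'
    )

def reflects_markup(page: str, term: str) -> bool:
    """Regression check: is the raw term present in the page with its markup intact?"""
    return any(c in term for c in '<>"') and term in page

if __name__ == "__main__":
    term = query_term(SAMPLE_URL)
    for render in (render_vulnerable, render_hardened):
        print(render.__name__, "reflects markup:", reflects_markup(render(term), term))
```

The hardened renderer still shows the visitor what they searched for; the browser displays the encoded characters as text instead of parsing them as tags.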