[ISN] Top News Sites Close Script Hacking Hole

From: InfoSec News (isnat_private)
Date: Sun Feb 03 2002 - 22:22:40 PST

By Brian McWilliams, Newsbytes
01 Feb 2002, 7:57 PM CST

A security flaw at leading online news providers MSNBC.com,
NYTimes.com, and WashingtonPost.com could have allowed attackers to
generate bogus articles using the sites.

In a demonstration of the bug, David De Vitry, an independent security
specialist, exploited the news sites to create a phony story in which
a NASA official claimed the space agency's moon landings were faked.

The security glitch, known as cross-site scripting (CSS), opened the
door to what experts call subversion of information attacks. Such
attacks can be used to spread false information, manipulate stock
prices, and perform other malicious acts.

At no time did the flaws, which have been corrected, allow
unauthorized users to place articles on the Web servers of the
affected sites or to edit existing pages.

To view the fraudulent stories generated from the news sites, users
would have to click a specially crafted hyperlink in an e-mail,
instant message, or on a third-party site.

In De Vitry's demo, clicking a link to the vulnerable news page pulled
content from his personal site and overlaid it on a page generated by
the news site.
Because three sites were simultaneously vulnerable to CSS attacks, a
fake news item could have gained extra credibility, according to De
Vitry.

"Imagine posting different versions of the same story involving
several news sites. It wouldn't be hard to get people to start
believing it," he said.
When notified of the security flaw today, MSNBC.com officials closed
the hole identified by De Vitry and began a sweeping review of the
site for other CSS bugs, according to Ian Marriott, director of
development for MSNBC.com, a joint venture between Microsoft and
television network NBC.

The Washington Post Company performed a similar analysis and fixed
flaws at its site today.

A CSS hole at the NYTimes.com site was closed last week, more than a
month after the news company was alerted to the problem, according to
De Vitry.

Christine Mohan, a spokesperson for New York Times Digital, the
Internet unit of The New York Times Company, said the firm
investigated the matter when contacted by De Vitry, and "prioritized
the issue accordingly."

Cross-site scripting is a well-known security issue that was widely
publicized two years ago in an advisory from the Computer Emergency
Response Team (CERT), a federally funded security information

CSS security flaws primarily affect Web pages that accept input from
users, such as forms for searching, processing credit-card
information, or logging in, according to a Feb. 2000 document at
Microsoft's technical support site.

The CSS flaw discovered by De Vitry at MSNBC.com was present in an
input form used by site visitors for e-mailing articles to other
Internet users. At the NYTimes.com site, the bug was in a search form
on its New York Today page. The WashingtonPost.com had a CSS flaw in a
page in its financial section for requesting stock quotes.

According to CERT, many Web sites remain vulnerable to CSS attacks,
and site operators do not adequately understand the threat CSS bugs
present to visitors.

Among the risks of CSS cited by Microsoft are compromises of data
integrity, interception of user input, and execution of malicious

Earlier this month, MSNBC.com was first to report a CSS flaw
discovered by De Vitry at Citibank's C2IT.com Internet payment site
that could have enabled attackers to grab users' credit card and bank
account information.

CSS attacks are commonly launched by tricking users into clicking a
hyperlink containing special characters that loads a JavaScript
program or other data.

The Web page that appears in the victim's browser may appear to come
from the trusted site, but code injected into the page by the attacker
could perform malicious acts.

While CSS bugs are easy to correct, spotting them is difficult, and
new automated tools may be needed, said Richard M. Smith, an
independent security consultant.
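The mechanism the article describes, a search page that echoes the query from a clicked link straight back into its own HTML, as an added example that is not part of the article and not code from any of the sites named in it. The vulnerable renderer interpolates the raw query; the hardened one HTML-encodes it before it reaches the page body, which is the "easy to correct" fix Smith refers to. `unescaped_reflections` is a small regression check of the kind a site operator could run over its own forms to find reflections that are hard to spot by eye. The link, the parameter name `q`, the canary strings and both renderers are constructed assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the kind of "specially crafted hyperlink" a victim
# would be sent; the query parameter carries markup instead of a search term.
CRAFTED_LINK = "http://news.example/search?q=%3Cscript%3Ex%3C/script%3E"


def query_from_link(link: str) -> str:
    """Extract the (percent-decoded) 'q' parameter the search page will receive."""
    params = parse_qs(urlsplit(link).query)
    return params.get("q", [""])[0]


def render_results_vulnerable(query: str) -> str:
    """Defect: the raw query is written into the page, so any markup in it is
    parsed and executed by the visitor's browser as if the news site wrote it."""
    return f"<html><body><h1>Results for: {query}</h1></body></html>"


def render_results_hardened(query: str) -> str:
    """Fix: HTML-encode the query at the point of output. The visitor sees the
    text of the query; the browser never treats it as tags or script."""
    safe = html.escape(query, quote=True)
    return f"<html><body><h1>Results for: {safe}</h1></body></html>"


# Harmless canaries (constructed): each contains a character that must not
# come back unencoded from a page that reflects user input into HTML.
CANARIES = ["<b>x</b>", '"x"', "<script>x</script>"]


def unescaped_reflections(render) -> list:
    """Probe a renderer with the canaries and return those that come back
    verbatim inside the page, i.e. the inputs it reflects without encoding."""
    return [canary for canary in CANARIES if canary in render(canary)]


if __name__ == "__main__":
    query = query_from_link(CRAFTED_LINK)
    print("query received by the search page:", query)
    print("vulnerable renderer reflects:", unescaped_reflections(render_results_vulnerable))
    print("hardened renderer reflects:  ", unescaped_reflections(render_results_hardened))
    print(render_results_hardened(query))
```

Encoding in `html.escape` is correct for text placed in the HTML body, as in this search-results heading; a value written inside an attribute, a URL or an inline script needs the encoding for that context instead, so the check above only proves the body case it tests.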
Eeye Digital Security will add such a capability to the next version
of its SecureIIS product, to block CSS attacks against servers running
Microsoft's Internet Information Server software, according to Eeye
chief hacking officer, Marc Maiffret.

Marriott said MSNBC.com performed a full inspection of all of its Web
pages when CSS vulnerabilities first came to light years ago. But he
said pages since added to the site may have slipped through the
company's code review process.

This week, CSS vulnerabilities at Web sites operated by several major
Internet security companies were publicized. Such flaws have also been
uncovered at Yahoo, EBay, Microsoft, Netscape, and other high-profile
Web sites.

MSNBC.com is at http://www.msnbc.com
The New York Times is on the Web at http://www.nytimes.com
The Washington Post site is at http://www.washingtonpost.com
Microsoft's article on CSS security issues is at
De Vitry's site is at http://www.devitry.com
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 02:26:38 PST