Date: Mon, 17 Nov 2008 13:12:14 -0700
From: dateline@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: Bad CNN. No cookie for you!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear CNN,

I recently discovered a security vulnerability on the www.cnn.com website. I believe the vulnerability can be used by a remote user to alter content on www.cnn.com.

On 10 Nov 2008, I wrote to four email addresses at cnn.com and turner.com. Unfortunately, none of the addresses responded -- two of the addresses bounced. I have no alternative except to go public.

The vulnerability is due to a failure to properly taint parameters
passed to the server. The parameters can be used to pass in
server-side scripting code.

Bad CNN. No cookie for you!

The US edition of CNN has a service under "CNN.com Extras" called "My recently viewed pages" (scroll down the main page, it is on the right). Clicking on it shows the last 10 CNN.com pages you visited.

I originally looked at this because I wanted to see if there were any privacy issues. There are none, except for a big server-side exploit.

The tracking is done in a cookie variable for "www.cnn.com" called "js_memberservices.mrv". It is set whenever you click on an article (so click on an article first, then click the back button to go back to the main page). The cookie value is a URI-encoded string. For example:

%7Bvalue%3A%22Bond%2C%20fangs%2C%20dogs%20and%20DiCaprio%3A%20Holiday%20movies%20roll%20out%20-%20CNN.com%7Chttp%3A//www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html%7C%7CCommentary%3A%20Can%20McCain%20be%20Obama%27s%20friend%20in%20Congress%3F%20-%20CNN.com%7Chttp%3A//www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html%22%2CexpireDate%3A1234567891011%7D

This decodes as:
{value:"Bond, fangs, dogs and DiCaprio: Holiday movies roll out - CNN.com|http://www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html||Commentary: Can McCain be Obama's friend in Congress? - CNN.com|http://www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html",expireDate:1234567891011}

Vertical bars are used to separate fields and two of them separate
records. Most of the URI-encoding is not essential.

Each record has two items:
A text title that is displayed in "My recently viewed pages".
A URL for the hyperlink.

Neither of these values appears to be filtered. HTML tags, JavaScript, and quotes are all permitted.

Normally this would be a client-side self-imposed attack. Anything you put in your cookie comes back to you. Unless you have an exploit to edit another domain's cookie, this is harmless since you only hack yourself.

However... server-side scripting also appears to work. And if the double quotes are not properly matched, then the query fails (meaning that they are not properly quoting the variable on the server side).

The potential exploits range from posting false news stories to totally p0wning www.cnn.com.

Too bad CNN decided not to reply and forced this to go public.

PS. Hey CNN! Don't forget to also fix the "js_user_topics" cookie!

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFJIcUO/SGqjFZqH0kRAmhjAKCKb/LWAAln6alZ073SYrwHAPgwUwCgjP8m
kpn5L0pthvJfJEbIq/1Z5UM=
=TTRW
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkkh0B4ACgkQ/Ikpqp7FIXcD0wQAy3weU+qdsCP/GLFiy/OHGW4TkM8t
85mPhpBMEVlEz9KVSLW5JxVFWDnmk5VDqhPBHLa82TscjYABU8g/brxFgQTjnBcpJbe0
keuAK1eh2WSXyAFuc6FC937PE4SaXcDni1Yx7860Ekxd75at3p83rDacM9nUtu/av1QB
tinn1fY=
=4bXY
-----END PGP SIGNATURE-----
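Editor's added example (not part of the post above, and not CNN's code): a parser for the "js_memberservices.mrv" cookie format the message describes, an unescaped renderer of the kind the message implies (title and URL dropped straight into the "My recently viewed pages" markup), and a hardened renderer beside it. The first record in the sample cookie is the one quoted in the post; the second is a constructed hostile record (an <img> tag with an onerror handler as the title, a javascript: URL as the link) to show what "HTML tags, JavaScript, and quotes are all permitted" means in practice. The function names, the same-origin URL check and the hostile record are assumptions for illustration only; the post says nothing about how CNN's page actually renders the list.

```javascript
// Added example, not from the original post. Parses the cookie format
// {value:"title|url||title|url",expireDate:N} and contrasts an unescaped
// renderer with an escaped one. SAMPLE_COOKIE is constructed: record 1 is
// from the post, record 2 is a hostile record added for illustration.
const SAMPLE_COOKIE = encodeURIComponent(
  '{value:"Bond, fangs, dogs and DiCaprio: Holiday movies roll out - CNN.com' +
  '|http://www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html' +
  '||<img src=x onerror=alert(document.cookie)>|javascript:alert(1)",expireDate:1234567891011}'
);

// Decode the cookie. The body is not valid JSON (the keys are unquoted),
// so a regex pulls out the two members; '|' separates fields, '||' records.
function parseMrvCookie(raw) {
  const decoded = decodeURIComponent(raw);
  const m = /^\{value:"([\s\S]*)",expireDate:(\d+)\}$/.exec(decoded);
  if (!m) throw new Error('unrecognised js_memberservices.mrv format');
  const records = m[1] === '' ? [] : m[1].split('||').map(rec => {
    const [title = '', url = ''] = rec.split('|');
    return { title, url };
  });
  return { records, expireDate: Number(m[2]) };
}

// Unescaped renderer: the behaviour the post describes. Whatever is in the
// cookie lands in the markup verbatim, so record 2 becomes live script.
function renderUnsafe(parsed) {
  return '<ul>' + parsed.records
    .map(r => '<li><a href="' + r.url + '">' + r.title + '</a></li>')
    .join('') + '</ul>';
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Accept only http(s) links back to www.cnn.com (assumed policy); javascript:,
// data: and off-site URLs, and anything unparseable, are dropped.
function safeUrl(u) {
  try {
    const p = new URL(u);
    if ((p.protocol === 'http:' || p.protocol === 'https:') && p.hostname === 'www.cnn.com') {
      return p.href;
    }
  } catch (e) { /* not a URL at all */ }
  return null;
}

// Hardened renderer: validate the URL, escape both fields, never trust the cookie.
function renderSafe(parsed) {
  return '<ul>' + parsed.records
    .map(r => ({ title: r.title, url: safeUrl(r.url) }))
    .filter(r => r.url !== null)
    .map(r => '<li><a href="' + escapeHtml(r.url) + '">' + escapeHtml(r.title) + '</a></li>')
    .join('') + '</ul>';
}

// Stand-alone run: print the two renderings side by side.
const parsed = parseMrvCookie(SAMPLE_COOKIE);
console.log('unsafe: ' + renderUnsafe(parsed));
console.log('safe:   ' + renderSafe(parsed));
```

Run with node. The unsafe rendering contains the <img onerror=...> tag and an href="javascript:alert(1)" link exactly as they were stored in the cookie; the safe rendering keeps only the genuine CNN record, with its title and URL HTML-escaped. Escaping alone is not enough here: the URL goes into an href, so a javascript: scheme survives HTML escaping untouched, which is why the URL is validated separately from the text.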


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
