[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200405271707.i4RH7EnQ032081@web121.megawebservers.com>
Date: Thu, 27 May 2004 17:07:14 -0000
From: "http-equiv@...ite.com" <1@...ware.com>
To: <bugtraq@...urityfocus.com>
Cc: <NTBugtraq@...tserv.ntbugtraq.com>
Subject: The Dangers of Cross-Site-Scripting: Rogers Hi-Speed Internet Network [Canada]
Wednesday, May 26, 2004
Many people dismiss the dangers of cross site scripting as
nothing more than 'parlor tricks'. This is not a good idea. As
previously indicated:
[see: http://www.securityfocus.com/archive/1/348363]
when the right circumstance arises, this puny 'parlor trick' can
prove quite devastating. The following practical example
demonstrates this:
The Rogers Hi-Speed Internet Network of Canada
[http://www.rogers.com/] via cable modem appears to have a
fairly long history in the industry and some impressive numbers
if they can be deciphered:
"Rogers Cable passes 3.2 million homes in Ontario, New Brunswick
and Newfoundland, with 70% basic penetration of its homes
passed. Rogers Cable pioneered high-speed Internet access with
the first commercial launch in North America in 1995 and now
approximately 26%of homes passed are Internet customers"
For whatever odd reason it maintains a so-called "Hi-Speed"
content portal conveniently located in the time-tested Internet
Explorer security setting: 'intranet zone':
http://www/custom.jsp
draws the following:
[screen shot: http://www.malware.com/ro-geez.png 10KB]
Traversing the so-called "Hi-Speed" content portal reveals
sufficient content operational in the 'intranet zone' throughout
the majority of the site generalously laden with numerous cross-
site scripting points of entry. Quick checking of the server
[Server: Resin/2.1.9] confirms that these 'parlor trick' errors
are well documented with the indicated apparatus.
Internet:
http://hispeed.rogers.com/custom.jsp
http://hispeed.rogers.com/sports/nfl/team/report.jsp?
t=""><iframe%20src=http://www.microsoft.com/>
Intranet:
http:/www/
http://www/custom.jsp
http://www/sports/mlb/team/report.jsp?l="><script></script>
The 'intranet zone' is a step down from the 'internet zone' and
only one above our old friend the 'local zone':
[screen shot: http://www.malware.com/ro-geez.png 10KB]
Operations in this particular zone include:
- remote access to local files and folders via frames including
local resource files etc
- the old ADODB.Stream initializing with prompt instead of
failing
- many other past injection possibilities as well as any new
ones to be discovered in the future
Hammer this all together and if the aforementioned numbers are
accurate we have a whole lot of networked users ripe for the
plucking.
This is all the result of a poorly constructed website, a poorly
configured network and a ridiculously 'intuitive' thing for a
web browser so tightly woven to the operating system,
so 'clever' as to set up these zone things by itself that simply
viewing a web page will install and run your malware without
you having to do anything.
Notes:
1. Get rid of the browser once and for all
2. Contact to both corp security and generic security as well as
generic abuse and corp abuse at this particular network yields
nothing. A canned bounce to go and fill in some 'web form' on
their riddled-with-holes site.
3. Other fancy 'networks' like this may want to check their
configurations
End Call
--
http://www.malware.com
Powered by blists - more mailing lists