| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <A4FCADDE108AD611A4A70008C7A49E0D07E08A@IDSRV10> From: msutton at iDefense.com (Michael Sutton) Subject: iDEFENSE Security Advisory 09.05.2002 - Multiple Vulnerabilities at Canada.com iDEFENSE Security Advisory 09.05.2002 Multiple Vulnerabilities at Canada.com DESCRIPTION Multiple Vulnerabilities at Canada.com websites exist that could enable an attacker to access the e-mail account or financial portfolio of Canada.com users. 1. Cross Site Scripting at http://finance.canada.com Canada.com's finance site, located at http://finance.canada.com allows users to track financial portfolios. Users enter individual stock symbols along with the quantity of shares purchased, date purchased and commission paid. The site will then track the gains and losses for the portfolio. The finance site uses session cookies to maintain state. The cookie expires when the user either closes the browser window or logs out of the site. A cross- site scripting (XSS) vulnerability exists that would allow an attacker to access the session cookies of an authenticated user. It is important to note that because session cookies are used, the victim would need to be logged into his portfolio at the time of the attack. The following URL provides a proof of concept for the attack. If an authenticated user were to click on the URL, their session cookies would be displayed in an alert window: http://finance.canada.com/bin/quote/?Symbol=%22%3C/font> <script>alert(document.cookie)</script>&x=35&y=9 2. Weak Session IDs at http://finance.canada.com While the aforementioned vulnerability details how an attacker can steal session cookies via an XSS attack, this is not necessary if the attacker knows the username of the victim. The finance site uses the following session cookie to maintain state for a logged in user: CBUSER=[username]:canada; expires=; path=/; domain=finance.canada.com Simply by accessing the finance page using this cookie with an established username in the CBUSER field, it is possible to view and edit the financial portfolio set up by a legitimate user. The user does not need to be logged in at the time of the attack. 3. Cross Site Scripting at http://mail.canada.com Like many web portals, Canada.com offers free e-mail accounts. Canada.com users can read and send e-mail messages via a web browser by accessing the http://mail.canada.com web site. A cross-site scripting (XSS) vulnerability exists that would allow an attacker to access the session cookies of an authenticated user. It is important to note that because session cookies are used, the victim would need to be logged into his e-mail account at the time of the attack. The following web page provides a proof of concept for the attack. If an authenticated user were to view the web page, their session cookies would be displayed in an alert window: <html> <head> </head> <body ONLOAD="document.forms(0).submit()"> <form method=post action="http://mail.canada.com/mail/mailbox"> <input type=hidden name="create_name" value="<script>alert(document.cookie)</script>"> <input type=hidden name="submitted" value="true"> </form> </body> </html> ANALYSIS The XSS exploits provide a proof of concept, but could easily be modified to redirect the captured session IDs to a web server controlled by the attacker. Once the attacker obtained the session IDs they could then hijack the victim's session and access either their financial portfolio or email account. Both attacks require an element of social engineering, as the victim would need to click on the URL or view the web page. This could be accomplished by sending the URL or web page to the user via e-mail. The weak session IDs used by the finance site make it trivial for an attacker to access financial portfolios established by legitimate users. The financial portfolios are not linked to brokerages and an attacker would not therefore be able to cause financial harm to the victim. However, this does present a privacy risk due to the fact that many people use this site to track established portfolios. An attacker could therefore use this attack to gain detailed financial information. By using the XSS attack for the mail site, an attacker could access the e-mail account of a legitimate user. Once the account is accessed the attacker could view the victim's e-mail messages or send messages from their account. This attack presents privacy and non- repudiation risks. DETECTION All users that have established financial portfolios or e-mail accounts at Canada.com are vulnerable. VENDOR RESPONSE Numerous attempts were made to contact the web site administrator(s) to inform them of the vulnerabilities but no response has yet been received. DISCLOSURE TIMELINE August 21, 2002 - Initial administrator contact attempted August 26, 2002 - Second attempt at administrator contact August 26, 2002 - Disclosed to iDEFENSE clients September 5, 2002 - Public cisclosure Michael Sutton, CISA Senior Security Engineer iDEFENSE Labs 14151 Newbrook Drive, Suite 100 Chantilly, VA 20151 voice: 703-344-2628 fax: 703-961-1071 msutton@...fense.com www.idefense.com
Powered by blists - more mailing lists