[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4FD0EEC9.8060701@xiscosoft.es>
Date: Thu, 07 Jun 2012 20:11:21 +0200
From: klondike <klondike@...cosoft.es>
To: full-disclosure@...ts.grok.org.uk
Subject: Netto.se arbitrary XSS injection through the
redirector.
Background
--------------
Netto is a supermarket chain based in denmark with stores in Denmark,
Poland, Germany and Sweden. The following vulnerability affects the
swedish branch site although similar ones may affect others.
Vulnerability
--------------
The vulnerability is present on the netto.se website redirector in
http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect=
the redirector will basically take anything except an space placed on
the redirect field and put it as is in the src attribute of the frame
field. This allows for different ways of attack including redirection to
external sites and javascript injection through the onload parameter.
Reasons for disclosure
---------------------------
The administrator of the site was contacted but didn't answer. Since the
deadline passed this disclosure is now for public release.
Also since this exploit could be abused to phish user information
through fake promotional mails I decided to disclose it.
Example
----------
This properly crafted URL should fool IE browsers too (although I can't
ensure that) by reredirecting the user to the same redirector.
It includes both a external site redirection (to willy:s one of netto's
rivals) and a simple arbitrary javascript injection.
http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect=http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect=http://willys.se"onload="alert(unescape('My%252520security%252520sucks'));"></frameset><!--
Gratz
-------
Gratz and salutations go to: Jupiter at DDTek, the Gentoo Hardened team
the PaX team, spender, Dan Rosenberg and of course my CTF team mates at
littlenuns
Content of type "text/html" skipped
Download attachment "signature.asc" of type "application/pgp-signature" (263 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists