Date: Thu, 07 Jun 2012 20:11:21 +0200
From: klondike <klondike@...cosoft.es>
To: full-disclosure@...ts.grok.org.uk
Subject: Netto.se arbitrary XSS injection through the
	redirector.

Background
--------------
Netto is a supermarket chain based in Denmark with stores in Denmark,
Poland, Germany and Sweden. The following vulnerability affects the
Swedish branch site, although similar ones may affect the others.

Vulnerability
--------------
The vulnerability is present in the netto.se website redirector at
http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect=
The redirector takes anything except a space placed in the redirect
field and puts it as is in the src attribute of the frame element.
This allows for different ways of attack, including redirection to
external sites and JavaScript injection through the onload parameter.

Reasons for disclosure
---------------------------
The administrator of the site was contacted but didn't answer. Since the
deadline has passed, this disclosure is now for public release.

Also, since this exploit could be abused to phish user information
through fake promotional mails, I decided to disclose it.

Example
----------
This properly crafted URL should fool IE browsers too (although I can't
ensure that) by redirecting the user back to the same redirector.

It includes both an external site redirection (to Willys, one of Netto's
rivals) and a simple arbitrary JavaScript injection.

http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect=http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&amp;redirect=http://willys.se&quot;onload=&quot;alert(unescape('My%252520security%252520sucks'));&quot;&gt;&lt;/frameset&gt;&lt;!--


Gratz
-------
Gratz and salutations go to: Jupiter at DDTek, the Gentoo Hardened team,
the PaX team, spender, Dan Rosenberg and of course my CTF team mates at
littlenuns.
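
The following Python is an added example, not part of the original post and not the site's code: it contrasts a redirector that copies the redirect value verbatim into the frame src, as described under Vulnerability, with one that validates the target and encodes it for the attribute context. The frameset markup, the host allowlist, the fallback path, the function names and the sample inputs are assumptions constructed for illustration.

```python
import html
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.netto.se"}  # assumption: only same-site targets are legitimate
DEFAULT_TARGET = "/"              # hypothetical fallback when the target is rejected
FRAMESET = '<frameset rows="*"><frame src="{src}"></frameset>'  # constructed markup


def render_vulnerable(redirect: str) -> str:
    """Behaviour described in the advisory: the value lands in src as is."""
    return FRAMESET.format(src=redirect)


def safe_target(redirect: str) -> str:
    """Return redirect only if it is a rooted local path or an allowlisted http(s) URL."""
    # Whitespace, control characters and backslashes are parsed differently by
    # browsers and by urlsplit, so reject them before parsing.
    if "\\" in redirect or any(c.isspace() or ord(c) < 0x20 for c in redirect):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(redirect)
        scheme, netloc, host = parts.scheme, parts.netloc, parts.hostname
    except ValueError:
        return DEFAULT_TARGET
    if not scheme and not netloc:
        # Relative reference: accept "/path", never a bare or dotted path.
        return redirect if redirect.startswith("/") else DEFAULT_TARGET
    if scheme in ("http", "https") and host in ALLOWED_HOSTS:
        return redirect
    return DEFAULT_TARGET  # external hosts, "//host" forms, javascript: and similar


def render_hardened(redirect: str) -> str:
    """Validate the target, then encode it for an HTML attribute value."""
    return FRAMESET.format(src=html.escape(safe_target(redirect), quote=True))


if __name__ == "__main__":
    # Constructed inputs modelled on the two effects the advisory names.
    external = 'http://willys.se"onload="alert(1)'
    same_site = 'http://www.netto.se/a"onload="alert(1)'
    for value in (external, same_site):
        print(render_vulnerable(value))
        print(render_hardened(value))
```

Validation stops the redirection to an external site; attribute encoding stops the quote from closing src even when the target is on the allowlist, so both checks are needed.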

