[23741] in bugtraq
C2IT.com Cross Site Scripting Vulnerability
daemon@ATHENA.MIT.EDU (security@devitry.com)
Mon Jan 7 17:27:37 2002
Date: 7 Jan 2002 16:07:50 -0000
Message-ID: <20020107160750.29363.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <security@devitry.com>
To: bugtraq@securityfocus.com
Summary

CitiBank's online cash site, C2IT.com, has substantial vulnerabilities to Cross Site Scripting. The site is similar to PayPal in that it lets users attach Bank and Credit Card accounts to this online system. Users can then "send" cash to any user via their email address.

The site leaves nearly every form field unfiltered. The site also displays credit card numbers, bank account numbers, security codes and other data with no obfuscation. This info is then available to javascript through cross site scripting. Citibank was notified 4 months ago about problems with their sites and many times since, however, no noticeable actions have been taken yet.

This alert documents two sample attacks:
-Gaining access to users' credit card and bank account numbers
-Scripting cash transfers out of users' accounts and/or credit cards
Details
http://www.devitry.com/c2it-security.html
I'm not posting the javascript examples here as
many email servers now reject email with even the
hint of javascript in them. (Hmm, maybe that is a bad
thing if someone is not actually getting what may be
an important email?)
-dave
devitry.com
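As an added illustration of the two defensive measures the advisory implies (HTML-escaping every echoed form field and masking stored account numbers before rendering), the following Python sketch renders a hypothetical account page; it is not code from the advisory or from C2IT.com, and the sample display name and card number are constructed.

```python
import html
import re

# Constructed sample values for a hypothetical account page; not data from
# the advisory or from C2IT.com. The card number is a standard test number.
SAMPLE_DISPLAY_NAME = "Dave <script>alert(1)</script>"
SAMPLE_CARD_NUMBER = "4111 1111 1111 1111"


def mask_account_number(number: str) -> str:
    """Return the number with all but the last four digits replaced by '*'.

    The advisory notes the site rendered card and bank numbers in full, so
    any script running in the page could read them; masking limits what a
    successful XSS can harvest from the rendered HTML.
    """
    digits = re.sub(r"\D", "", number)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def render_field(label: str, value: str) -> str:
    """Echo an untrusted form value back inside an input's value attribute.

    html.escape with quote=True encodes <, >, &, " and ', so the value can
    neither close the attribute nor open a new tag.
    """
    return (
        f"<label>{html.escape(label)}: "
        f'<input type="text" value="{html.escape(value, quote=True)}"></label>'
    )


def render_account_page(display_name: str, card_number: str) -> str:
    """Build the account fragment with every untrusted value escaped or masked."""
    return "\n".join(
        [
            f"<h1>Account for {html.escape(display_name)}</h1>",
            render_field("Display name", display_name),
            f"<p>Card on file: {html.escape(mask_account_number(card_number))}</p>",
        ]
    )


if __name__ == "__main__":
    print(render_account_page(SAMPLE_DISPLAY_NAME, SAMPLE_CARD_NUMBER))
```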