Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] The Dangers of Cross-Site-Scripting: Rogers Hi-Speed I

from [http-equiv@excite.com] Network Security [Permanent Link]
Subject: [Full-Disclosure] The Dangers of Cross-Site-Scripting: Rogers Hi-Speed Internet Network [Canada]
Date: Thu, 27 May 2004 17:23:45 -0000 

Wednesday, May 26, 2004

Many people dismiss the dangers of cross site scripting as 
nothing more than 'parlor tricks'. This is not a good idea. As 
previously indicated:

[see: http://www.securityfocus.com/archive/1/348363]

when the right circumstance arises, this puny 'parlor trick' can 
prove quite devastating. The following practical example 
demonstrates this:

The Rogers Hi-Speed Internet Network of Canada
[http://www.rogers.com/] via cable modem appears to have a 
fairly long history in the industry and some impressive numbers 
if they can be deciphered: 

"Rogers Cable passes 3.2 million homes in Ontario, New Brunswick 
and Newfoundland, with 70% basic penetration of its homes 
passed. Rogers Cable pioneered high-speed Internet access with 
the first commercial launch in North America in 1995 and now 
approximately 26%of homes passed are Internet customers"

For whatever odd reason it maintains a so-called "Hi-Speed" 
content portal conveniently located in the time-tested Internet 
Explorer security setting: 'intranet zone':


http://www/custom.jsp

draws the following:

[screen shot: http://www.malware.com/ro-geez.png 10KB]

Traversing the so-called "Hi-Speed" content portal reveals 
sufficient content operational in the 'intranet zone' throughout 
the majority of the site generalously laden with numerous cross-
site scripting points of entry. Quick checking of the server 
[Server: Resin/2.1.9] confirms that these 'parlor trick' errors 
are well documented with the indicated apparatus.

Internet:

http://hispeed.rogers.com/custom.jsp
http://hispeed.rogers.com/sports/nfl/team/report.jsp?
t=""><iframe%20src=http://www.microsoft.com/>

Intranet:

http:/www/
http://www/custom.jsp
http://www/sports/mlb/team/report.jsp?l=";><script></script>

The 'intranet zone' is a step down  from the 'internet zone' and 
only one  above our old friend the 'local zone':

[screen shot: http://www.malware.com/ro-geez.png 10KB]

Operations in this particular zone include:

- remote access to local files and folders via frames including 
local resource files etc
- the old ADODB.Stream initializing with prompt instead of     
failing
-  many other past injection possibilities as well as any new 
ones to be discovered in the future

Hammer this all together and if the aforementioned numbers are 
accurate we have a whole lot of networked users ripe for the 
plucking.

This is all the result of a poorly constructed website, a poorly 
configured network and a ridiculously 'intuitive' thing for a 
web browser so tightly woven to the operating system,  
so 'clever' as to set up these zone things by itself that simply 
viewing  a web page will install and run your malware without 
you having to do anything.

Notes:

1. Get rid of the browser once and for all
2. Contact to both corp security and generic security as well as 
generic abuse and corp abuse at this particular network yields 
nothing. A canned bounce to go and fill in some 'web form' on 
their riddled-with-holes site.
3. Other fancy 'networks' like this may want to check their 
configurations


End Call


-- 
http://www.malware.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-Disclosure] The Dangers of Cross-Site-Scripting: Rogers Hi-Speed Internet Network [Canada], http-equiv@excite.com <=
Previous by Date:  Re: [Full-Disclosure] Imaging Operating Systems, Ondrej Krajicek
Next by Date:  Re: [Full-Disclosure] IDS WIth TCP Reset and SPAN, Jason
Previous by Thread:  [Full-Disclosure] Looking for some input, Shannon Johnston
Next by Thread:  [Full-Disclosure] Bypassing "smart" IDSes with misdirected frames?, Alexander E. Cuttergo
Indexes:  [Date] [Thread] [Top] [All Lists]