SecurityFocus = http://www.securityfocus.com/archive/1/482987

Unfortunately I tried for a whole week to contact both the software vendor 
(airkiosk, precisely) and the airlines (see Bluexpress), who did not even 
consider my notice.

Since they still have not patched the server, and probably never will until 
word gets around a bit, please warn users to keep their eyes open when buying 
flights from the following airlines:


Aero, Jet2.com, Air southwest, manx2, airsea, republicaairways,
blu-express, highland airways, blueisland, tobagoexpress, evolavia,
zambian, menajet.com, snowflake, airwales and others that can easily be
found by searching 'sutra' on Google.


especially Blu-Express, so heavily advertised in recent days for the new 
routes it has adopted.


For more information or for a demonstration of the vuln, I am at your 
disposal.

Regards
skien.



> In the last week I've found an XSS vuln in Sutra's Airkiosk
> application for the realtime distribution of flights/booking and
> check-in interface (www.airkiosk.com).
>
> The XSS is possible because they are using a vulnerable/old formlib.pl in
> their application that permits executing any JavaScript you like:
>
>             &HtmlError("formlib.parse", "bjelli", "Error parsing $_, aborting.\n");
>
> if you get the error 'If you need help, call bjelli.'.
>
>
> I suppose it can be related to these flying companies (I've only tried it
> on Blu-express and Jet2.com):
>
> Aero, Jet2.com, Air southwest, manx2, airsea, republicaairways,
> blu-express, highland airways, blueisland, tobagoexpress, evolavia,
> zambian, menajet.com, snowflake, airwales and others that can easily be
> found by searching 'sutra' on Google.
>
>
>
> Attackers can use a browser to exploit this issue.
>
> The following proof-of-concept URI is available:
>
> http://www.example.com/cgi-bin/airkiosk/I7/!!! ! ! CUTTEDOUT!!! !! 
> ?K=&<SCRIPT>alert(document.cookie)</SCRIPT>
>
>
> The maintainer (and the airline blu-express) has been contacted
> twice via mail in the last two weeks but chose not to respond at all.
>
> Regards
> Skien
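The quoted advisory describes a classic pattern: a CGI form library that cannot split a query-string pair on `=` reports the failure by echoing the raw pair ("Error parsing $_") into an HTML error page, so any tag placed in the URL is rendered. The following is an added example, not code from the original post or from Sutra/Airkiosk: it models that parse-error echo in Python next to the escaped form, and includes the reflection check a tester would run on the response. The parsing rule, the error wording and the `POC_QUERY` string are assumptions shaped after the quoted formlib.pl fragment and PoC URI, not the real formlib.pl code.

```python
"""Added example (not the original post's or Sutra/Airkiosk's code): models
the reflected XSS described in the advisory, where a CGI form parser echoes
an unparseable query-string pair straight into an HTML error page.
The parsing rule and error text are assumptions modelled on the quoted
formlib.pl fragment, not its real implementation."""

import html
from urllib.parse import unquote_plus

# Constructed PoC query string, shaped like the advisory's URI: the second
# pair contains no '=', so a naive pair-splitting parser cannot handle it.
POC_QUERY = "K=&<SCRIPT>alert(document.cookie)</SCRIPT>"
PAYLOAD = "<SCRIPT>alert(document.cookie)</SCRIPT>"


def parse_form(query):
    """Split a query string into a dict; raise ValueError carrying the raw
    pair when a pair has no '=' (the assumed formlib.pl failure mode)."""
    fields = {}
    for pair in query.split("&"):
        if pair == "":
            continue
        if "=" not in pair:
            raise ValueError(pair)  # raw, undecoded pair becomes the error payload
        key, value = pair.split("=", 1)
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def vulnerable_error_page(bad_pair):
    """Vulnerable: interpolates the offending input directly into HTML,
    like the quoted HtmlError(..., "Error parsing $_, aborting.")."""
    return ("<html><body><h1>Error</h1>"
            "<p>Error parsing %s, aborting.</p>"
            "<p>If you need help, call the maintainer.</p>"
            "</body></html>" % bad_pair)


def hardened_error_page(bad_pair):
    """Hardened: HTML-escape the input before it reaches the page body,
    so '<' and '>' arrive as '&lt;' and '&gt;' and no tag is rendered."""
    return ("<html><body><h1>Error</h1>"
            "<p>Error parsing %s, aborting.</p>"
            "<p>If you need help, call the maintainer.</p>"
            "</body></html>" % html.escape(bad_pair, quote=True))


def handle_request(query, render_error):
    """Simulated CGI entry point: returns the response body as a string,
    using render_error to build the page when parsing fails."""
    try:
        fields = parse_form(query)
    except ValueError as exc:
        return render_error(exc.args[0])
    return "<html><body>OK: %d field(s)</body></html>" % len(fields)


def reflects_unescaped(body, payload):
    """The check a tester runs on the response: the payload comes back
    byte-for-byte, angle brackets intact, which means it will execute."""
    return payload in body


if __name__ == "__main__":
    for name, renderer in (("vulnerable", vulnerable_error_page),
                           ("hardened", hardened_error_page)):
        body = handle_request(POC_QUERY, renderer)
        print(name, "reflects unescaped:", reflects_unescaped(body, PAYLOAD))
```

The point of the check is that the vulnerable page contains the payload verbatim while the hardened one only contains its escaped form; the same query with only well-formed pairs never reaches the error path at all.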

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List