The Dangers of Cross-Site-Scripting: Rogers Hi-Speed Internet Network [Canada]

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: The Dangers of Cross-Site-Scripting: Rogers Hi-Speed Internet Network [Canada]
From: "http-equiv@xxxxxxxxxx" <1@xxxxxxxxxxx>
Date: Thu, 27 May 2004 17:07:14 -0000
Cc: <NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: 1@xxxxxxxxxxx


Wednesday, May 26, 2004

Many people dismiss the dangers of cross site scripting as 
nothing more than 'parlor tricks'. This is not a good idea. As 
previously indicated:

[see: http://www.securityfocus.com/archive/1/348363]

when the right circumstance arises, this puny 'parlor trick' can 
prove quite devastating. The following practical example 
demonstrates this:

The Rogers Hi-Speed Internet Network of Canada
[http://www.rogers.com/] via cable modem appears to have a 
fairly long history in the industry and some impressive numbers 
if they can be deciphered: 

"Rogers Cable passes 3.2 million homes in Ontario, New Brunswick 
and Newfoundland, with 70% basic penetration of its homes 
passed. Rogers Cable pioneered high-speed Internet access with 
the first commercial launch in North America in 1995 and now 
approximately 26%of homes passed are Internet customers"

For whatever odd reason it maintains a so-called "Hi-Speed" 
content portal conveniently located in the time-tested Internet 
Explorer security setting: 'intranet zone':


http://www/custom.jsp

draws the following:

[screen shot: http://www.malware.com/ro-geez.png 10KB]

Traversing the so-called "Hi-Speed" content portal reveals 
sufficient content operational in the 'intranet zone' throughout 
the majority of the site generalously laden with numerous cross-
site scripting points of entry. Quick checking of the server 
[Server: Resin/2.1.9] confirms that these 'parlor trick' errors 
are well documented with the indicated apparatus.

Internet:

http://hispeed.rogers.com/custom.jsp
http://hispeed.rogers.com/sports/nfl/team/report.jsp?
t=""><iframe%20src=http://www.microsoft.com/>

Intranet:

http:/www/
http://www/custom.jsp
http://www/sports/mlb/team/report.jsp?l=";><script></script>

The 'intranet zone' is a step down  from the 'internet zone' and 
only one  above our old friend the 'local zone':

[screen shot: http://www.malware.com/ro-geez.png 10KB]

Operations in this particular zone include:

- remote access to local files and folders via frames including 
local resource files etc
- the old ADODB.Stream initializing with prompt instead of     
failing
-  many other past injection possibilities as well as any new 
ones to be discovered in the future

Hammer this all together and if the aforementioned numbers are 
accurate we have a whole lot of networked users ripe for the 
plucking.

This is all the result of a poorly constructed website, a poorly 
configured network and a ridiculously 'intuitive' thing for a 
web browser so tightly woven to the operating system,  
so 'clever' as to set up these zone things by itself that simply 
viewing  a web page will install and run your malware without 
you having to do anything.

Notes:

1. Get rid of the browser once and for all
2. Contact to both corp security and generic security as well as 
generic abuse and corp abuse at this particular network yields 
nothing. A canned bounce to go and fill in some 'web form' on 
their riddled-with-holes site.
3. Other fancy 'networks' like this may want to check their 
configurations


End Call


-- 
http://www.malware.com

Prev by Date: Re: [ GLSA 200405-18 ] Buffer Overflow in Firebird
Next by Date: Re: Microsoft Internet Explorer ImageMap URL Spoof Vulnerability
Previous by thread: [CLA-2004:843] Conectiva Security Announcement - kde
Next by thread: Sun-Java-App-Server PE 8.0 path disclosure
Index(es):
- Date
- Thread