Sentinel Chicken Networks Security Advisory #02
Prospero¤ Message Boards Cross-Site Scripting Vulnerability
Date: Feb 10, 2002
Websites: www.wto.org, www.aarp.org, www.csmonitor.com, www.about.com, and many others listed on:
Vendor was contacted about this problem on Jan 13, 2002.
Vendor agreed there was a problem and attempted a fix, which is not complete.
Product Description
Prospero MessageBoards¤ is a web application for hosting forums and chat boards on just about any topic. More information is available on Prospero's website¤.
There are a variety of things that can be achieved by such an attack, not all of which will be presented in this advisory. One possible scenario is theft of the MessageBoard account of the user viewing the page.
An example of a script that could be posted:
<b <input type="button" value="Cookie for you"onClick="alert(document.cookie)" >CLICK HERE FOR IMPORTANT DOCUMENT> </b>

Also, a sample message which demonstrates this can be found at:
Possibly a more serious problem lies in the way these message boards allow such an attack to reach so many users through an anonymous website. Given the recent vulnerabilities in Microsoft¤ Internet Explorer¤, and other browsers, an attacker could potentially post a message which steals much more than just cookies. Other types of widespread attacks are left up to the reader's imagination.
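The fix on the vendor's side is to stop interpreting posted text as markup. The following is an added example, not Prospero's code: it escapes a user-supplied post before rendering, re-enables only attribute-free bold and italic tags (an assumed allowlist), and includes a small check a reviewer can run over rendered output to confirm no other tag survived. The sample input is the payload quoted above, and the function names are the author's own.

```javascript
// Added example, not Prospero's code: render a user-posted message so that
// markup like the payload quoted in the advisory is shown as literal text
// rather than interpreted by the viewer's browser.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can start or terminate HTML markup or an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A message board usually wants a little formatting. Rather than trying to
// strip "dangerous" markup from the raw post, escape everything first and
// then re-enable only exact, attribute-free <b>/<i> open and close tags
// (assumed allowlist for this example).
function renderPost(body) {
  return escapeHtml(body).replace(/&lt;(\/?)(b|i)&gt;/gi, '<$1$2>');
}

// Check for rendered output: any '<' that starts something other than the
// allowlisted tags (e.g. <input ...>, <script>, <!-- ...) means escaping failed.
function containsActiveMarkup(html) {
  return /<(?!\/?(?:b|i)>)[a-z!\/]/i.test(html);
}

// Constructed sample input: the payload quoted in the advisory.
const SAMPLE_PAYLOAD =
  '<b <input type="button" value="Cookie for you"onClick="alert(document.cookie)" >' +
  'CLICK HERE FOR IMPORTANT DOCUMENT> </b>';

if (typeof require !== 'undefined' && require.main === module) {
  const out = renderPost(SAMPLE_PAYLOAD);
  console.log(out);
  console.log('active markup left:', containsActiveMarkup(out));
}
```

Escaping first and then whitelisting back a handful of exact tokens is deliberately the opposite of a blocklist: the malformed `<b <input ...>` in the payload never matches the allowlist pattern, so it stays as inert text, whereas a filter that tried to recognise and strip `<input>` or `onClick` would have to anticipate every parser quirk the browser tolerates.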
In addition to this problem, it was also noticed that after creating an account on www.wto.org, access was granted as that same user on www.staples.com. While the value of separate user namespaces for each site run by Prospero¤ may be small, the fact that users are thrown into the same pool is a very bad security practice and should be noted by the vendor.
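What a per-site user pool looks like in practice, as an added example that is not Prospero's code: accounts are keyed by site and username together, and a session records the site it was issued on so it resolves nowhere else. Site names, users and the token scheme are constructed for the example; a real deployment would issue tokens from a CSPRNG.

```javascript
// Added example, not Prospero's code: keep accounts and sessions scoped to
// the site they were created on, so a login on one hosted board does not
// grant access on another. Site names and users below are constructed.

const accounts = new Map(); // key: site + NUL + username -> account record
const sessions = new Map(); // key: session token -> { site, username }
let nextToken = 1;          // deterministic tokens for the example only

function accountKey(site, username) {
  // Host names are case-insensitive; the NUL separator cannot appear in either part.
  return `${site.toLowerCase()}\u0000${username.toLowerCase()}`;
}

// The same username on two different sites is two different accounts.
function createAccount(site, username) {
  const key = accountKey(site, username);
  if (accounts.has(key)) throw new Error('account already exists on this site');
  const record = { site: site.toLowerCase(), username };
  accounts.set(key, record);
  return record;
}

// Issue a session that records which site it belongs to.
// (Password checking is omitted; the point here is the scoping.)
function login(site, username) {
  if (!accounts.has(accountKey(site, username))) return null;
  const token = `t${nextToken++}`; // placeholder; use a CSPRNG in real code
  sessions.set(token, { site: site.toLowerCase(), username });
  return token;
}

// Resolve a session only for the site it was issued on; anywhere else it is
// treated as no session at all.
function currentUser(token, requestSite) {
  const s = sessions.get(token);
  if (!s || s.site !== requestSite.toLowerCase()) return null;
  return s.username;
}

if (typeof require !== 'undefined' && require.main === module) {
  createAccount('www.wto.org', 'alice');
  const tok = login('www.wto.org', 'alice');
  console.log('on wto.org:', currentUser(tok, 'www.wto.org'));         // alice
  console.log('on staples.com:', currentUser(tok, 'www.staples.com')); // null
}
```

The check in `currentUser` is the part that matters: even if the backend stores every site's users in one table, binding each session and each account to a site name means a credential or cookie obtained through one board is worthless on the others.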
¤ Names, marks, products, and gadgets listed in this advisory are owned by their respective, paranoid, companies.
This advisory is intended for educational use only. The author(s) will not take responsibility for the consequences of its dissemination.
Content on this page, unless otherwise indicated, is © 2002-2010 Sentinel Chicken Networks.
Reproduction is authorized under our terms.