Cross-Site Scripting - an industry-wide problem
===============================================

In early december i started a series of tests to find Cross-Site Scripting 
(XSS) vulnerabilities. It quickly turned out that the majority of all major 
websites suffer some kind of XSS. This is a disclosure of 175 
vulnerabilities at once. Enjoy the ride...

Test scenario
=============

A site was considered affected if it is possible to inject a javascript into 
the output page by making a browser GET or POST request to the webserver. As 
a proof-of-concept the script "alert(document.cookie)" got used.

All tests were made on a fully patched WinXP SP2 machine and Internet 
Explorer 6. Most of the proof-of-concept links in this report will not work 
using another browser, mainly because in many cases i used javascript in 
styles which isn't supported by browsers like Firefox and because Firefox 
automaticly applies character encoding to a URL. I was just too lazy to test 
each issue cross-browser, so this doesn't mean automaticly that Internet 
Explorer is more vulnerable to XSS.

Impact
======

In many cases XSS is reduced to the attack of stealing session cookies, but 
XSS can be used to do a lot more things. Using DOM manipulation you can 
change the target of a login form or fake one, change download links or 
simply insert your own content into a website. As part of mass-mailings this 
can be used for login data phishing, spreading of malware or distribution of 
false news that seem to come from a trustworthy source (which is an 
intresting option for daytraders on penny stocks for example).

Don't forget that the injected script is running in the security context of 
the affected site. If you know who you are attacking and that the victim has 
the affected site in a special trusted zone it can be possible to execute 
"not safe for scripting" ActiveX controls - giving you more or less total 
control. In intranets and for extranet web applications this is a not so 
uncommon configuration.

For sure XSS is nothing compared to a remote buffer overflow. But only 
because this "worst case scenario" is happening quite often these days, it 
does not mean XSS is not a security issue. XSS flaws are easy to find and 
spammers are always searching for new stuff.

Finally for some sites on the list dedicated to security a XSS flaw is just 
an embarrassing thing ;)

Affected sites
==============

This list is reduced to the second-level domain for readability and posting 
size. This isn't always fair since sometimes a sub-domain is indepentend 
from the SLD. Please download the complete list of proof-of-concept links 
from http://www.mikx.de/xss.php.

All webmasters were informed by an email and/or their website feedback forms 
during december, to give them a fair chance to react. Some of them replied 
really quick and patched the issue in a few hours, others (sadly a lot) 
never replied. If you are responsible for one of the affected sites and you 
have not been informed or are not able to reproduce the issue, please don't 
hesitate to contact me.

The sites in the tests were picked at random from international and german 
major websites and/or sites related to security/computers. I just tested 
what came to my head - so there is no "hidden message":

about.com, activestate.com, adobe.com, altavista.com, amazon.com, amd.com, 
annoyances.org, aol.com, apache.org, apple.com , archive.org, arcor.de, 
ask.com, ati.com, bahn.de, bitdefender.de, blizzard.com, blogdex.net, 
blogger.com, bloogz.com, ca.com, ccc.de, cdu.de, chip.de, ciao.de, cert.org, 
chillingeffects.org, cnn.com, comdirect.de, consors.de, csialliance.org, 
csu.de, dell.com, daypop.com, divx.com, dooyoo.de, doubleclick.com, 
download.com, easycredit.de, ebay.com, etrade.com, evite.com, excite.com, 
fedex.com, fimatex.de, flexwiki.com, fool.com, free-av.de, freshmeat.net, 
fsf.org, fujitsu.com, gamestar.de, gm.com, gmx.net, gnu.org, go.com, 
golem.de, google.com, groupee.com, gruene-partei.de, guenstiger.de, 
heise.de, hosting.com, hp.com, ibm.com, icq.com, idealo.de, imagemagick.org, 
infineon.com, informationsecurityireland.com, infospace.com, intel.com, 
itaa.org, izb.de, jamba.de , juno.com, kde.org, kelkoo.de, kerio.com, 
liberale.de, linspire.com, looksmart.com, lufthansa.com, lycos.com, 
macromedia.com, mandrakesoft.com, mayflower.de, mcafee.com, meetup.com, 
messagelabs.com, metacrawler.com, metadot.com, microsoft.com, mlb.com, 
mnogosearch.org, modblog.com, modssl.org, mozilla.org, mozillazine.org, 
msdn.com, msn.com, msnbc.com, nasa.gov, nationalgeographic.com, nba.com, 
netiq.com, nfl.com, netflix.com, netscape.com, nokia.com, novell.com, 
nytimes.com, onlinekosten.de, opencores.org, openssl.org, opera.com, 
oracle.com, paypal.com, pc-magazin.de, pcpowerplay.de, pcwelt.de, 
phpcenter.de, pmwiki.org, privacy.org, pro7.de, ptb.de, postgresql.org, 
quoka.de, reactos.com, real.com, redhat.com, redvsblue.com, riaa.com, 
rtl.de, ryanair.com, sans.org, sbroker.de, securityfocus.com, 
securityspace.com, shutterfly.com, slashdot.org, snocap.com, sony.com, 
sourceforge.net, sparkasse.de, spd.de, spreadfirefox.com, squid-cache.org, 
sqlite.org, staysafeonline.com, stern.de, strato.de, sun.com, suse.de, 
technorati.com, telekombusiness.de, theonion.com, tiscali.com, 
tomshardware.com, uci.edu , ups.com , upside.de, us-cert.gov, validome.org, 
varbusiness.com, vasoftware.com, viruslist.com, w3.org, web.de, 
worldofwarcraft.com, wsj.com, xoom.com, yahoo.com, yopi.de, zonelabs.com

References
==========

It turned out that in some cases third party software used on the websites 
are suffering a bug. Here the Common Vulnerabilities and Exposures 
(cve.mitre.org) names:

CAN-2004-1059 mnogosearch (as used at www.redhat.com)
CAN-2004-1061 bugzilla (as used at bugzilla.mozilla.org bug #272620)
CAN-2004-1062 viewcvs (as used at cvs.apache.org)
CAN-2004-1146 cvstrac (as used at cvs.openssl.org)

http://www.slashcode.com/article.pl?sid=04/12/15/1540200
http://www.mnogosearch.com/winhistory.html

Credits
=======

I woud like to thank a few people for helping me out through the tests and 
working on fixing the issues as quickly as possible:

Christoph "Locke" Wehrmann (for making me addicted to XSS)
Mark J Cox (Red Hat Security Response Team)
Daniel Bachfeld (heisec)
Jamie McCarthy and Chris Nandor (slashcode)
Alexander Barkov (mnogosearch)
Microsoft Security Response Center
Google Security Team
Bugzilla Team
Everybody who responded to my report mail :)

Contact
=======

Michael Krax <mikx@mikx.de>
http://www.mikx.de/


Happy Holidays!
mikx