
cnn-xss.txt
Posted Nov 18, 2008
Authored by anonymous

CNN.com suffers from cross site scripting and content modification vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | bfcc8419314c5c245c68d63bc8934b0444d1a4f928f37fd95e5471fb4182bb80

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear CNN,

I recently discovered a security vulnerability on the www.cnn.com website. I believe the vulnerability can be used by a remote user to alter content on www.cnn.com.

On 10 Nov 2008, I wrote to four email addresses at cnn.com and turner.com. Unfortunately, none of the email addresses responded -- two of the addresses bounced. I have no alternative except to go public.

The vulnerability is due to a failure to properly taint parameters passed to the server. The parameters can be used to pass in server-side scripting code.

Bad CNN. No cookie for you!

The US edition of CNN has a service under "CNN.com Extras" called "My recently viewed pages" (scroll down the main page, it is on the right). Clicking on it shows the last 10 CNN.com pages you visited.

I originally looked at this because I wanted to see if there were any privacy issues. There are none, except for a big server-side exploit.

The tracking is done in a cookie variable for "www.cnn.com" called "js_memberservices.mrv". It is set whenever you click on an article (so click on an article first, then click the back button to go back to the main page). The cookie value is a URI-encoded string. For example:

%7Bvalue%3A%22Bond%2C%20fangs%2C%20dogs%20and%20DiCaprio%3A%20Holiday%20movies%20roll%20out%20-%20CNN.com%7Chttp%3A//www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html%7C%7CCommentary%3A%20Can%20McCain%20be%20Obama%27s%20friend%20in%20Congress%3F%20-%20CNN.com%7Chttp%3A//www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html%22%2CexpireDate%3A1234567891011%7D

This decodes as:

{value:"Bond, fangs, dogs and DiCaprio: Holiday movies roll out - CNN.com|http://www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html||Commentary: Can McCain be Obama's friend in Congress? - CNN.com|http://www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html",expireDate:1234567891011}

Vertical bars are used to separate fields and two of them separate
records. Most of the URI-encoding is not essential.

Each record has two items:
A text title that is displayed in "My recently viewed pages".
A URL for the hyperlink.

Neither of these values appears to be filtered. HTML tags, Javascript, and quotes are all permitted.

Normally this would be a client-side self-imposed attack. Anything you put in your cookie comes back to you. Unless you have an exploit to edit another domain's cookie, this is harmless since you only hack yourself.

However... server-side scripting also appears to work. And if the double quotes are not properly matched, then the query fails (meaning that they are not properly quoting the variable on the server side).

The potential exploits range from posting false news stories to totally p0wning www.cnn.com.

Too bad CNN decided not to reply and forced this to go public.

PS. Hey CNN! Don't forget to also fix the "js_user_topics" cookie!

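Defensive handling of the cookie format described above, as an added example that is not part of the original advisory or CNN's code: it URI-decodes the js_memberservices.mrv value, splits the bar-separated records without evaluating the JS-like literal, keeps only http(s) links on the CNN hosts, and HTML-escapes both fields before rendering, so tags or script placed in a record are displayed as text. The host allow-list, the record cap, the function names and the sample cookie are this example's own assumptions.

```javascript
// Added example (not from the advisory): defensive parsing and rendering of
// the js_memberservices.mrv cookie, whose URI-decoded form looks like
//   {value:"<title>|<url>||<title>|<url>",expireDate:<ms>}
// The host allow-list, record cap and function names are assumptions.
const ALLOWED_HOSTS = new Set(["www.cnn.com", "cnn.com"]);
const MAX_RECORDS = 10; // the widget only shows the last 10 pages
// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
// Accept only absolute http(s) URLs on the allowed hosts; javascript:, data:,
// relative paths and foreign domains return null and get dropped.
function safeUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return ALLOWED_HOSTS.has(u.hostname) ? u.href : null;
}
// Parse the cookie into {title, url} records without evaluating the JS-like
// literal. A stray double quote or bad %-encoding invalidates the whole value;
// a record with the wrong field count or a rejected URL is skipped.
function parseMrvCookie(encoded) {
  let raw;
  try { raw = decodeURIComponent(encoded); } catch { return []; }
  const m = /^\{value:"([^"]*)",expireDate:(\d+)\}$/.exec(raw);
  if (!m) return [];
  const records = [];
  for (const rec of m[1].split("||")) {
    const parts = rec.split("|");
    if (parts.length !== 2) continue;
    const url = safeUrl(parts[1]);
    if (url === null) continue;
    records.push({ title: parts[0].slice(0, 200), url });
    if (records.length === MAX_RECORDS) break;
  }
  return records;
}
// Render with every field escaped, so a title carrying tags is shown as text.
function renderRecentPages(encoded) {
  return parseMrvCookie(encoded)
    .map((r) => `<li><a href="${escapeHtml(r.url)}">${escapeHtml(r.title)}</a></li>`)
    .join("");
}
// Constructed sample: two real-looking records plus three hostile ones.
const SAMPLE_COOKIE = encodeURIComponent('{value:"Holiday movies roll out - CNN.com' +
  '|http://www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html' +
  '||<b>Injected</b>|http://www.cnn.com/x||Link|javascript:void(0)||Elsewhere|http://attacker.invalid/x' +
  '||Can McCain be Obama\'s friend? - CNN.com|http://www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html' +
  '",expireDate:1234567891011}');
```

Running `renderRecentPages(SAMPLE_COOKIE)` yields three list items: the two genuine records and the injected title rendered as escaped text, while the javascript: link and the foreign host are dropped.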

