Background
--------------

Netto is a supermarket chain based in Denmark with stores in Denmark, Poland, Germany and Sweden. The following vulnerability affects the Swedish branch site, although similar ones may affect the others.

Vulnerability
--------------

The vulnerability is present in the netto.se website redirector at http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect= . The redirector takes anything except a space placed in the redirect field and puts it as-is into the src attribute of the frame element. This allows several kinds of attack, including redirection to external sites and JavaScript injection through the onload attribute.

Reasons for disclosure
---------------------------

The administrator of the site was contacted but did not answer. Since the deadline has passed, this disclosure is now for public release. Also, since this exploit could be abused to phish user information through fake promotional mails, I decided to disclose it.

Example
----------

This properly crafted URL should fool IE browsers too (although I can't ensure that) by re-redirecting the user to the same redirector. It includes both an external site redirection (to Willy:s, one of Netto's rivals) and a simple arbitrary JavaScript injection.

http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect=http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect=http://willys.se"onload="alert(unescape('My%252520security%252520sucks'));"></frameset><!--

Gratz
-------

Gratz and salutations go to: Jupiter at DDTek, the Gentoo Hardened team, the PaX team, spender, Dan Rosenberg and of course my CTF team mates at littlenuns
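The Vulnerability section describes the two root causes: the redirect value is echoed verbatim into an HTML attribute (attribute injection) and no check limits where the frame may point (open redirect). The Python below is an added illustration, not netto.se's code: it models the described behaviour in `vulnerable_frame_html` and beside it a hardened builder that validates the target against a same-site allowlist and attribute-escapes it on output. `ALLOWED_HOST`, the function names and the sample inputs are assumptions constructed for the example.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Host the redirector is allowed to frame. Constructed for this example from
# the advisory's own domain; the real site's configuration is not known.
ALLOWED_HOST = "www.netto.se"

# Characters that must never reach an HTML attribute or a URL unescaped:
# quotes and angle brackets (attribute/tag break-out), backslash (browsers
# treat "/\" like "//"), and all C0 controls plus space and DEL.
FORBIDDEN = set('"\'<>\\') | {chr(c) for c in range(0x21)} | {"\x7f"}


def vulnerable_frame_html(redirect):
    """Model of the behaviour the advisory describes (not the site's code):
    the redirect parameter is concatenated verbatim into the frame's src."""
    return '<frameset rows="100%"><frame src="' + redirect + '"></frameset>'


def safe_redirect_target(redirect, allowed_host=ALLOWED_HOST):
    """Return a normalized same-site path such as '/a/b?c', or None to reject.

    Only plain http(s) or scheme-less URLs on allowed_host pass; scheme and
    host are stripped so the result can only ever be a relative target.
    """
    if not redirect or any(ch in FORBIDDEN for ch in redirect):
        return None
    parts = urlsplit(redirect)
    if parts.scheme not in ("", "http", "https"):
        return None  # javascript:, data:, ftp:, ...
    # Compare the whole netloc, so "user@evil", "host:port" and "//evil" all fail.
    if parts.netloc and parts.netloc.lower() != allowed_host:
        return None
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        # "www.netto.se/x" without a scheme is not a site path, and a path
        # beginning with "//" would become a protocol-relative external URL.
        return None
    return urlunsplit(("", "", path, parts.query, ""))


def hardened_frame_html(redirect):
    """Hardened builder: validated target, attribute-escaped on output."""
    target = safe_redirect_target(redirect)
    if target is None:
        target = "/"  # fall back to the site root instead of echoing input
    return ('<frameset rows="100%"><frame src="'
            + html.escape(target, quote=True) + '"></frameset>')


if __name__ == "__main__":
    # Constructed sample inputs modelled on the shape of the advisory's payload.
    samples = [
        "/internet/nettos/menu/main.nsf/Index?OpenForm",
        "http://willys.se",
        "//willys.se/",
        "javascript:alert(1)",
        'http://willys.se"onload="alert(1)"',
    ]
    for s in samples:
        print(repr(s), "->", safe_redirect_target(s))
    print(vulnerable_frame_html('x"onload="alert(1)'))
    print(hardened_frame_html('x"onload="alert(1)'))
```

The escaping alone would stop the onload injection but not the external redirect; the host check alone would stop the redirect but not the attribute break-out, so both are needed. A nested URL that points back at the redirector (the re-redirect trick in the Example section) still passes the host check, but the inner request is then validated by the same code, so the chain ends on the allowed host rather than on an arbitrary site.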