============================================
ON-LINE BANK MULTIPLE Cross Site Scripting
============================================

TIME-LINE VULNERABILITY

28-5-2013 Security Advisory
29-5-2013 Vendor feedback
03-6-2013 I ask about the flaws status
04-6-2013 Vendor Response
07-6-2013 I ask about the issues. No response
10-6-2013 I ask about the flaws. No response
11-6-2013 Full Disclosure

I. VULNERABILITY
-------------------------

#Title: ON-LINE BANK MULTIPLE Cross Site Scripting
#Vendor: http://www.selfbank.es
#Author: Juan Carlos García (@secnight)
#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
http://blogs.0verl0ad.com
Twitter: @secnight
Facebook: https://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?ref=tn_tnmn

II. DESCRIPTION
-------------------------

Selfbank (selfbank.es) is an online bank that currently has multiple cross-site scripting (XSS) vulnerabilities. XSS is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it executes the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.

III. PROOF OF CONCEPT
-------------------------

Affected items

/infomercados/analisis_fundamental/consenso/internacional.phtml
http://www.selfbank.es/infomercados/analisis_fundamental/consenso/internacional.phtml?%22onmouseover=prompt(916548)%3E

/infomercados/cotizaciones/bolsa_internacional.phtml
http://www.selfbank.es/infomercados/cotizaciones/bolsa_internacional.phtml/936678%22';994550

/infomercados/cotizaciones/bolsa_nacional.phtml
http://www.selfbank.es/infomercados/cotizaciones/bolsa_nacional.phtml/912311%22';910296

IV. BUSINESS IMPACT
-------------------------

In an on-line bank, these failures are serious. Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

V. SOLUTION
-------------------------

Very easy and I don't understand... filter metacharacters from user input. PLEASE !!

VI. CREDITS
-------------------------

This vulnerability has been discovered by Juan Carlos García (@secnight)

VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage caused by the use or misuse of this information.

VIII. FOLLOW ME
-------------------------

You can follow me (@secnight)
http://www.highsec.es
http://hackingmadrid.blogspot.com
http://blogs.0verl0ad.com
Twitter: @secnight
Facebook: https://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?ref=tn_tnmn
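
ADDED EXAMPLE (section V)
-------------------------

The fix asked for in section V, shown as an added example that is not code from the advisory or from the vendor: the request URIs listed under "Affected items" are echoed into a page with and without encoding of HTML metacharacters, and an HTML parser confirms whether the value stayed inside its attribute. The template, and the assumption that the URI lands in a double-quoted attribute, are constructed for illustration; the advisory does not show the real markup.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Request URIs taken from the advisory's "Affected items" list.
POC_URIS = [
    "/infomercados/analisis_fundamental/consenso/internacional.phtml"
    "?%22onmouseover=prompt(916548)%3E",
    "/infomercados/cotizaciones/bolsa_internacional.phtml/936678%22';994550",
    "/infomercados/cotizaciones/bolsa_nacional.phtml/912311%22';910296",
]

# Constructed template (assumption): the request URI is echoed into a
# double-quoted attribute. The advisory does not show the real markup.
TEMPLATE = '<a href="{uri}">link</a>'


def render_vulnerable(request_uri):
    """Echo the decoded URI as-is: a '"' in it closes the attribute early."""
    return TEMPLATE.format(uri=unquote(request_uri))


def render_encoded(request_uri):
    """Encode & < > " ' as character references before echoing the URI."""
    return TEMPLATE.format(uri=html.escape(unquote(request_uri), quote=True))


class AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        # Record the attributes of every start tag the parser sees.
        self.attrs.extend(attrs)


def reflected_as_data(markup, request_uri):
    """True only if the tag has one attribute, href, holding the full URI."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs == [("href", unquote(request_uri))]


if __name__ == "__main__":
    for uri in POC_URIS:
        print(reflected_as_data(render_vulnerable(uri), uri),
              reflected_as_data(render_encoded(uri), uri))
```

The encoding has to match the output context: this covers HTML text and quoted attributes, while a value echoed inside a script block needs JavaScript string encoding instead. In PHP, the equivalent of html.escape(..., quote=True) is htmlspecialchars($value, ENT_QUOTES, 'UTF-8').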