*Webs ID Reflected XSS (Cross-site Scripting) Security Vulnerabilities*

Exploit Title: Webs ID /login.jsp &error Parameter Reflected XSS (Cross-site Scripting) Security Vulnerabilities
Vendor: Webs, Inc
Product: Webs ID
Vulnerable Versions:
Tested Version:
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Proposition Details:*

*(1) Vendor & Product Description:*

*Vendor:*
Webs, Inc

*Product & Vulnerable Versions:*
Webs ID

*Vendor URL & download:*
Webs ID can be obtained from here,
http://www.webs.com
http://www.webs.com/blog/2010/04/20/new-easier-way-to-manage-websid-account-settings/

*Terms of Service Overview:*
"The services offered by Webs, Inc. ("Webs" or "us" or "we" or "our") include the websites at http://www.webs.com and http://www.freewebs.com as well as any other related websites, toolbars, widgets, or other distribution channels we may, from time to time, operate (collectively, "Webs.com") and any other features, content, services or applications offered, from time to time, by us (collectively, the "Services"). This agreement (the "Terms of Service" or "Agreement") sets forth legally binding terms for your use of the Services.
By using the Services, you agree to be bound by these Terms of Service, whether you are a "Website Creator" (which means that you have registered to utilize our tools to build a website ("Website")), a "Member" (which means that you have registered on one of the Webs.com hosted Websites), a "Visitor" (which means that you are visiting Webs.com or any hosted Website), or an "Application Developer" (which means that you have been approved to build or deploy your application or anything else that receives data (an "Application") on Webs.com). The term "User" refers to a Visitor or a Member or a Website Creator. By browsing or registering with, creating or using any Website, Application or Service on Webs.com you are agreeing to these Terms of Service, and these Terms of Service along with any other guidelines we may post from time to time, such as our Privacy Policy and Application Developer Terms (collectively, the "Guidelines") will govern your use of the Services. If you do not agree to these Terms of Service or any of the Guidelines, you must cease use of the Services."

"You represent that you are fully able and competent to enter into the terms, conditions, obligations, representations and warranties set forth in these Terms of Service. If you are using or creating a Website or Application on or through Webs.com as a representative of a company or legal entity, (i) you represent that you have the authority to enter into this Agreement on behalf of that company or entity, and (ii) you agree that the terms "you" and "your" in this Agreement refers to your company or legal entity."

*(2) Vulnerability Details:*

The Webs ID web application has a security flaw that can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Several other 0-day vulnerabilities in Webs ID products have been found by other bug hunters and researchers before. Webs has patched some of them.

Gmane (pronounced "mane") is an e-mail to news gateway. It allows users to access electronic mailing lists as if they were Usenet newsgroups, and also through a variety of web interfaces. Gmane is an archive; it never expires messages (unless explicitly requested by users). Gmane also supports importing list postings made prior to a list's inclusion on the service. It has published suggestions, advisories, and solutions related to XSS vulnerabilities.

*(2.1)* The first code programming flaw occurs at the "/login.jsp?" page with the "&error" parameter.

*References:*
http://www.tetraph.com/security/xss-vulnerability/webs-id-reflected-xss/
http://securityrelated.blogspot.com/2015/04/webs-id-reflected-xss-cross-site.html
http://www.inzeed.com/kaleidoscope/computer-web-security/webs-id-reflected-xss/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/webs-id-reflected-xss/
https://computerpitch.wordpress.com/2015/04/15/webs-id-reflected-xss/
http://www.irist.ir/author-Wang%20Jing.html
http://exploitarchive.com/webshop-hun-1-062s-cross-site-scripting/
http://lists.openwall.net/full-disclosure/2015/02/03/2
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1821

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing