Dear CNN,

I recently discovered a security vulnerability on the www.cnn.com website. I believe the vulnerability can be used by a remote user to alter content on www.cnn.com.

On 10 Nov 2008, I wrote to four email addresses at cnn.com and turner.com. Unfortunately, none of the addresses responded -- two of them bounced. I have no alternative except to go public.

The vulnerability is due to a failure to properly taint parameters passed to the server. The parameters can be used to pass in server-side scripting code. Bad CNN. No cookie for you!

The US edition of CNN has a service under "CNN.com Extras" called "My recently viewed pages" (scroll down the main page, it is on the right). Clicking on it shows the last 10 CNN.com pages you visited. I originally looked at this because I wanted to see if there were any privacy issues. There are none, except for a big server-side exploit.

The tracking is done in a cookie variable for "www.cnn.com" called "js_memberservices.mrv". It is set whenever you click on an article (so click on an article first, then click the back button to go back to the main page).

The cookie value is a URI-encoded string. For example:

  %7Bvalue%3A%22Bond%2C%20fangs%2C%20dogs%20and%20DiCaprio%3A%20Holiday%20movies%20roll%20out%20-%20CNN.com%7Chttp%3A//www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html%7C%7CCommentary%3A%20Can%20McCain%20be%20Obama%27s%20friend%20in%20Congress%3F%20-%20CNN.com%7Chttp%3A//www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html%22%2CexpireDate%3A1234567891011%7D

This decodes as:

  {value:"Bond, fangs, dogs and DiCaprio: Holiday movies roll out - CNN.com|http://www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html||Commentary: Can McCain be Obama's friend in Congress? - CNN.com|http://www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html",expireDate:1234567891011}

Vertical bars are used to separate fields, and two of them separate records. Most of the URI-encoding is not essential.

Each record has two items:

  - A text title that is displayed in "My recently viewed pages".
  - A URL for the hyperlink.

Neither of these values appears to be filtered. HTML tags, Javascript, and quotes are all permitted.

Normally this would be a client-side, self-imposed attack. Anything you put in your cookie comes back to you. Unless you have an exploit to edit another domain's cookie, this is harmless, since you only hack yourself.

However... server-side scripting also appears to work. And if the double quotes are not properly matched, then the query fails (meaning that they are not properly quoting the variable on the server side).

The potential exploits range from posting false news stories to totally p0wning www.cnn.com.

Too bad CNN decided not to reply and forced this to go public.

PS. Hey CNN! Don't forget to also fix the "js_user_topics" cookie!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
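As an added example (not CNN's code and not part of the original post), here is how the "js_memberservices.mrv" cookie format described above can be parsed on the defender's side without ever evaluating it: the envelope is matched with a strict pattern, titles are HTML-escaped before display, and link targets are allowlisted. The envelope pattern, the 10-record limit and the www.cnn.com-only URL allowlist are assumptions made for this example.

```javascript
// Added example, not CNN's code: a strict, allowlisting parser for the
// "js_memberservices.mrv" cookie format. The envelope pattern, record limit
// and www.cnn.com URL allowlist are assumptions made for this example.

// Constructed sample, rebuilt from the cookie value quoted in the post.
const SAMPLE_COOKIE =
  "%7Bvalue%3A%22Bond%2C%20fangs%2C%20dogs%20and%20DiCaprio%3A%20Holiday" +
  "%20movies%20roll%20out%20-%20CNN.com%7Chttp%3A//www.cnn.com/2008/SHOWBIZ" +
  "/Movies/11/17/holiday.movies/index.html%7C%7CCommentary%3A%20Can%20McCain" +
  "%20be%20Obama%27s%20friend%20in%20Congress%3F%20-%20CNN.com%7Chttp%3A" +
  "//www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html%22%2C" +
  "expireDate%3A1234567891011%7D";

// Escape the title before it is put back into HTML; the cookie is user
// controlled and the post shows tags and quotes pass through unfiltered.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Only absolute http(s) links back to www.cnn.com are accepted as hyperlinks.
function isAllowedUrl(u) {
  let parsed;
  try { parsed = new URL(u); } catch { return false; }
  return (parsed.protocol === "http:" || parsed.protocol === "https:") &&
    parsed.hostname === "www.cnn.com";
}

// Parse the raw cookie without evaluating it. Fields are split on "|",
// records on "||". A value containing a double quote, a record with the
// wrong field count, or a URL off the allowlist rejects the whole cookie.
function parseRecentlyViewed(rawCookie) {
  let decoded;
  try { decoded = decodeURIComponent(rawCookie); } catch { return { ok: false, error: "bad encoding" }; }
  const m = /^\{value:"([^"]*)",expireDate:(\d{1,16})\}$/.exec(decoded);
  if (!m) return { ok: false, error: "unexpected envelope" };
  const records = [];
  for (const rec of m[1].split("||")) {
    if (rec === "") continue; // tolerate an empty list or trailing separator
    const fields = rec.split("|");
    if (fields.length !== 2) return { ok: false, error: "bad record" };
    const [title, url] = fields;
    if (title.length === 0 || title.length > 200) return { ok: false, error: "bad title" };
    if (!isAllowedUrl(url)) return { ok: false, error: "bad url" };
    records.push({ title: escapeHtml(title), url });
  }
  if (records.length > 10) return { ok: false, error: "too many records" };
  return { ok: true, expireDate: Number(m[2]), records };
}
```

A server that reads the cookie this way reflects only escaped titles and allowlisted URLs, and the unmatched-quote case that the post says breaks the query is rejected up front instead of reaching any query or script.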