
Tuesday, November 18, 2008

CNN.com Cross-Site Scripting Vulnerability


I love CNN, so I am not hating on them at all…

Just an FYI - I would probably refrain from browsing CNN for the time being, and definitely don't click on any articles within the My Recently Viewed Pages section, due to a cross-site scripting vulnerability...

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites was roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the end-user who may be subject to unauthorized access, theft of sensitive data, and financial loss. (wikipedia.com)


Version Summary:

A cross-site scripting vulnerability exists on CNN.com that could potentially allow unauthenticated, remote attackers to modify content on the website, which could lead to further attacks.

_______________________________________________________________________________________________________________________________________
Description

_______________________________________________________________________________________________________________________________________

CNN.com is susceptible to a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary server-side scripting code.

The vulnerability exists due to an input validation error on certain parameters passed to the server. Attackers could inject arbitrary server-side scripting code into these parameters to perform the attack. The flaw specifically exists within the tracking cookie in the js_memberservices.mrv variable, which is set whenever the user clicks on an article within the My Recently Viewed Pages section. The cookie values are stored in a URI-encoded string, which is not properly filtered. The values accept arbitrary HTML, JavaScript, and double quotes, which allows the attacker to inject server-side scripting code.
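The flaw described above comes down to cookie-derived values reaching the page without validation or output encoding. As an added example (not code from CNN.com or from the original post), the following renderer treats a "recently viewed" cookie as untrusted input: it decodes defensively, allows only http(s) links on the expected host, and HTML-escapes everything it emits. The cookie layout, host name and function names are assumptions made for illustration.

```javascript
// Added example. ASSUMPTION: the cookie layout (URI-encoded "title|url" entries
// joined by ";;") and the host name are hypothetical, not taken from CNN.com.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let a value break out of text or a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) links on the expected host; reject javascript:, data:, etc.
function safeUrl(raw, allowedHost) {
  try {
    const u = new URL(raw);
    const webScheme = u.protocol === 'http:' || u.protocol === 'https:';
    return webScheme && u.hostname === allowedHost ? u.href : null;
  } catch (_) {
    return null; // not a parseable absolute URL
  }
}

// Decode the cookie and split it into { title, url } records.
function parseRecentlyViewed(cookieValue) {
  let decoded;
  try {
    decoded = decodeURIComponent(cookieValue);
  } catch (_) {
    return []; // malformed percent-encoding: show nothing rather than guess
  }
  return decoded.split(';;').flatMap((entry) => {
    const sep = entry.lastIndexOf('|');
    return sep < 0 ? [] : [{ title: entry.slice(0, sep), url: entry.slice(sep + 1) }];
  });
}

// Build the list markup; every cookie-derived value is validated or escaped.
function renderRecentlyViewed(cookieValue, allowedHost) {
  return parseRecentlyViewed(cookieValue)
    .map(({ title, url }) => ({ title, href: safeUrl(url, allowedHost) }))
    .filter((item) => item.href !== null)
    .map((item) => `<li><a href="${escapeHtml(item.href)}">${escapeHtml(item.title)}</a></li>`)
    .join('');
}

// Constructed sample cookie values (not captured from any site).
const benignCookie = encodeURIComponent('Markets rally|https://www.example.com/2008/markets');
const hostileCookie = encodeURIComponent(
  'Story "><script>x</script>|https://www.example.com/a;;Click|javascript:void(0)');
console.log(renderRecentlyViewed(benignCookie, 'www.example.com'));
console.log(renderRecentlyViewed(hostileCookie, 'www.example.com'));
```

With the constructed hostile value, the quote and tag characters in the title come out as inert entities and the entry with the `javascript:` link is dropped entirely.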

While there have been no reported attacks, an exploit could potentially allow the attacker to modify content on CNN.com, such as posting false news stories or performing drive-by download attacks. Attackers could leverage this flaw to aid in spamming and phishing type attacks using CNN.com.

Administrators are advised to review the Cisco Applied Mitigation Bulletin: Understanding Cross-Site Scripting (XSS) Threat Vectors.
