Following the advisory of the XSS vulnerability found on the Libero.it (Italian ISP) portal,
and after the "official" response from the portal owners, which stated that user accounts would in no way be at risk,
several other XSS vulnerabilities have been found on the Libero.it/Infostrada.it portals (both belong to the same provider, under different names for historical reasons).
The only aim of this post is to demonstrate that the previous vulnerabilities were not occasional, and that a hardening of the application security of the Libero/Infostrada portals is urgently
required in order to preserve and protect users' privacy.
First Vulnerability
------------------
This PoC demonstrates how an attacker can combine another XSS vulnerability with a lack of access control on the private Libero.it Community
pages to organize a phishing attack.
Step 1. On the Community pages it is possible for Libero users to create a personal blog;
this blog is administered through some private admin pages, while the published blog pages are for public use.
The page:
http://blog.libero.it/XSS/aux_messaggio.php?
is a private admin page used to alert the owner about possible errors encountered during the publication of a blog page.
The page is XSS vulnerable through its msg parameter:
http://blog.libero.it/XSS/aux_messaggio.php?msg=
Step 2. The attacker sends a link to the victim (e.g. inviting him to have a look at some content in his personal community space).
The link is made like this:
http://blog.libero.it/XSS/login.php?rest=1&loginbox=login_riservato&from=http%3A%2F%2Fblog.libero.it%2FXSS%2Faux_messaggio.php%3Fmsg%3D%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%26nocache%3D1175124994
This link uses a second vulnerability of the portal, a lack of access control on private pages (a normal user should not be able to access an admin page of my blog), to redirect the user to the XSS page.
Step 3. The JavaScript embedded in the URL:
- reads the cookie of the user
- sends it to the attacker's phishing site
- redirects the request to the phishing site
Step 4. The phishing site presents the Libero login form, pretending that the password typed is not correct.
As the redirect comes from a REAL Libero.it AUTH page, the scenario is extremely realistic.
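As an added example (not Libero's code, and not part of the original advisory), this is how a defender would close the three weaknesses this chain relies on: output encoding of the msg parameter on the error page, validation of the from redirect target on the login page, and an ownership check on the private admin pages. Function names, the fallback page and the session layout are assumptions.

```php
<?php
// Added example, not Libero's code. Names and session layout are assumed.

// Reflected XSS: the advisory says aux_messaggio.php reflects ?msg= unescaped.
// Vulnerable pattern, shown only for contrast:
//   echo '<p class="err">' . $_GET['msg'] . '</p>';
function render_error_message(string $msg): string {
    // Encode every HTML metacharacter, quotes included, so the value can
    // only ever be rendered as text, never as markup or script.
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="err">' . $safe . '</p>';
}

// Open redirect: login.php forwards the browser to whatever ?from= holds.
// Accept only a relative path on this site; anything else goes to a fixed page.
function safe_redirect_target(?string $from, string $fallback = '/index.php'): string {
    if ($from === null || $from === '') {
        return $fallback;
    }
    // Control characters could split the Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $from)) {
        return $fallback;
    }
    $parts = parse_url($from);
    // Reject absolute URLs and protocol-relative (//host) values.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    $path = $parts['path'] ?? '';
    // Require a single leading slash; browsers treat "\" like "/", so ban it.
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//'
        || strpos($path, '\\') !== false) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Access control: an admin page must verify that the logged-in user owns
// the blog before doing anything else, instead of relying on the URL alone.
function require_blog_owner(array $session, string $blogOwner): void {
    if (empty($session['user']) || !hash_equals($blogOwner, (string) $session['user'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

With these in place, the payload from Step 2 is displayed as literal text, the login page refuses to forward to an absolute URL, and a visitor who is not the blog owner never reaches the admin page at all.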
Second Vulnerability
--------------------
The same XSS problems are present on the www.infostrada.it servers, with a
serious XSS vulnerability exploitable in a page used to subscribe to
the service:
http://www.matteoflora.com