Webs ID Cross Site Scripting

`*Webs ID Reflected XSS (Cross-site Scripting) Security Vulnerabilities*  
  
  
Exploit Title: Webs ID /login.jsp &error Parameter Reflected XSS  
(Cross-site Scripting) Security Vulnerabilities  
Vendor: Webs, Inc  
Product: Webs ID  
Vulnerable Versions:  
Tested Version:  
Advisory Publication: April 02, 2015  
Latest Update: April 02, 2015  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference: *  
Impact CVSS Severity (version 2.0):  
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)  
Impact Subscore: 2.9  
Exploitability Subscore: 8.6  
Writer and Reporter: Wang Jing [Mathematics, Nanyang Technological  
University (NTU), Singapore]  
  
  
  
  
  
  
  
*Proposition Details:*  
  
  
*(1) Vendor & Product Description:*  
  
  
*Vendor:*  
Webs, Inc  
  
  
  
*Product & Vulnerable Versions:*  
Webs ID  
  
  
  
*Vendor URL & download:*  
Webs ID can be obtained from here,  
http://www.webs.com  
http://www.webs.com/blog/2010/04/20/new-easier-way-to-manage-websid-account-settings/  
  
  
  
*Terms of Service Overview:*  
" The services offered by Webs, Inc. ("Webs" or "us" or "we" or "our")  
include the websites at http://www.webs.com and http://www.freewebs.com as  
well as any other related websites, toolbars, widgets, or other  
distribution channels we may, from time to time, operate (collectively,  
"Webs.com") and any other features, content, services or applications  
offered, from time to time, by us (collectively, the "Services"). This  
agreement (the "Terms of Service" or "Agreement") sets forth legally  
binding terms for your use of the Services. By using the Services, you  
agree to be bound by these Terms of Service, whether you are a "Website  
Creator" (which means that you have registered to utilize our tools to  
build a website ("Website")), a "Member" (which means that you have  
registered on one of the Webs.com hosted Websites), a "Visitor" (which  
means that you are visiting Webs.com or any hosted Website), or an  
"Application Developer" (which means that you have been approved to build  
or deploy your application or anything else that receives data (an  
"Application") on Webs.com). The term "User" refers to a Visitor or a  
Member or a Website Creator. By browsing or registering with, creating or  
using any Website, Application or Service on Webs.com you are agreeing to  
these Terms of Service, and these Terms of Service along with any other  
guidelines we may post from time to time, such as our Privacy Policy and  
Application Developer Terms (collectively, the "Guidelines") will govern  
your use of the Services. If you do not agree to these Terms of Service or  
any of the Guidelines, you must cease use of the Services."  
  
"You represent that you are fully able and competent to enter into the  
terms, conditions, obligations, representations and warranties set forth in  
these Terms of Service. If you are using or creating a Website or  
Application on or through Webs.com as a representative of a company or  
legal entity, (i) you represent that you have the authority to enter into  
this Agreement on behalf of that company or entity, and (ii) you agree that  
the terms "you" and "your" in this Agreement refers to your company or  
legal entity. "  
  
  
  
  
*(2) Vulnerability Details:*  
Webs ID web application has a security bug problem. It can be exploited by  
XSS attacks. This may allow a remote attacker to create a specially crafted  
request that would execute arbitrary script code in a user's browser  
session within the trust relationship between their browser and the server.  
  
Several other Webs ID products 0-day vulnerabilities have been found by  
some other bug hunter researchers before. Webs has patched some of them.  
Gmane (pronounced "mane") is an e-mail to news gateway. It allows users to  
access electronic mailing lists as if they were Usenet newsgroups, and also  
through a variety of web interfaces. Gmane is an archive; it never expires  
messages (unless explicitly requested by users). Gmane also supports  
importing list postings made prior to a list's inclusion on the service. It  
has published suggestions, advisories, solutions related to XSS  
vulnerabilities.  
  
  
*(2.1) *The first code programming flaw occurs atoccurs at "/login.jsp?"  
page with "&error" parameter.  
  
  
  
  
  
*References:*  
http://www.tetraph.com/security/xss-vulnerability/webs-id-reflected-xss/  
http://securityrelated.blogspot.com/2015/04/webs-id-reflected-xss-cross-site.html  
http://www.inzeed.com/kaleidoscope/computer-web-security/webs-id-reflected-xss/  
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/webs-id-reflected-xss/  
https://computerpitch.wordpress.com/2015/04/15/webs-id-reflected-xss/  
http://www.irist.ir/author-Wang%20Jing.html  
http://exploitarchive.com/webshop-hun-1-062s-cross-site-scripting/  
http://lists.openwall.net/full-disclosure/2015/02/03/2  
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1821  
  
  
  
  
--  
Wang Jing,  
Division of Mathematical Sciences (MAS),  
School of Physical and Mathematical Sciences (SPMS),  
Nanyang Technological University (NTU),  
Singapore.  
http://www.tetraph.com/wangjing/  
https://twitter.com/justqdjing  
  
  
`