citibankXSS.txt

2005-08-17T00:00:00
ID PACKETSTORM:39406
Type packetstorm
Reporter Andrew Smith
Modified 2005-08-17T00:00:00

Description

Hi Full-Disclosure,

I'm here to report an XSS vulnerability in one of Citibank's websites.
I actually found this at a login screen, but it's on an obscure subdomain
so I don't believe that much cookie stealing can be done from it.
Phishing, however, oh good lord yes. The phishing possibilities for this XSS
vulnerability are immense (did I mention the site was SSL'd?).

Anyway, I informed Citibank through e-mail (no response), posted it on my
blog (no response, no fix..) and now I'll post it here.
I've had luck on FD in contacting BankOfAmerica employees in the past, so
maybe there are a few Citibank admins listening? Let's hope so.

Here's the URL:

https://cukehb4.cd.citibank.co.uk/CappWebApp/capp/action/lang.do?languagecode=1&countrycode=<HTML GOES HERE>&servicecode=signon&TS=1119807930296

And here's an outline (+screenshot) for if/when they fix it:

http://wheresthebeef.co.uk/show.php/xss/citibank.co.uk.html
  
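The defect the post describes is a query parameter (`countrycode`) reflected into a login page with neither validation nor output encoding. The following is an added illustration written for this record, not code from the report or from the affected site: a toy rendering of the `lang.do` parameters, first echoing `countrycode` as reported, then with an allowlist and context-aware escaping. The allowlisted values, the hidden-input markup and the sample query string are all constructed assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed allowlists standing in for whatever tables the real
# application uses; the report does not reveal them.
VALID_LANGUAGE_CODES = {"1", "2"}
VALID_COUNTRY_CODES = {"GB", "US"}
DEFAULT_LANGUAGE, DEFAULT_COUNTRY = "1", "GB"

# Constructed request mirroring the shape of the URL in the post, with a
# harmless bold tag where the post says "<HTML GOES HERE>".
SAMPLE_QUERY = ("languagecode=1&countrycode=%3Cb%3Einjected%3C%2Fb%3E"
                "&servicecode=signon&TS=1119807930296")


def _first(params: dict, name: str) -> str:
    """Return the first value of a query parameter, or "" if absent."""
    return params.get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflect countrycode straight into the markup: the reported behaviour."""
    params = parse_qs(query_string, keep_blank_values=True)
    country = _first(params, "countrycode")
    return f'<input type="hidden" name="countrycode" value="{country}">'


def validate_code(raw: str, allowed: set, default: str) -> str:
    """Allowlist check: anything not in the known set falls back to the default
    instead of being echoed, so attacker-controlled text never reaches the page."""
    return raw if raw in allowed else default


def render_hardened(query_string: str) -> str:
    """Validate against the allowlist, then escape at the point of output.
    Escaping stays even though the allowlist already excludes markup: it is
    the second layer if the allowlist is ever widened to free-form values."""
    params = parse_qs(query_string, keep_blank_values=True)
    language = validate_code(_first(params, "languagecode"),
                             VALID_LANGUAGE_CODES, DEFAULT_LANGUAGE)
    country = validate_code(_first(params, "countrycode"),
                            VALID_COUNTRY_CODES, DEFAULT_COUNTRY)
    return (f'<input type="hidden" name="languagecode" '
            f'value="{html.escape(language, quote=True)}">'
            f'<input type="hidden" name="countrycode" '
            f'value="{html.escape(country, quote=True)}">')


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_QUERY))
    print("hardened:  ", render_hardened(SAMPLE_QUERY))
```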