`-- A quick note before the advisory --
During my conversation(s) with the Commonwealth Bank 'Group IT Security'
department, they have promised to undertake a full audit of the NetBank,
CBA website and other existing pages in an effort to stamp out all
Cross-Site-Scripting (XSS) vulnerabilities in their web applications.
This is a very positive step in the direction of completely securing the
Commonwealth Bank's web applications. Big congratulations go to Stephen
and Chris from the CBA's security team for initiating a quick response, as
well as a concerted effort for the future security of the bank.
-- Advisory follows --
--------------- 05/09/2005 ---------------
-- Fribble Technologies --
-- Security Advisory --
-- FOR IMMEDIATE PUBLIC RELEASE --
---------------TIMELINE-------------------
-- Discovered: 05/09/2005 --
-- Reported: 06/09/2005 --
-- Released: 15/09/2005 --
------------------------------------------
Security Advisory: Cross-Site-Scripting in www.netbank.commbank.com.au may
lead to account compromise
Discovered by: Calum Power [[email protected]]
Versions Affected: All Current
Unaffected versions: None known.
Product Description:
www.commbank.com.au is the Commonwealth Bank of Australia's official website.
The sub-section of the website '/NetBank/' is devoted to information and help
in regards to their online banking service.
Using the service, it is possible to transfer money, check account balances,
review account histories, etc.
Summary:
* Cross-Site Scripting (A.K.A "XSS") could lead to the compromise of user
* accounts via 'phishing' methods.
Details:
The Commonwealth Bank provide a 'search' service for the searching of
help/information with direct relevance to their online banking service
'NetBank'. The script is located at 'NetBank/search.asp' on the webserver
www.commbank.com.au
This script accepts a few variables, the vulnerable one being 'SearchString'
Unfortunately, the ASP script responsible for the searching of pages within
the website fails to sanitise this variable before printing it in the form
element also named 'SearchString'.
This could lead to 'escaping' from the input tag, and printing arbitrary HTML
code to the user. A simple, harmless demonstration is as follows:
http://www.commbank.com.au/NetBank/search.asp?SearchString=%22%3E%3Cimg%20src=%22http://fribble.net/image.jpg%22%3E
Although the above example would not be of any risk to a user, with the use of
URI encoding and advanced HTML inclusion (possibly from a third-party
website), it would be possible to emulate a false website, or even a
legitimate-looking login page.
Further information on the threat of Cross-Site Scripting may be obtained
here:
http://www.securitydocs.com/library/3261
Impact: High
In an environment such as Netbank, ALL user-supplied input variables should be
filtered for malformed content.
Succesfull exploitation of this vulnerability may lead to compromised bank
accounts and/or user data via scamming (or "phishing") attacks on NetBank users.
Credit:
This vulnerability was discovered by Calum Power on the 5th of September 2005.
The vendor has subsequently been notified.
Rights:
Copyright(c) 2005 Fribble Technologies (C. Power)
This advisory may be quoted, transmitted or copied, providing original author
credit is included in the publication.
*** This vulnerability has been disclosed in accordance with the RFP
Full-Disclosure Policy v2.0, available at:
http://www.wiretrip.net/rfp/policy.html
--
Calum Power
Security Enthusiast
Cultural Jammer
Hopeless Cynic
E: [email protected]
W: www.fribble.net
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation