H4-CREW-000003.txt

2005-11-04T00:00:00
ID PACKETSTORM:41275
Type packetstorm
Reporter h4 Crew
Modified 2005-11-04T00:00:00

Description

                                        
                                            `H4-CREW-000003 Advirosy: Superclick XSS via popup.php  
Software: Superclick servers on the internet  
Discovered by: h4 Crew  
Severity: moderate
Investigation by the H4-Crew
  
  
Impacts
  
[1] cookie theft
[2] hijacking XSS proxy (xssproxy.sourceforge.net)  
  
  
Discussion  
=========  
H4-CREW-000003 Superclick Cross-Site Scripting  
  
Superclick offers high-speed internet connectivity to the
hospitality industry, providing internet access to an estimated 160
hotels with more than 20,000 rooms. Superclick offers the SIMS
(Superclick Internet Management Server) for internet access, but also
operates a number of public access proxy servers which integrate into
browser toolbar functions when a guest signs on. The popup.php
script that runs on public Superclick servers is vulnerable to
Cross-Site Scripting.
  
[1] XSS  
------------  
  
The PHP script popup.php is vulnerable to cross-site scripting in
the "url" parameter.
  
/superclick/popup.php?toolbar=1&popup=0&url=<script>alert("PWND")</script>
  
These servers do not filter access by IP address, so a link to the
server that any user follows will be redirected by the Superclick
scripts. This makes the Cross-Site Scripting more serious because any
user could be affected by the reflected kind if any link points to a
vulnerable Superclick gateway. So this cross-site scripting could
affect users who are not using the Superclick site for internet
access, but follow a link in a forum or email.
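Because the advisory lists no vendor fix, a gateway operator can at least spot attempts against the "url" parameter in access logs. The following Python script is an added example, not part of the advisory or of Superclick's software; the log lines are constructed, and the Common Log Format layout and the marker patterns are assumptions.

```python
"""Flag reflected-XSS attempts against /superclick/popup.php?url=... in
web-server access logs (added example; detection logic is an assumption)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Common Log Format lines: one benign popup.php hit, two
# injection attempts (one with the advisory's payload, one attribute-based),
# and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2005:10:00:00 +0000] "GET /superclick/popup.php?toolbar=1&popup=0&url=http://example.com/ HTTP/1.1" 200 512
10.0.0.6 - - [04/Nov/2005:10:00:01 +0000] "GET /superclick/popup.php?toolbar=1&popup=0&url=%3Cscript%3Ealert(%22PWND%22)%3C/script%3E HTTP/1.1" 200 640
10.0.0.7 - - [04/Nov/2005:10:00:02 +0000] "GET /superclick/popup.php?url=%22%20onload%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 640
10.0.0.8 - - [04/Nov/2005:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markers of HTML/JS in a value that should only ever be a plain URL.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*script|javascript:|\bon\w+\s*=|<\s*(?:iframe|img|svg)", re.I
)

def url_param_is_suspicious(value: str) -> bool:
    """True if the (possibly double-encoded) value contains script markers."""
    decoded = unquote(unquote(value))  # second pass catches %25-style double encoding
    return bool(XSS_MARKERS.search(decoded))

def scan_log(text: str) -> list:
    """Return (client_ip, decoded_url_param) for each popup.php request whose
    'url' parameter looks like an injection attempt."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/superclick/popup.php"):
            continue
        # parse_qs already percent-decodes each value once.
        for value in parse_qs(parts.query).get("url", []):
            if url_param_is_suspicious(value):
                hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for ip, payload in scan_log(SAMPLE_LOG):
        print(f"{ip}: suspicious url= {payload!r}")
```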
  
[2] Privacy concerns  
-------------------------------  
The Superclick public gateways appear to cache some user web browsing
habits, as evidenced by a Google search which reveals pages to which
Superclick has redirected users. The extent to which user data is
cached is also not known.
  
inurl:/superclick/popup.php  
  
Solution  
-----------  
None at this time.