cnn-xss.txt

Date: 18 Nov 2008 00:00:00
Reported by: anonymous
Type: packetstorm
Source: packetstormsecurity.com
Views: 19

CNN website vulnerability detected

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
- -----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Dear CNN,  
  
I recently discovered a security vulnerability on the www.cnn.com  
website. I believe the vulnerability can be used by a remote user to  
alter content on www.cnn.com.  
  
On 10 Nov 2008, I wrote to four email addresses at cnn.com and  
turner.com. Unfortunately, none of the email addresses responded -- two  
of the addresses bounced. I have no alternative except to go public.  
  
The vulnerability is due to a failure to properly taint parameters  
passed to the server. The parameters can be used to pass in  
server-side scripting code.  
  
Bad CNN. No cookie for you!  
  
The US edition of CNN has a service under "CNN.com Extras" called "My  
recently viewed pages" (scroll down the main page, it is on the  
right). Clicking on it shows the last 10 CNN.com pages you visited.  
  
I originally looked at this because I wanted to see if there were any  
privacy issues. There are none, except for a big server-side exploit.  
  
The tracking is done in a cookie variable for "www.cnn.com" called  
"js_memberservices.mrv". It is set whenever you click on an article  
(so click on an article first, then click the back button to go back  
to the main page). The cookie value is a URI-encoded string. For  
example:  
  
%7Bvalue%3A%22Bond%2C%20fangs%2C%20dogs%20and%20DiCaprio%3A%20Holiday%20movies%20roll%20out%20-%20CNN.com%7Chttp%3A//www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html%7C%7CCommentary%3A%20Can%20McCain%20be%20Obama%27s%20friend%20in%20Congress%3F%20-%20CNN.com%7Chttp%3A//www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html%22%2CexpireDate%3A1234567891011%7D  
  
This decodes as:  
{value:"Bond, fangs, dogs and DiCaprio: Holiday movies roll out - CNN.com|http://www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html||Commentary: Can McCain be Obama's friend in Congress? - CNN.com|http://www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html",expireDate:1234567891011}  
  
Vertical bars are used to separate fields and two of them separate  
records. Most of the URI-encoding is not essential.  
  
Each record has two items:  
A text title that is displayed in "My recently viewed pages".  
A URL for the hyperlink.  
  
Neither of these values appears to be filtered.  
HTML tags, JavaScript, and quotes are all permitted.  
  
Normally this would be a client-side self-imposed attack. Anything  
you put in your cookie comes back to you. Unless you have an exploit  
to edit another domain's cookie, this is harmless since you only hack  
yourself.  
  
However... server-side scripting also appears to work. And if the  
double quotes are not properly matched, then the query fails (meaning  
that they are not properly quoting the variable on the server side).  
  
The potential exploits range from posting false news stories to  
totally p0wning www.cnn.com.  
  
Too bad CNN decided not to reply and forced this to go public.  
  
PS. Hey CNN! Don't forget to also fix the "js_user_topics" cookie!  
  
- -----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.2.2 (GNU/Linux)  
  
iD8DBQFJIcUO/SGqjFZqH0kRAmhjAKCKb/LWAAln6alZ073SYrwHAPgwUwCgjP8m  
kpn5L0pthvJfJEbIq/1Z5UM=  
=TTRW  
- -----END PGP SIGNATURE-----  
-----BEGIN PGP SIGNATURE-----  
Charset: UTF8  
Note: This signature can be verified at https://www.hushtools.com/verify  
Version: Hush 3.0  
  
wpwEAQMCAAYFAkkh0B4ACgkQ/Ikpqp7FIXcD0wQAy3weU+qdsCP/GLFiy/OHGW4TkM8t  
85mPhpBMEVlEz9KVSLW5JxVFWDnmk5VDqhPBHLa82TscjYABU8g/brxFgQTjnBcpJbe0  
keuAK1eh2WSXyAFuc6FC937PE4SaXcDni1Yx7860Ekxd75at3p83rDacM9nUtu/av1QB  
tinn1fY=  
=4bXY  
-----END PGP SIGNATURE-----  
  
`
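The defensive counterpart to the message above, added here as an example and not code from the advisory, from Packet Storm or from CNN: it parses the `js_memberservices.mrv` cookie format the author documents (a URI-encoded `{value:"title|url||title|url",expireDate:N}` string) without handing it to eval or to a server-side template, refuses values whose quotes do not match instead of failing on them, and renders the list with HTML output encoding and an http(s)-only, same-site URL allow-list, so that whatever a client stores in the cookie comes back as inert text. The function names, the host allow-list and the hostile sample value are assumptions constructed for this example; the first sample cookie is the one quoted in the advisory.

```javascript
// Added example, not part of the original advisory. Parses and safely
// renders the "js_memberservices.mrv" cookie format described above.

// Sample cookie value quoted in the advisory (URI-encoded).
const SAMPLE_COOKIE =
  "%7Bvalue%3A%22Bond%2C%20fangs%2C%20dogs%20and%20DiCaprio%3A%20Holiday%20movies%20roll%20out%20-" +
  "%20CNN.com%7Chttp%3A//www.cnn.com/2008/SHOWBIZ/Movies/11/17/holiday.movies/index.html%7C%7C" +
  "Commentary%3A%20Can%20McCain%20be%20Obama%27s%20friend%20in%20Congress%3F%20-%20CNN.com%7C" +
  "http%3A//www.cnn.com/2008/POLITICS/11/16/zelizer.mccain/index.html%22%2CexpireDate%3A1234567891011%7D";

// Constructed hostile sample (assumption, not from the advisory): markup in the
// title field and a non-http scheme in the URL field.
const HOSTILE_COOKIE = encodeURIComponent('{value:"<b>x</b>|javascript:void(0)",expireDate:1}');

// Constructed sample with an unmatched double quote inside the value.
const MISMATCHED_COOKIE = encodeURIComponent('{value:"a"b|http://www.cnn.com/x",expireDate:1}');

// The value is not JSON (unquoted keys), so instead of eval() we match the
// exact shape {value:"...",expireDate:N}. A quote inside the value that is
// not backslash-escaped makes the match fail, and we return null rather than
// passing a malformed value any further.
function parseMrvCookie(encoded) {
  let decoded;
  try { decoded = decodeURIComponent(encoded); } catch { return null; }
  const m = /^\{value:"((?:[^"\\]|\\.)*)",expireDate:(\d+)\}$/.exec(decoded);
  if (!m) return null;
  // "||" separates records, the first "|" in a record separates title from URL.
  const records = m[1] === "" ? [] : m[1].split("||").map((rec) => {
    const idx = rec.indexOf("|");
    if (idx < 0) return { title: rec, url: null }; // malformed record: keep text, drop link
    return { title: rec.slice(0, idx), url: rec.slice(idx + 1) };
  });
  return { records, expireDate: Number(m[2]) };
}

// Output encoding for HTML text and attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Host allow-list is an assumption for this example.
const ALLOWED_HOSTS = new Set(["www.cnn.com", "cnn.com"]);

// Returns a normalised http(s) URL on an allowed host, or null for anything
// else (javascript:, data:, relative, off-site, unparsable).
function safeHref(url) {
  if (url === null) return null;
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;
  return u.href;
}

// Builds the "My recently viewed pages" list. Titles are always escaped;
// links are emitted only when the URL passes safeHref().
function renderRecentlyViewed(encodedCookie) {
  const parsed = parseMrvCookie(encodedCookie);
  if (!parsed) return "<ul></ul>";
  const items = parsed.records.map(({ title, url }) => {
    const href = safeHref(url);
    const text = escapeHtml(title);
    return href ? `<li><a href="${escapeHtml(href)}">${text}</a></li>` : `<li>${text}</li>`;
  });
  return `<ul>${items.join("")}</ul>`;
}

console.log(renderRecentlyViewed(SAMPLE_COOKIE));
console.log(renderRecentlyViewed(HOSTILE_COOKIE));
```

The advisory's sample renders as two links; the constructed hostile value renders as one escaped text item with no link, and the mismatched-quote value yields an empty list instead of a server error, which is the behaviour the author's "the query fails" observation suggests was missing.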
