[Full-disclosure] H4-CREW-000003 Advirosy: Superclick XSS via popup.php

2005-11-04T00:00:00
ID SECURITYVULNS:DOC:10113
Type securityvulns
Reporter Securityvulns
Modified 2005-11-04T00:00:00

Description

H4-CREW-000003 Advirosy: Superclick XSS via popup.php Software: Superclick servers on the internet Discovered by: h4 Crew severety: moderates investigations by the H4-Crew

Impacts.

[1]cookie theif [2] hijacking XSS proxy (xssproxy.sourceforge.net)

Discussion

H4-CREW-000003 Superclick Cross-Site Scripting

The Superclick offers high-speed internet connectivity to the hospitality industry, providing internet accesses to an estimated 160 hotels with more than 20,000 rooms. Superclick offers the SIMS (Superclick Internet Management Server) for internet access, but also operates a number of public access proxy servers which integrate in to browser toolbar functions when guest sign-on occur. The popup.php script that runs on public Superclick servers is vulnerable to Cross-site Scriptings.

[1] XSS

The php script popup.php is vulnerable to the cross-site scriptings in the "url" parameter.

/superclick/popup.php?toolbar=1& popup=0&url=<script>alert("PWND")</script>

These server do not filter access by IP address, so a link to the server that any user follows will be redirected by the Superclick scripts. This makes the Cross-Site Scriptings more serious because any user could be affected by the reflected kind if any link points to a vulnerable Superclick gateway. So this cross-site scriptings could effect users who are not using the Superclick site for internet access, but follow a link in a forum or email.

[2] Privacy concerns

The superclick public gateways appear to cache some user web browsing habits as evidence of the google search which reveals pages which the Superclick has redirected users too. The extent to whether lots of user data is cached is also not known.

inurl:/superclick/popup.php

Solution

none at this time.


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/