Commonwealth Bank Cross-Site-Scripting advisory

[Calum Power <enune () fribble net>]

-- A quick note before the advisory --
During my conversation(s) with the Commonwealth Bank 'Group IT Security' 
department, they have promised to undertake a full audit of the NetBank, 
CBA website and other existing pages in an effort to stamp out all 
Cross-Site-Scripting (XSS) vulnerabilities in their web applications.

This is a very positive step in the direction of completely securing the 
Commonwealth Bank's web applications. Big congratulations go to Stephen 
and Chris from the CBA's security team for initiating a quick response, as 
well as a concerted effort for the future security of the bank.
-- Advisory follows --

--------------- 05/09/2005 ---------------
--         Fribble Technologies         --
--          Security Advisory           --
--     FOR IMMEDIATE PUBLIC RELEASE     --
---------------TIMELINE-------------------
--  Discovered: 05/09/2005              --
--  Reported: 06/09/2005                --
--  Released: 15/09/2005                --
------------------------------------------
Security Advisory: Cross-Site-Scripting in www.netbank.commbank.com.au may
lead to account compromise

Discovered by: Calum Power [enune () fribble net]
Versions Affected: All Current
Unaffected versions: None known.

Product Description:
www.commbank.com.au is the Commonwealth Bank of Australia's official website.
The sub-section of the website '/NetBank/' is devoted to information and help
in regards to their online banking service.
Using the service, it is possible to transfer money, check account balances,
review account histories, etc.

Summary:
* Cross-Site Scripting (A.K.A "XSS") could lead to the compromise of user
* accounts via 'phishing' methods.

Details:
The Commonwealth Bank provide a 'search' service for the searching of
help/information with direct relevance to their online banking service
'NetBank'. The script is located at 'NetBank/search.asp' on the webserver
www.commbank.com.au

This script accepts a few variables, the vulnerable one being 'SearchString'
Unfortunately, the ASP script responsible for the searching of pages within
the website fails to sanitise this variable before printing it in the form
element also named 'SearchString'.
This could lead to 'escaping' from the input tag, and printing arbitrary HTML
code to the user. A simple, harmless demonstration is as follows:
http://www.commbank.com.au/NetBank/search.asp?SearchString=%22%3E%3Cimg%20src=%22http://fribble.net/image.jpg%22%3E

Although the above example would not be of any risk to a user, with the use of
URI encoding and advanced HTML inclusion (possibly from a third-party
website), it would be possible to emulate a false website, or even a
legitimate-looking  login page.

Further information on the threat of Cross-Site Scripting may be obtained
here:
http://www.securitydocs.com/library/3261

Impact: High
In an environment such as Netbank, ALL user-supplied input variables should be
filtered for malformed content.
Succesfull exploitation of this vulnerability may lead to compromised bank
accounts and/or user data via scamming (or "phishing") attacks on NetBank users.

Credit:
This vulnerability was discovered by Calum Power on the 5th of September 2005.
The vendor has subsequently been notified.

Rights:
Copyright(c) 2005 Fribble Technologies (C. Power)
This advisory may be quoted, transmitted or copied, providing original author 
credit is included in the publication.


*** This vulnerability has been disclosed in accordance with the RFP
Full-Disclosure Policy v2.0, available at:
http://www.wiretrip.net/rfp/policy.html

--
Calum Power
Security Enthusiast
Cultural Jammer
Hopeless Cynic
E: enune () fribble net
W: www.fribble.net

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/