About Group About.com All Topics (At least 99.88% links) Vulnerable to XSS (Cross-Site Scripting) Security Attacks
Vulnerability Description:About.com all “topic sites” are vulnerable to XSS (Cross-Site Scripting) attacks. This means all sub-domains of about.com are affected. Based on a self-written program, 94357 links were tested. Only 118 links do not belong to the topics (Metasites) links. Meanwhile, some about.commain pages are vulnerable to XSS attack, too. This means no more than 0.125% links are not affected. At least 99.875% links of About Group are vulnerable to XSS attacks. In fact, for about.com's structure, the main domain is something just like a cover. So, very few links belong to them.
Simultaneously, the About.com main page’s search field is vulnerable to XSS attacks, too. This means all domains related to about.com are vulnerable to XSS attacks.
"As of May 2013, About.com was receiving about 84 million unique monthly visitors." (TechCrunch. AOL Inc.)
Vulnerability Discover:Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing
Vulnerability Disclosure:Those vulnerabilities were reported to About on Sunday, Oct 19, 2014. No one replied. Until now, they are still unpatched.
Result of Exploiting XSS Attacks"Exploited XSS is commonly used to achieve the following malicious results Identity theft Accessing sensitive or restricted information Gaining free access to otherwise paid for content Spying on user’s web browsing habits Altering browser functionality Public defamation of an individual or corporation Web application defacement Denial of Service attacks (DOS)" (Acunetix)
Blog Detail:
http://tetraph.com/security/xss-vulnerability/about-group-about-com-all-topics-at-least-99-88-links-vulnerable-to-xss-cross-site-scripting-security-attacks/
评论
热度 ( 10 )