白帽子


谷雨 醉心 冬小麦:

About Group About.com All Topics (At least 99.88% links) Vulnerable to Iframe Injection (Cross Frame Scripting) Security Attacks




Vulnerability Description:


All of About.com's “topic sites” are vulnerable to Iframe Injection (Cross Frame Scripting) attacks. This means all sub-domains of about.com are affected. Using a self-written program, 94357 links were tested. Only 118 of them do not belong to the topic (Metasite) links, which means no more than 0.125% of the links are unaffected. At least 99.875% of About Group's links are vulnerable to Iframe Injection attacks. In fact, given about.com's structure, the main domain is little more than a cover, so very few links belong to it.


The Iframe Injection vulnerabilities can also be used to carry out DDoS (Distributed Denial-of-Service) attacks against other websites.


"According to About’s online media kit, nearly 1,000 "Experts" (freelance writers) contribute to the site by writing on various topics, including healthcare and travel." (About.com)


The vulnerabilities can be exploited without user login. Tests were performed on Microsoft IE (10.0.9200.16750) on Windows 8, Mozilla Firefox (34.0) and Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) on Ubuntu (14.04), and Apple Safari 6.1.6 on Mac OS X Lion 10.7.



Vulnerability Discoverer:

Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.

http://www.tetraph.com/wangjing



Vulnerability Disclosure:

These vulnerabilities were reported to About on Sunday, Oct 19, 2014. No one replied. To date, they remain unpatched.



Blog Details:


http://securityrelated.blogspot.com/2015/02/about-group-aboutcom-all-topics-at.html
