Wednesday, July 17, 2013

Dowjones.com DOM XSS

Dow Jones & Company is an American publishing and financial information firm.
The company was founded in 1882 by three reporters: Charles Dow, Edward Jones, and Charles Bergstresser. Like The New York Times and the Washington Post, the company was in recent years publicly traded but privately controlled. The company was led by the Bancroft family, which effectively controlled 64% of all voting stock, before being acquired by News Corporation.
(from Wikipedia)

In January I found a couple of issues in an Eloqua script (for which I didn't get any reply, even after I tried to contact them more than five times). This script is used by the Dow Jones site. Let's take a look at the vulnerable code:
    // attacker-influenced: the full URL of the page the user came from, query string included
    if (document.referrer) { elqRef2 = document.referrer; }
    if (navigator.appName == 'Netscape' || navigator.userAgent.indexOf("Opera") != -1) {
        // elqRef2 is concatenated into the src attribute without any encoding
        document.write('<la' + 'yer hidden=true><im' + 'g src="' + elqCurE + '?pps=3&siteid=' + elqSiteID + '&ref2=' + elqRef2 + '&tzo=' + elqTzo + '&ms=' + elqMs + '" border=0 width=1 height=1 ><\/la' + 'yer>');
    } else {
        document.write('<im' + 'g style="display:none" src="' + elqCurE + '?pps=3&siteid=' + elqSiteID + '&ref2=' + elqRef2 + '&tzo=' + elqTzo + '&ms=' + elqMs + '" border=0 width=1 height=1 >');
    }
As you can see, document.referrer is copied into elqRef2 and concatenated straight into the src attribute of an <img> tag, and the result is written into the page with document.write. The referrer is the full URL of the page the user came from, query string included, so anyone who controls that URL controls part of the HTML the Eloqua script writes into dowjones.com. A double quote in the referrer ends the src attribute, and whatever follows it is parsed as new markup.

How was it possible to attack it?

#1
Simply create an HTML page whose own URL carries the XSS vector and put a link to the dowjones.com site on it. When the victim follows the link, the browser sends that URL as the referrer and the payload is executed on dowjones.com.
http://www.example-site.com/?"><img src=x onerror=prompt(1);><!--
example-site.com hosts a link to dowjones.com. When a user clicks that link, the browser navigates to dowjones.com and the XSS vector arriving in document.referrer is executed on that page: the double quote closes the src attribute, the > closes the tracking <img>, the injected <img src=x onerror=prompt(1);> fires its onerror handler, and <!-- comments out the rest of the original tag.

#2
This proof of concept is even easier to pull off. When a user navigates from a dowjones.com URL that carries the XSS vector to another page on dowjones.com, the vector arrives in document.referrer and is executed.
www.dowjones.com/?"><h1>XSS</h1><!--
You can even play around with encoding a little to obscure the payload from inexperienced users.
www.dowjones.com/%3F%22%3E%3Ch1%3EXSS%3C%2Fh1%3E%3C!--
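To make the sink from the script above and the attack in #1 concrete, here is an added example that is not part of the original post and not the Eloqua or Dow Jones code. It models the pixel-building line as a pure function, feeds it the referrer from proof of concept #1, and puts a hardened version next to it that percent-encodes the referrer before it goes into the URL, which is what a query parameter should have been doing all along. The tracker URL, site ID, timezone and millisecond values are assumed placeholders; the checks at the end count how many tags the generated markup opens, whether an event handler ended up on an <img>, and what ref2 value the tracking server would actually receive. It runs in Node without a browser DOM.

```javascript
// Added example (not the Eloqua script or Dow Jones code): a minimal model of the
// vulnerable tracking-pixel sink beside a hardened version. Runs in Node, no DOM needed.

// Referrer from the post's first proof of concept: the URL of the attacker's page,
// which carries the payload in its query string (constructed input).
const ATTACKER_REFERRER = 'http://www.example-site.com/?"><img src=x onerror=prompt(1);><!--';

// Values the Eloqua script reads from elsewhere on the page; these are assumed placeholders.
const elqCurE = 'http://tracker.invalid/visitor/v200/svrGP';
const elqSiteID = '1234';
const elqTzo = '-60';
const elqMs = '1374062400000';

// Vulnerable: mirrors the original concatenation. The referrer lands inside a
// double-quoted attribute unencoded, so a double quote in it ends the attribute
// and everything after it is parsed as markup when document.write runs.
function buildPixelVulnerable(referrer) {
  const elqRef2 = referrer || '';
  return '<img style="display:none" src="' + elqCurE + '?pps=3&siteid=' + elqSiteID +
    '&ref2=' + elqRef2 + '&tzo=' + elqTzo + '&ms=' + elqMs + '" border=0 width=1 height=1 >';
}

// Hardened: percent-encode the referrer, as any URL query component should be.
// The output cannot contain a raw quote, < or >, and the tracking server still
// gets the full referrer back after decoding the query string.
function buildPixelSafe(referrer) {
  const elqRef2 = encodeURIComponent(referrer || '');
  return '<img style="display:none" src="' + elqCurE + '?pps=3&siteid=' + elqSiteID +
    '&ref2=' + elqRef2 + '&tzo=' + elqTzo + '&ms=' + elqMs + '" border=0 width=1 height=1 >';
}

// How many tags (or comment openers) does the generated markup start? A pixel should start one.
function countTags(html) {
  return (html.match(/<[a-zA-Z!]/g) || []).length;
}

// Does the markup carry an on* event-handler attribute on an <img> tag?
function hasEventHandler(html) {
  return /<img[^>]*\son\w+\s*=/i.test(html);
}

// What ref2 value would the tracking server receive when the browser fetches the pixel?
function referrerSeenByTracker(html) {
  const m = html.match(/src="([^"]*)"/);
  return m ? new URL(m[1]).searchParams.get('ref2') : null;
}

// Stand-alone demo
const demoVulnerable = buildPixelVulnerable(ATTACKER_REFERRER);
const demoSafe = buildPixelSafe(ATTACKER_REFERRER);
console.log('vulnerable opens', countTags(demoVulnerable), 'tags; handler present:', hasEventHandler(demoVulnerable));
console.log('safe opens', countTags(demoSafe), 'tag; handler present:', hasEventHandler(demoSafe));
console.log('tracker sees (vulnerable):', referrerSeenByTracker(demoVulnerable));
console.log('tracker sees (safe):', referrerSeenByTracker(demoSafe));
```

Encoding the value is the minimum that makes the existing concatenation safe; a proper fix would also drop document.write and build the pixel with document.createElement('img') and the src property, so attacker data is never parsed as HTML at all. Note too that the vulnerable build truncates the ref2 the tracker sees at the first double quote, so an injection attempt is visible server-side as a referrer that stops at a quote.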


Both examples could be used by malicious users to trick victims into scams and even to spread malware.

Dow Jones has already fixed this; their solution was simply to remove the script.

Timeline:
21 Mar 2013: Sent this information to Dow Jones
22 Mar 2013: Got a reply
11 Apr 2013: Requested an update about this vulnerability
12 Apr 2013: Got a reply that they were fixing it
03 Jun 2013: Noticed that the issue was fixed and requested an update from Dow Jones (no reply so far)
17 Jul 2013: Full disclosure
