Re: Cross-site scripting.

> I have recently done a "CSS marathon" and found _almost_ every page I tried
> vulnerable within half an hour. These include microsoft, altavista,
> google, cnet, time, ebay, amazon, netscape, yahoo and redhat. This list
> probably could have gone on forever if I had taken the time. I have
> contacted every one of them about this (except for yahoo and ebay because I
> was unable to find a contact email address or feedback form; if it takes
> longer to find the contact info than to find the CSS, f#ck 'em). I am now
> awaiting their responses.


Ebay can be reached at clalonde@ebay.com. I had spoken with him in regards to an old
CSS hole and he was very prompt in response once I actually found it. Dunno about yahoo
on the other hand.

Time.com's security contact can be reached at Renee_Guttmann@timeinc.com. I had found a hole
that not only allowed CSS but also SSI tag insertion into the website search engine.
Of course it's fixed now, but it took over a month to get fixed. And yes, command execution
was possible. Try emailing lists like incidents and say "security contact for website.com?"
and you will usually get a quick response, which was the case with time and me.


> Feedback on the usefulness (or futility) of a "general CSS advisory" would
> be appreciated.

Well, as it is generally known, CSS holes can allow potential cookie theft. I guess on larger
sites this may be more of an issue because people invest in them. Small sites you probably
should just email the admins (if you can find them), and if not, contact their ISP: "hey, I wanted to
possibly speak with the admin of this site, can you help me by giving me an email addy?". Originally
when I contacted ebay it took over 3 months to get a response. Once I did, the problem was fixed within
a day. Depending on the site's general security it could perhaps open up some other issues.

- zeno@cgisecurity.com 

PS: to the people whose email addies I gave out: if you're upset I did, please let me know; after all,
giving them out is for your benefit.
> 
> Berend-Jan Wever
> 
> --------------------------------------------
> CSS implications
> 
> By opening a specially crafted URL in the targeted user's web browser (for
> instance when he visits your website or reads an email you sent him):
> - read anything that user can read from the CSS-vulnerable site
> (address book, personal info, etc...)
> - do whatever that user can do on the CSS-vulnerable site (send messages,
> order stuff, change personal settings and passwords)
> - spoof the contents of the CSS-vulnerable site (make somebody think he is
> looking at www.foo.com while the contents of the page actually come from
> your site www.bar.com)
> 
> 
> 
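As an added example (mine, not code from either poster or from any of the sites named in the thread), here is the reflected-search pattern the thread describes, next to the output-encoding fix and a simple check an auditor or site owner can run; the host, the `q` parameter name and the SSI directive are constructed samples.

```python
import html
from urllib.parse import parse_qs, urlsplit


def search_term(url: str) -> str:
    """Extract the 'q' parameter a search page reflects (hypothetical parameter name)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflect the term verbatim: any '<' in it becomes live markup in the victim's browser."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Reflect the term as data only: &, <, >, \" and ' are turned into HTML entities."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflects_raw_markup(term: str, page: str) -> bool:
    """Detection check: does a term containing markup characters come back unencoded?"""
    has_markup = any(ch in term for ch in "<>\"'")
    return has_markup and term in page


# Constructed sample URL: a search form that echoes the query back into the page.
# A harmless bold tag is enough to show whether input is reflected as markup.
SAMPLE_URL = "https://search.example.test/find?q=%3Cb%3Ebooks%3C%2Fb%3E"
# Constructed SSI-style directive, the kind of server-side tag the thread says
# could be injected through a search engine; escaping '<' neutralises it too.
SSI_TERM = '<!--#echo var="DATE_LOCAL" -->'

if __name__ == "__main__":
    term = search_term(SAMPLE_URL)
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(term)
        print(f"{name:10s} reflects raw markup: {reflects_raw_markup(term, page)}")
        print("  ", page)
```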

