The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks
Domain Description:
http://www.weather.com/
"The
Weather Channel is an American basic cable and satellite television
channel which broadcasts weather forecasts and weather-related news and
analyses, along with documentaries and entertainment programming related
to weather. Launched on May 2, 1982, the channel broadcasts weather
forecasts and weather-related news and analysis, along with
documentaries and entertainment programming related to weather."
"As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives." (Wikipedia)
Vulnerability description:
The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs.
Almost
all links under the domain weather.com are vulnerable to XSS attacks.
Attackers just need to add script at the end of The Weather Channel's
URLs. Then the scripts will be executed.
10
thousands of Links were tested based a self-written tool. During the
tests, 76.3% of links belong to weather.com were vulnerable to XSS
attacks.
The
reason of this vulnerability is that Weather Channel uses URLs to
construct its HTML tags without filtering malicious script codes.
The
vulnerability can be attacked without user login. Tests were performed
on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.
POC Codes, e.g.
http://www.weather.com/
http://www.weather.com/home-
http://www.weather.com/news/
POC Video:
The Weather Channel has patched this Vulnerability in late November, 2014 (last Week). "The
Full Disclosure mailing list is a public forum for detailed discussion
of vulnerabilities and exploitation techniques, as well as tools,
papers, news, and events of interest to the community. FD differs from
other security lists in its open nature and support for researchers'
right to decide how to disclose their own discovered bugs. The full
disclosure movement has been credited with forcing vendors to better
secure their products and to publicly acknowledge and fix flaws rather
than hide them. Vendor legal intimidation and censorship attempts are
not tolerated here!" A great many of the fllowing web securities have
been published here, Buffer overflow, HTTP Response Splitting (CRLF),
CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF,
Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage,
Denial of Service, File Inclusion, Weak Encryption, Privilege
Escalation, Directory Traversal, HTML Injection, Spam. This bug was
published at The Full Disclosure in November, 2014.
Discovered by:
Jing
Wang, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore. (@justqdjing)
More Details:
No comments:
Post a Comment