-- A quick note before the advisory -- During my conversation(s) with the Commonwealth Bank 'Group IT Security' department, they have promised to undertake a full audit of the NetBank, CBA website and other existing pages in an effort to stamp out all Cross-Site-Scripting (XSS) vulnerabilities in their web applications. This is a very positive step in the direction of completely securing the Commonwealth Bank's web applications. Big congratulations go to Stephen and Chris from the CBA's security team for initiating a quick response, as well as a concerted effort for the future security of the bank. -- Advisory follows -- --------------- 05/09/2005 --------------- -- Fribble Technologies -- -- Security Advisory -- -- FOR IMMEDIATE PUBLIC RELEASE -- ---------------TIMELINE------------------- -- Discovered: 05/09/2005 -- -- Reported: 06/09/2005 -- -- Released: 15/09/2005 -- ------------------------------------------ Security Advisory: Cross-Site-Scripting in www.netbank.commbank.com.au may lead to account compromise Discovered by: Calum Power [enune@fribble.net] Versions Affected: All Current Unaffected versions: None known. Product Description: www.commbank.com.au is the Commonwealth Bank of Australia's official website. The sub-section of the website '/NetBank/' is devoted to information and help in regards to their online banking service. Using the service, it is possible to transfer money, check account balances, review account histories, etc. Summary: * Cross-Site Scripting (A.K.A "XSS") could lead to the compromise of user * accounts via 'phishing' methods. Details: The Commonwealth Bank provide a 'search' service for the searching of help/information with direct relevance to their online banking service 'NetBank'. The script is located at 'NetBank/search.asp' on the webserver www.commbank.com.au This script accepts a few variables, the vulnerable one being 'SearchString' Unfortunately, the ASP script responsible for the searching of pages within the website fails to sanitise this variable before printing it in the form element also named 'SearchString'. This could lead to 'escaping' from the input tag, and printing arbitrary HTML code to the user. A simple, harmless demonstration is as follows: http://www.commbank.com.au/NetBank/search.asp?SearchString=%22%3E%3Cimg%20src=%22http://fribble.net/image.jpg%22%3E Although the above example would not be of any risk to a user, with the use of URI encoding and advanced HTML inclusion (possibly from a third-party website), it would be possible to emulate a false website, or even a legitimate-looking login page. Further information on the threat of Cross-Site Scripting may be obtained here: http://www.securitydocs.com/library/3261 Impact: High In an environment such as Netbank, ALL user-supplied input variables should be filtered for malformed content. Succesfull exploitation of this vulnerability may lead to compromised bank accounts and/or user data via scamming (or "phishing") attacks on NetBank users. Credit: This vulnerability was discovered by Calum Power on the 5th of September 2005. The vendor has subsequently been notified. Rights: Copyright(c) 2005 Fribble Technologies (C. Power) This advisory may be quoted, transmitted or copied, providing original author credit is included in the publication. *** This vulnerability has been disclosed in accordance with the RFP Full-Disclosure Policy v2.0, available at: http://www.wiretrip.net/rfp/policy.html -- Calum Power Security Enthusiast Cultural Jammer Hopeless Cynic E: enune@fribble.net W: www.fribble.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/