H4-CREW-000003 Advisory: Superclick XSS via popup.php

Software:      Superclick servers on the internet
Discovered by: h4 Crew
Severity:      moderate
Investigations by the H4-Crew

Impacts:
[1] cookie theft
[2] hijacking via XSS proxy (xssproxy.sourceforge.net)

Discussion
==========

H4-CREW-000003 Superclick Cross-Site Scripting

Superclick offers high-speed internet connectivity to the hospitality industry, providing internet access to an estimated 160 hotels with more than 20,000 rooms. Superclick offers the SIMS (Superclick Internet Management Server) for internet access, but also operates a number of public access proxy servers which integrate into browser toolbar functions when guest sign-on occurs. The popup.php script that runs on public Superclick servers is vulnerable to Cross-Site Scripting.

[1] XSS
-------

The PHP script popup.php is vulnerable to Cross-Site Scripting in the "url" parameter:

/superclick/popup.php?toolbar=1&popup=0&url=

These servers do not filter access by IP address, so a link to the server that any user follows will be redirected by the Superclick scripts. This makes the Cross-Site Scripting more serious: any link pointing to a vulnerable Superclick gateway can be followed by anyone, so any user could be affected by the reflected variant. This Cross-Site Scripting could therefore affect users who are not using the Superclick site for internet access, but who follow a link in a forum or email.

[2] Privacy concerns
--------------------

The Superclick public gateways appear to cache some user web browsing habits, as evidenced by Google search results which reveal pages to which Superclick has redirected users. The extent to which user data is cached is also not known.

inurl:/superclick/popup.php

Solution
--------

None at this time.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
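The reflected XSS and open-redirect pattern described in section [1], as an added example that is not Superclick's code and not part of the original advisory: a gateway page that reflects the "url" parameter unchanged, beside a hardened version that allowlists the redirect host and scheme and escapes the value for the href attribute context. The host names and default target are constructed placeholders.

```python
"""Reflected XSS / open redirect through a gateway 'url' parameter.

Added example, not Superclick's code. It assumes the popup page builds an
anchor tag from the 'url' query parameter; all host names are constructed.
"""
import html
from urllib.parse import urlsplit

# Hosts the gateway may send guests to (constructed allowlist, not real).
ALLOWED_HOSTS = {"portal.example-hotel.test", "www.example-isp.test"}
DEFAULT_TARGET = "https://portal.example-hotel.test/"


def render_popup_unsafe(url: str) -> str:
    """Vulnerable pattern: the raw parameter lands in the HTML unchanged,
    so a quote in it closes the attribute and anything after is markup."""
    return '<a href="' + url + '">Continue to your page</a>'


def validate_redirect_target(url: str) -> str:
    """Accept only absolute http(s) URLs whose host is allowlisted.

    One check covers both issues from the advisory: non-http schemes such as
    javascript: or data: (script execution via the href itself) and off-site
    hosts (open redirect). Anything else falls back to the default target.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal in the netloc
        return DEFAULT_TARGET
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET
    # .hostname strips userinfo, so "allowed.host@evil.test" resolves to evil.test.
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return url


def render_popup_safe(url: str) -> str:
    """Hardened pattern: validate the destination, then escape for the
    attribute context. Escaping alone would stop markup injection but not
    the redirect to an arbitrary site; validation alone would still let a
    quote inside an allowlisted URL break out of the attribute."""
    target = validate_redirect_target(url)
    return '<a href="' + html.escape(target, quote=True) + '">Continue to your page</a>'


if __name__ == "__main__":
    sample = 'https://portal.example-hotel.test/?q="x'  # constructed input
    print(render_popup_unsafe(sample))
    print(render_popup_safe(sample))
```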