Dangerous exploit on weather underground (wunderground.com)

[speaker219]

see the following link:

http://www.wunderground.com/wximage/viewsingleimage.html?handle=%3Cscript%3Edocument.title=%22XSSd%20your%20title%22;%20document.body.innerHTML=%22%3Cb%3EXSSd%20your%20html%3C/b%3E%22%3C/script%3E

[trq]

And?

[Daniel0]

You should probably report it to them instead of us.

[neylitalo]

Just so you know, you can always execute arbitrary Javascript on any web page. (Firebug is an easy place to start) It's when you can make the server do silly things that you would consider it a security problem.

[Daniel0]

Just so you know, you can always execute arbitrary Javascript on any web page. (Firebug is an easy place to start) It's when you can make the server do silly things that you would consider it a security problem.

 

The point in the above is that if you can get a user to click the link, then YOU choose what Javascript that should be executed. You could e.g. send document.cookie data to another page where some sort of harvester script is. In that way you can steal a user's cookies and possibly log in as that user using those cookies. That's called a Type-1 XSS attack.

 

Example from Wikipedia:

  1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.

  2. Mallory observes that Bob's website contains a reflected XSS vulnerability.

  3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, making it look as if it came from Bob (ie. the email is spoofed).

  4. Alice visits the URL provided by Mallory while logged into Bob's website.

  5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server. The script steals sensitive information (authentication credentials, billing info, etc) and sends this to Mallory's web server without Alice's knowledge.

[bilis_money]

I think his joke is 100% not funny.  :-\

[speaker219]

The point is that a scammer could use this to disguise himself as a ligitimate site on Weather Underground.

See the definition of XSS:

Cross site scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is. From the trusted context, an attack can be launched

[speaker219]

I think his joke is 100% not funny.  :-\

My "joke" isn't supposed to be funny... Do you have any idea what XSS is? A scammer could steal cookies or other info using that.

[speaker219]

See

http://www.wunderground.com/wximage/viewsingleimage.html?handle=%3Cscript%3Edocument.title=%22Weather%20Underground%22;%20document.body.innerHTML=%22%3Ch1%3EYup,%20I%20just%20stole%20some%20cookies.%3C/h1%3E%22;%20alert(document.cookie)%3C/script%3E

[Azu]

Just so you know, you can always execute arbitrary Javascript on any web page. (Firebug is an easy place to start) It's when you can make the server do silly things that you would consider it a security problem.

I bet you can't make someone run arbitrary Javascript on MY website from just clicking a link..