I found out about this yesterday when I was searching for a product on the Indiatimes Shopping website. It is a very common security problem; it is basically a mistake in the coding. It is called Cross-Site Scripting (XSS).

I have informed Indiatimes about it, but so far I haven’t got any response from them 🙁

What is this security hole all about?
In simple words, a person can ask you to click on a link, and once you click on it, he can do whatever he wants: he can show a login page, or a page asking for credit card details.

And once you enter the details, everything will be mailed to him. In fact he may try to do a lot more than that; he may try to exploit the loopholes in your system.

I have submitted this to BugTraq also.


Technical Details (I have sent the same to the Bugtraq mailing list also)

——————————————————————-
Name : IndiaTimes Shopping – XSS Vulnerability
WebSite : http://shopping.indiatimes.com
Date : January 29, 2005
Vuln Type : Cross site scripting
Severity : Moderate
Vendor : Unknown

HomePage : www.indiatimes.com

——————————————————————-
SITE DESCRIPTION:
——————————————————————-
Indiatimes Shopping provides an ideal platform for Clients/ Merchants to set up a shop and enable themselves to reach directly to the consumer. Indiatimes has enabled more than 200 brands/ manufacturers/ service providers. With business volumes growing at the rate of 200%, Indiatimes is constantly adding new merchants/ sellers to its marketplace and retaining the successful ones.

——————————————————————-
VULNERABILITY INFO:
——————————————————————-

The security hole is basically on page

What is happening?

When they list the products on the page, they also pass the page title in the query string.
But when they echo the title back into the page, they have not used any escaping function like htmlentities() (which we use in PHP); because of this, the query string allows me to inject HTML code, including JavaScript.

For example…

When you go to this page

and click on any product, you will see that it passes a variable named title in the query string containing the name of the product.

And they print the value of that same variable in the page title and in the breadcrumb showing the current location (Indiatimes > Shopping > Category > Product Name, taken from the title variable).

This is the page I am talking about….

Now if you replace the page title with JavaScript code, then instead of showing the code as plain text, the page executes it.
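The pattern described above, a query-string title echoed unescaped into the page title and breadcrumb, beside its hardened form, as an added Python example that is not from the original post or the Indiatimes site; the host, parameter names, product name and probe string are constructed.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed product URL mirroring the pattern described above: the product
# name travels in a "title" query-string parameter and is echoed into the page.
# The host, parameter names and product name are assumptions, not the real site's.
PRODUCT_URL = "http://shopping.example.test/product?id=42&title=Nokia+6600"

# Harmless probe of the kind used to confirm reflected XSS: if it comes back
# with its angle brackets intact, the page is executing it, not displaying it.
PROBE = "<script>alert('xss')</script>"


def title_from_url(url: str) -> str:
    """Return the 'title' query-string value ('' if absent), as the server reads it."""
    return parse_qs(urlsplit(url).query).get("title", [""])[0]


def render_vulnerable(title: str) -> str:
    """The bug: the untrusted title is echoed verbatim into <title> and the breadcrumb."""
    return (
        f"<title>{title}</title>\n"
        f"<div>Indiatimes &gt; Shopping &gt; Category &gt; {title}</div>"
    )


def render_hardened(title: str) -> str:
    """The fix: escape at output time (what PHP's htmlspecialchars()/htmlentities() do).

    Escaping '<' and '>' means the value can no longer close </title> early or open
    a <script> tag; quote=True also escapes quotes, so it is safe in attributes too.
    """
    safe = escape(title, quote=True)
    return (
        f"<title>{safe}</title>\n"
        f"<div>Indiatimes &gt; Shopping &gt; Category &gt; {safe}</div>"
    )


def reflected_unescaped(html_out: str, untrusted: str) -> bool:
    """True when a value containing markup reaches the output byte-for-byte,
    i.e. the page reflects it without encoding (the condition reported above)."""
    return ("<" in untrusted or ">" in untrusted) and untrusted in html_out


if __name__ == "__main__":
    print(render_vulnerable(title_from_url(PRODUCT_URL)))
    print(reflected_unescaped(render_vulnerable(PROBE), PROBE))  # True
    print(reflected_unescaped(render_hardened(PROBE), PROBE))    # False
```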

UPDATE: 14th Feb 2005

An example of the code can be the following

This will redirect to the page http://whoisdeep.com/indcr.html and show a fake login page.

This is just a simple example; I am sure that you can do a lot more things with this XSS vulnerability.

We can also use this security hole together with the latest vulnerability in non-IE browsers, i.e. Firefox, Opera, etc. (to make this more convincing, so that even a techie person might find it real).

How?

In the recent exploit found by Shmoo, you can spoof the domain address. The user will see it as Indiatimes.com, but in reality the domain name will be something else.

For example, visit this page

Clicking on either of the two links on the above webpage using anything but IE should result in a spoofed paypal.com webpage.

The links point at “http://www.pаypal.com/” (the second letter is a Cyrillic “а”, not a Latin “a”), which the browsers’ punycode handlers render as http://www.xn--pypal-4ve.com.

For detailed information about this exploit you can visit this page


——————————————————————-
IMPACT:
——————————————————————-
The exploit can be used in fraud emails asking users to enter personal details like login, password, credit card info, etc.

——————————————————————-
SOLUTION:
——————————————————————-
I mailed them about the same yesterday, but there has been no response from their side.