About Group About.com All Topics (At least 99.88% links) Vulnerable to Iframe Injection (Cross Frame Scripting) Security Attacks

About Group About.com All Topics (At least 99.88% links) Vulnerable to Iframe Injection (Cross Frame Scripting) Security Attacks

 

Vulnerability Description:

About.com all “topic sites” are vulnerable to Iframe Injection (Cross Frame Scripting) attacks. This means all sub-domains of about.com are affected. Based on a self-written program, 94357 links were tested. Only 118 links do not belong to the topics (Metasites) links. This means no more than 0.125% links are not affected. At least 99.875% links of About Group are vulnerable to Iframe Injection attacks. In fact, for about.com‘s structure, the main domain is something just like a cover. So, very few links belong to them.

For the Iframe Injection vulnerabilities. They can be used to do DOS (Denial-of-Service Attack) to other websites, too.

 

 

Vulnerability Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing

 

 

Vulnerability Disclosure:
Those vulnerabilities were reported to About on Sunday, Oct 19, 2014. No one replied. Until now, they are still unpatched.

 

about_quesion_security_xss1

 

 

 

(1) Some Basic Background

(1.1) Domain Description:

“For March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month.” (The New York Times)

“About.com, also known as The About Group (formerly About Inc.), is an Internet-based network of content that publishes articles and videos about various subjects on its “topic sites,” of which there are nearly 1,000. The website competes with other online resource sites and encyclopedias, including those of the Wikimedia Foundation” (Wikipedia)

“As of May 2013, About.com was receiving about 84 million unique monthly visitors.” (TechCrunch. AOL Inc.)

“According to About’s online media kit, nearly 1,000 “Experts” (freelance writers) contribute to the site by writing on various topics, including healthcare and travel.” (About.com)

 

about_international_iframe_jnjection

 

 

(1.2) Topics Realted to About.com

“The Revolutionary About.com Directory and Community Metasite. Hundreds of real live passionate Guides covering Arts, Entertainment, Business, Industry, Science, Technology, Culture, Health, Fitness, Games,Travel, News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms, Education, Computers, Hobbies and Local Information.” (azlist.about.com)

About.com – Sites A to Z

Number of Topics

A: 66

B: 61

C: 118

D: 49

E: 33

F: 57

G: 39

H: 48

I: 32

J: 15

K: 13

L: 36

M: 70

N: 26

O: 23

P: 91

Q: 4

R: 32

S: 104

T: 47

U: 12

V: 9

W: 43

X: 1

Y: 4

Z: 1

SUM: 1039

Reference:

In fact, those are not all topics of about.com. Some of the topics are not listed here such as,

So, there are more than 1000 topics related to about.com

 

 

(1.3) Basics of Iframe Injection (Cross-frame-Scripting) Vulnerabilities

“In an XFS (Cross-frame-Scripting) attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker’s page loads a third-party page in an HTML frame; and then javascript executing in the attacker’s page steals data from the third-party page.” (OWASP)

“XFS also sometimes is used to describe an XSS attack which uses an HTML frame in the attack. For example, an attacker might exploit a Cross Site Scripting Flaw to inject a frame into a third-party web page; or an attacker might create a page which uses a frame to load a third-party page with an XSS flaw.” (OWASP)

 

 

 

(2) Vulnerabilities Details:

About Group has a security problem. It can be exploited by Iframe Injection (Cross Frame Scripting) attacks.

The vulnerability occurs at about.com “offsite.htm” page with “zu” parameter, e.g.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 

Use one of webpages for the following tests. The webpage address is “https://itinfotechnology.wordpress.com/“. Suppose that this webpage is malicious.

 

Vulnerable URLs:

 

POC:

 

Wang Jing

Leave a Reply

Your email address will not be published. Required fields are marked *