CNN Cross Site Scripting / Open Redirect

2014.12.30
Credit: Wang Jing
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

*CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Security Vulnerability*

*Domain:*
http://cnn.com

"CNN is sometimes referred to as CNN/U.S. to distinguish the American channel from its international sister network, CNN International. As of August 2010, CNN is available in over 100 million U.S. households. Broadcast coverage of the U.S. channel extends to over 890,000 American hotel rooms, as well as carriage on cable and satellite providers throughout Canada. Globally, CNN programming airs through CNN International, which can be seen by viewers in over 212 countries and territories." (Wikipedia)

"As of August 2013, CNN is available to approximately 98,496,000 cable, satellite and telco television households (86% of households with at least one television set) in the United States." (Wikipedia)

*Vulnerability Description:*
CNN has a security problem. It can be exploited by XSS (Cross Site Scripting) and Open Redirect attacks.

Based on published news, CNN users were hacked through both Open Redirect and XSS vulnerabilities. According to E Hacker News on June 06, 2013, "(@BreakTheSec) came across a diet spam campaign that leverages the open redirect vulnerability in one of the top News organization CNN."

After the attack, CNN took measures to detect Open Redirect vulnerabilities. The measures are quite good. Almost no links on CNN's website are vulnerable to Open Redirect attacks now, and it takes a long time to find a new unpatched Open Redirect vulnerability on the site.

CNN.com was hacked through Open Redirect in 2013, while the XSS attacks happened in 2007.

*<1>* "The tweet apparently shows cyber criminals managed to leverage the open redirect security flaw in the CNN to redirect twitter users to the Diet spam websites." (E Hacker News)

At the same time, the cybercriminals have also leveraged a similar vulnerability in a Yahoo domain to trick users into thinking that the links point to a trusted website.
Yahoo Open Redirect Vulnerabilities:
http://securityrelated.blogspot.sg/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html

*<2>* CNN.com XSS hacked
http://seclists.org/fulldisclosure/2007/Aug/216

*(1) CNN (cnn.com) Travel-City Related Links XSS (Cross Site Scripting) Security Vulnerabilities*

*Domain:*
http://travel.cnn.com/

*Vulnerability Description:*
The vulnerabilities occur on the "http://travel.cnn.com/city/all" pages. All links under this URL are vulnerable to XSS attacks, e.g.
http://travel.cnn.com/city/all/all/washington?page=0%2C1
http://travel.cnn.com/city/all/all/tokyo/all?page=0%2C1

The vulnerability can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 7.

*PoC Code:*
http://travel.cnn.com/city/all/all/tokyo/all' /"><img src=x onerror=prompt(/justqdjing/)>
http://travel.cnn.com/city/all/all/bangkok/all' /"><img src=x onerror=prompt(/justqdjing/)>

*(1.1) PoC Video:*
https://www.youtube.com/watch?v=Cu47XiDV38M&feature=youtu.be

*Blog Details:*
http://securityrelated.blogspot.sg/2014/12/cnn-cnncom-travel-city-related-links.html

*(2) CNN cnn.com ADS Open Redirect Security Vulnerability*

*Domain:*
http://ads.cnn.com

*Vulnerability Description:*
The vulnerability occurs on the "http://ads.cnn.com/event.ng" page with the "&Redirect" parameter, i.e.
http://ads.cnn.com/event.ng/Type=click&FlightID=92160&AdID=125504&TargetID=1346&RawValues=&Redirect=http:%2f%2fgoogle.com

The vulnerability can be exploited without user login. Tests were performed on Chrome 32 in Windows 8 and Safari 6.16 in Mac OS X v10.7.

*(2.1)* Use the following tests to illustrate the scenario painted above. The redirected webpage address is "http://www.tetraph.com/blog". Suppose that this webpage is malicious.
*Vulnerable URL:*
http://ads.cnn.com/event.ng/Type=click&FlightID=92160&AdID=125504&TargetID=1346&RawValues=&Redirect=http:%2f%2fcnn.com

*PoC Code:*
http://ads.cnn.com/event.ng/Type=click&FlightID=92160&AdID=125504&TargetID=1346&RawValues=&Redirect=http:%2f%2ftetraph.com%2Fblog

*(2.1) PoC Video:*
https://www.youtube.com/watch?v=FE8lhDvKGN0&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.sg/2014/12/cnn-cnncom-ads-open-redirect-security.html

These vulnerabilities were reported to CNN in early July using the contact information here:
http://edition.cnn.com/feedback/#cnn_FBKCNN_com

Reported by:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.
http://www.tetraph.com/wangjing/

*Blog Details:*
http://securityrelated.blogspot.sg/2014/12/cnn-cnncom-travel-xss-and-ads-open.html

--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore
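For the travel.cnn.com XSS in section (1), the following added example (not code from the advisory or from CNN) shows the mitigation: encode the request path for the URL context and then for the HTML attribute context before reflecting it. It assumes the path is echoed into a double-quoted `href` attribute; the advisory does not show the page source, and `render_unsafe`, `render_safe` and `tags_in` are hypothetical names.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Request path taken from the advisory's PoC URL.
POC_PATH = "/city/all/all/tokyo/all' /\"><img src=x onerror=prompt(/justqdjing/)>"


def render_unsafe(path):
    # 'Before' (assumed sink): the path is concatenated into an attribute as-is.
    return '<a class="pager" href="' + path + '?page=0%2C1">next</a>'


def render_safe(path):
    # Percent-encode for the URL context, then HTML-escape for the
    # attribute context (quote=True also escapes " and ').
    url = quote(path, safe="/") + "?page=0%2C1"
    return '<a class="pager" href="' + escape(url, quote=True) + '">next</a>'


class TagCollector(HTMLParser):
    """Records every start tag together with its attribute names."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def tags_in(markup):
    """Parse markup the way a browser would tokenise it and list its tags."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe:", tags_in(render_unsafe(POC_PATH)))
    print("safe:  ", tags_in(render_safe(POC_PATH)))
```

Parsing the rendered output and asserting that only the expected tags exist works well as a regression test for any template that reflects request data.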
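For the ads.cnn.com Open Redirect in section (2), this added example (not code from the advisory or from CNN) parses the `event.ng` click URL format shown above and only honours a `Redirect` target on an allowlisted host. The allowlist, the fallback URL and the function names are assumptions, and the `example.test` inputs in the demo are constructed.

```python
from urllib.parse import unquote, urlsplit

# Assumption: hosts the click tracker is allowed to send users to.
ALLOWED_HOSTS = {"cnn.com", "www.cnn.com", "edition.cnn.com"}
FALLBACK = "http://www.cnn.com/"  # assumed safe default landing page


def extract_redirect(click_url):
    """Return the decoded Redirect value from an event.ng-style URL, whose
    key=value pairs sit in the path separated by '&'."""
    _, _, params = click_url.partition("/event.ng/")
    for pair in params.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key == "Redirect":
            return unquote(value)
    return None


def safe_target(target):
    """Return target if it is an http(s) URL on an allowed host, else FALLBACK."""
    # Backslashes, spaces and control characters are parsed differently by
    # browsers and by urlsplit, so reject them outright.
    if not target or "\\" in target or any(ord(c) < 0x21 for c in target):
        return FALLBACK
    try:
        parts = urlsplit(target)
    except ValueError:
        return FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK  # also rejects scheme-relative //host targets
    if parts.username is not None or parts.password is not None:
        return FALLBACK  # userinfo can disguise the real host
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match only: a suffix check would accept cnn.com.example.test.
    return target if host in ALLOWED_HOSTS else FALLBACK


def resolve_click(click_url):
    return safe_target(extract_redirect(click_url))


if __name__ == "__main__":
    base = ("http://ads.cnn.com/event.ng/Type=click&FlightID=92160&AdID=125504"
            "&TargetID=1346&RawValues=&Redirect=")
    for value in ("http:%2f%2fcnn.com", "http:%2f%2ftetraph.com%2Fblog",
                  "%2f%2fexample.test", "http:%2f%2fcnn.com@example.test"):
        print(value, "->", resolve_click(base + value))
```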

References:

http://seclists.org/fulldisclosure/2007/Aug/216
http://securityrelated.blogspot.sg/2014/12/cnn-cnncom-travel-xss-and-ads-open.html

