计算机网络技术

Web News, Technology, Science, etc

网络技术是从1990年代中期发展起来的新技术,它把互联网上分散的资源融为有机整体,实现资源的全面共享和有机协作,使人们能够透明地使用资源的整体能力并按需获取信息。

日常生活點滴的記錄:

IT 计算机信息网络安全技术:

All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (Cross Site Scripting) Attacks



(1) Domain Description:
http://www.indiatimes.com



"The Times of India (TOI) is an Indian English-language daily newspaper. It is the third-largest newspaper in India by circulation and largest selling English-language daily in the world according to Audit Bureau of Circulations (India). According to the Indian Readership Survey (IRS) 2012, the Times of India is the most widely read English newspaper in India with a readership of 7.643 million. This ranks the Times of India as the top English daily in India by readership. It is owned and published by Bennett, Coleman & Co. Ltd. which is owned by the Sahu Jain family. In the Brand Trust Report 2012, Times of India was ranked 88th among India's most trusted brands and subsequently, according to the Brand Trust Report 2013, Times of India was ranked 100th among India's most trusted brands. In 2014 however, Times of India was ranked 174th among India's most trusted brands according to the Brand Trust Report 2014, a study conducted by Trust Research Advisory." (en.Wikipedia.org)




(2) Vulnerability description:
The web application indiatimes.com online website has a security problem. Hacker can exploit it by XSS bugs.


The code flaw occurs at Indiatimes's URL links. Indiatimes only filter part of the filenames in its website. All URLs under Indiatimes's "photogallery" and "top-llists" topics are affected. 


Indiatimes uses part of the links under "photogallery" and "top-llists" topics to construct its website content without any checking of those links at all. This mistake is very popular in nowaday websites. Developer is not security expert.


The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (26.0) in Ubuntu (12.04) and Microsoft IE (9.0.15) in Windows 7.




Discovered and Reported by:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/





Related Articles:
http://seclists.org/fulldisclosure/2014/Nov/91

http://germancast.blogspot.de/2015/06/all-links-in-two-diatimes.html

https://vulnerabilitypost.wordpress.com/2014/12/04/indiatimes-xss

http://whitehatview.tumblr.com/post/104310651681/times-of-india-website

http://www.tetraph.com/blog/computer-security/all-links-in-two-topics-xss

http://tetraph.blog.163.com/blog/static/234603051201501352218524/

http://www.techworm.net/2014/12/times-india-website-vulnerable-xss

https://cxsecurity.com/issue/WLB-2014120004

http://itprompt.blogspot.com/2014/12/times-of-india-to.html