XSS on a German bank site


The site of the German bank Sparkasse had an XSS vulnerability, and it was "demonstrated".
Full Disclosure: XSS vulnerability on various German online banking sites (sparkasse)
From: Ulrich Keil
Date: Thu, 17 May 2007 06:08:34 +0200

The "Sparkassen-Finanzgruppe" with a transaction volume of over 3.300
billion euro is one of the largest banks for private customers in
Germany. Many local member-banks of the group use the online banking
portal provided by sfze (http://www.sfze.de/), a subsidiary company of
Sparkassen-Finanzgruppe.


Vulnerability:
The online banking software of sfze does not check the HTTP GET
parameter "KONTO" on the login page, and displays the content of this
variable without modification within the HTML form area.


Impact:
An attacker may gather login data (ID+PIN) from customers of the
Sparkassen-Finanzgruppe by tricking them into clicking on a specially crafted
link, which points to the original login page of the online banking system.
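The flaw the advisory describes is a reflected parameter placed verbatim into the login form. The following is an added illustration, not the sfze code or anything from the advisory: a hypothetical login-form renderer in its vulnerable and escaped variants, plus a log check that flags requests whose KONTO value is not a plain numeric account number (the numeric-only assumption and the log lines are constructed for this example).

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical stand-in for the login page: the account number ("KONTO")
# from the query string is placed into the login form as an input value.
# This is NOT the real sfze code; it models the reflection the advisory
# describes.
FORM_TEMPLATE = ('<form action="/login" method="post">'
                 '<input type="text" name="KONTO" value="{konto}">'
                 '<input type="password" name="PIN"></form>')


def render_login_form_vulnerable(konto: str) -> str:
    """Reflects KONTO verbatim into the HTML, as the advisory describes."""
    return FORM_TEMPLATE.format(konto=konto)


def render_login_form_fixed(konto: str) -> str:
    """Mitigation: HTML-escape the value. quote=True also escapes the
    double quote, which matters because the value sits inside an attribute."""
    return FORM_TEMPLATE.format(konto=html.escape(konto, quote=True))


# Detection: an account number is assumed here to be purely numeric
# (an assumption for this example, not something the advisory states).
ACCOUNT_RE = re.compile(r"^\d{1,20}$")


def suspicious_konto_requests(log_lines):
    """Return (line_number, decoded KONTO value) for every GET request whose
    KONTO parameter is not a plain numeric account number."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in qs.get("KONTO", []):
            # parse_qs already percent-decoded once; a second unquote
            # exposes double-encoded values as well.
            value = unquote(value)
            if not ACCOUNT_RE.match(value):
                hits.append((n, value))
    return hits


SAMPLE_LOG = [  # constructed sample access-log lines, not real traffic
    '203.0.113.5 - - [17/May/2007:06:08:34 +0200] "GET /login?KONTO=1234567890 HTTP/1.1" 200 512',
    '203.0.113.6 - - [17/May/2007:06:09:01 +0200] "GET /login?KONTO=%3Cb%3Edemo%3C%2Fb%3E HTTP/1.1" 200 590',
    '203.0.113.7 - - [17/May/2007:06:09:20 +0200] "GET /login HTTP/1.1" 200 500',
]
```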


About this Entry

This page contains a single entry by kenia published on May 17, 2007 at 22:00.
