W3C home > Mailing lists > Public > site-comments@w3.org > July 2010

Re: Vulnerabilities at www.w3.org

From: MustLive <mustlive@websecurity.com.ua>
Date: Thu, 01 Jul 2010 20:12:27 +0000
To: "Ian Jacobs" <ij@w3.org>
Message-Id: <002e01cb1959$9dbc2cd0$010000c0@ml>
Cc: <site-comments@w3.org>
Hello Ian!

You are welcome.

First of all fix all XSS holes which I sent to you (in my two letters).

About abusing of W3C's services due to Abuse of Functionality and
Insufficient Anti-automation vulnerabilities in W3C's validators. As  
you can
see, the abusing can be made due to Insufficient Anti-automation holes  
in
all mentioned validators - it total 11 vulnerable validators (12  
scripts).
So if you'll fix these holes in all validators by making protection from
automated requests (such as captcha), it fixes as Insufficient
Anti-automation holes, as in 99% fixes Abuse of Functionality holes.

In case of W3C Link Checker (which can be used for conducting of DoS  
attacks
on both W3C's and other site's server) it'll be not enough, so making
additional protection (to limit abuse) will be required. But in most  
cases
fixing of Insufficient Anti-automation will be enough.

Besides, last week I wrote an article Using of the sites for attacks on
other sites
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html 
).
In this article I told about conducting of attacks on other sites via  
Abuse
of Functionality vulnerabilities (similar to holes at W3C site).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- From: "Ian Jacobs" <ij@w3.org>
To: "MustLive" <mustlive@websecurity.com.ua>
Cc: <admin@w3.org>; <site-comments@w3.org>
Sent: Wednesday, June 30, 2010 6:39 PM
Subject: Re: Vulnerabilities at www.w3.org


>
> On 30 Jun 2010, at 4:34 AM, MustLive wrote:
>
>> Hello administrator of www.w3.org!
>>
>> I want to warn you about security vulnerabilities at your site.
>>
>
> Hi ML,
>
> Thanks for sending this to us. We are aware of this and are looking   
> into
> finding the right balance between continuing to offer services  and to
> avoid abuse.
>
> Best,
>
> _ Ian
>
>> These are Abuse of Functionality, Insufficient Anti-automation and
>> Cross-Site Scripting vulnerabilities.
>>
>> Abuse of Functionality:
>>
>> This functionality can be used for conducting of CSRF attacks on   
>> other
>> sites.
>>
>> http://validator.w3.org/feed/check.cgi?url=http://google.com
>>
>> http://www.w3.org/2001/03/webdata/xsv?docAddrs=http://google.com&style=xsl
>>
>> http://validator.w3.org/check?uri=http://google.com
>>
>> http://jigsaw.w3.org/css-validator/validator?uri=http://google.com
>>
>> http://validator.w3.org/checklink?uri=http://google.com
>>
>> Note, that service W3C Link Checker can be used for scanning of   
>> whole
>> site and so it consumes more resources, as of W3C's server, as  of  
>> site
>> which is scanning. It can be used for conducting of DoS  attacks on
>> mentioned servers. About such attacks I mentioned in  article DoS  
>> attacks
>> via Abuse of Functionality vulnerabilities
>> (http://websecurity.com.ua/2981/ ).
>>
>> http://qa-dev.w3.org/unicorn/check?ucn_uri=google.com&ucn_task=conformance
>>
>> http://www.w3.org/RDF/Validator/ARPServlet?URI=http://google.com
>>
>> Insufficient Anti-automation:
>>
>> At these pages there is no protection from automated requests   
>> (captcha).
>> Which allows to automate process of conducting of CSRF  attacks at  
>> other
>> sites.
>>
>> XSS (IE):
>>
>> http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Ealert(document.cookie)%3C/script%3E&style=xsl
>>
>> http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Edocument.location%3D%22http://websecurity.com.ua%22%3C/script%3E&style=xsl
>>
>> Works only in Internet Explorer.
>>
>> Attend to security of all of yours web sites, web software and to
>> security audit.
>>
>> I mentioned about these vulnerabilities at my site
>> (http://websecurity.com.ua/4320/ ).
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>
> --
> Ian Jacobs (ij@w3.org)    http://www.w3.org/People/Jacobs/
> Tel:                                      +1 718 260 9447
Received on Saturday, 3 July 2010 02:17:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 24 October 2012 16:21:33 GMT