In a new section supporting the release of an anti-theft product for mobile phones, the web site of Helsinki-based anti-virus company F-Secure is vulnerable to cross site scripting (XSS).
A hidden form field reflects values from a name value pair (hidManufacturer in this case) from the URL.
http://www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/anti-theft-download-wizard.html?hidManufacturer=%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E
First reflection of URL XSS name-value pair:
<input type="hidden" name="hidManufacturer" id="hidManufacturer" value="\'\"><\/title><script>alert(\/Mikko rulz\/)<\/script>"/></p>
But nothing happens on this reflection, because the characters passed in the URL that matter here (the angle brackets and quotes) are written out as the HTML entities &quot;, &gt; and &lt; on the output of the page. This output encoding is generally recognized as good practice and prevents many forms of cross site scripting attacks on web pages.
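To make the encoding point concrete, the following is an added example (my own code, not F-Secure's and not part of the original post). It takes the hidManufacturer value from the URL quoted above, renders the hidden field once the defective way and once with HTML-attribute encoding applied, and runs a small breakout check over each fragment. The function names, the encoder and the check are all assumptions of this example; the only thing taken from the page is the URL and the field name.

```javascript
// Added example: context-aware output encoding for a query-string value
// that is reflected into an HTML attribute (hypothetical helpers).

// Entity-encode the five characters that can terminate an HTML attribute
// value or open a new tag. This is the HTML-attribute rule; a value placed
// inside a <script> block or a URL would need a different encoder.
function encodeForHtmlAttribute(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read a parameter the way the wizard page does: percent-decoded, so %27
// becomes a quote and %3C becomes '<'.
function getParam(url, name) {
  return new URL(url).searchParams.get(name) ?? '';
}

// The defective pattern: the decoded query value is dropped straight into markup.
function renderHiddenFieldUnsafe(name, value) {
  return `<input type="hidden" name="${name}" id="${name}" value="${value}"/>`;
}

// The corrected pattern: every reflection of the value (and the name) goes
// through the attribute encoder. The same call must guard the second
// reflection of the value elsewhere in the page; encoding one copy is not enough.
function renderHiddenField(name, value) {
  const n = encodeForHtmlAttribute(name);
  const v = encodeForHtmlAttribute(value);
  return `<input type="hidden" name="${n}" id="${n}" value="${v}"/>`;
}

// Review-style check on a rendered fragment: capture the body of the value
// attribute and flag any raw angle bracket or quote left inside it. Returns
// true when the value could break out of the attribute.
function attributeBreakout(html) {
  const m = html.match(/value="([\s\S]*)"\/>$/);
  if (!m) return true; // the attribute did not close cleanly at all
  return /[<>"']/.test(m[1]);
}

// The URL from the report above, used here as the sample input.
const reportUrl =
  'http://www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/' +
  'anti-theft-download-wizard.html?hidManufacturer=' +
  '%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E';

const manufacturer = getParam(reportUrl, 'hidManufacturer');
console.log('unsafe :', renderHiddenFieldUnsafe('hidManufacturer', manufacturer),
  '-> breakout', attributeBreakout(renderHiddenFieldUnsafe('hidManufacturer', manufacturer)));
console.log('encoded:', renderHiddenField('hidManufacturer', manufacturer),
  '-> breakout', attributeBreakout(renderHiddenField('hidManufacturer', manufacturer)));
```

The check is deliberately narrow: it only tells you whether a value rendered into a double-quoted attribute can escape that attribute. It is a useful unit test to attach to any template that reflects request data, but it does not replace reviewing each place the value is emitted, which is exactly how the second, unencoded reflection on the F-Secure page slipped through.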
Second reflection in the page of the same value:
The Mikko reference is to Mikko Hypponen, the well known Chief Research Officer at F-Secure. The defect was submitted to XSSED by Xylitol. At a glance this appears to be the first new web site specific problem with the main F-Secure web site (country specific versions have had issues) since the F-Secure forum defacement in 2007.
Reflected cross site scripting attacks are on the low end of the scale when it comes to web application vulnerabilities. They can, however, be used effectively in phishing style attacks: the victim is handed a URL that really does point at F-Secure, but a script executing as the F-Secure web site can attempt to steal the user's session, redirect the user, serve them malware, and so on. As always it behooves a security company to correct problems like this fairly quickly, and F-Secure clearly knows what to do already, since they’re using output encoding in one part of the page.
The problem was corrected quickly, and the issue explained competently by Mikko, as expected.
Filed Under: Cross Site Scripting