About Com Links Vulnerable To Xss Xfs Iframe Attack

Jing who disclosed the vulnerabilities on Monday on his blog Security Pitch and stated that “at least 99.88%” of all topic links and all domains related to About.com are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks. Jing says he informed About.com about the vulnerabilities in October, 2014 but failed to elicit any response from the administrators or the security team of About.com.  He waited fro three months only to find that the vulnerabilities are still not patched.  He stated while making the disclosure, “Until now, they are still unpatched.” In addition to the XSS and XSF vulnerabilities a new “Open Redirect” vulnerability related to about.com is introduced.  Jing says that since About.com is a trusted domain and used by many other websites, the vulnerabilities can be used to perform ‘Covert Redirect’ attacks to other websites. The XSF or the Iframe Injection vulnerability can be used for Denial of service against other websites.  Jing said, “For the Iframe Injection vulnerabilities, can be used to do DOS (Denial-of-Service Attack) to other websites, too.” A video of the Proof of Concept is given below : https://www.youtube.com/watch?v=hx_sdDmSkg0