Faulty Flash app brings XSS to Content Management Systems

More websites may be exposed to attack following a Ukrainian security researcher's discovery of a cross-site scripting vulnerability in a widespread Flash application. This week, the researcher announced two more content management systems which use insecure versions of the affected Flash file.

Earlier this year, the author also claimed to have found a similar vulnerability in Flash files used by tag cloud plugins for WordPress, Joomulus, JVClouds3D, Joomla and Blogumus.

Eugene Dokukin, posting as MustLive, noted this week that the same problem also affects the Cumulus tag cloud widget for BlogEngine.NET and Kasseler CMS.

The vulnerability allows arbitrary HTML tags to be injected into the tagcloud.swf Flash application. This makes it possible to inject malign JavaScript into the Flash application, although this can only be executed if a victim clicks on the injected content:


If an attacker is able to convince someone to click on the Flash application, the injected JavaScript would be able to run in the context of the site hosting the Flash application. This could be particularly harmful for content management systems, potentially allowing an attacker to launch cross-site request forgery attacks, or even propagate XSS worms through comments or blog posts.

A simple Google search returns many websites which use vulnerable versions of the Flash tag cloud application. Netcraft provides a range of security testing services to identify and eliminate vulnerabilities such as cross-site scripting.

May 2010 Web Server Survey

In the May 2010 survey we received responses from 206,026,787 sites.

Four of the five major web servers gained hostnames since last month. Google lost for the second month in a row with a drop of 1.4M hostnames, predominantly caused by expired sites in its blogging system.

Although Microsoft served 780K more hostnames this month, it actually lost 235K active sites. As with Google, this was due to a significant loss of blogging sites.

The biggest change this month was a 1.9M increase in hostnames served using Apache. The largest contributor to this was a growth of 561K sites by Next Dimension Inc, but the majority of this consisted of parked sites on a single IP address.

Rackspace recently reported that cloud computing sales were predicted to hit £8.5 billion ($12.6 bn) by 2014. Netcraft has seen significant growth in this sector. The number of sites hosted on Amazon EC2 increased for the eighth month in a row. There were 365K Amazon cloud sites in this month's survey, a growth of 33% since December 2009.

One of the busiest sites hosted on Amazon EC2 as determined by visits from the Netcraft Toolbar is www.farmville.com. With over 75 million users, Farmville is a game available through Facebook in which players can grow crops and raise livestock.

Total Sites Across All Domains
August 1995 - May 2010

Total Sites Across All Domains, August 1995 - May 2010

Market Share for Top Servers Across All Domains
August 1995 - May 2010

Graph of market share for top servers across all domains, August 1995 - May 2010

DeveloperApril 2010PercentMay 2010PercentChange
Continue reading

Most Reliable Hosting Company Sites in April 2010

Rank Company site OS Outage
DNS Connect First
1 DataPipe FreeBSD 0:00:00 0.015 0.031 0.027 0.057 0.083
2 GoDaddy.com Inc Windows Server 2003 0:00:00 0.023 0.161 0.092 0.196 0.781
3 New York Internet FreeBSD 0:00:00 0.027 0.106 0.051 0.113 0.312
4 iWeb Technologies Linux 0:00:00 0.031 1.187 0.063 0.127 0.127
5 www.dinahosting.com Linux 0:00:00 0.031 0.178 0.128 0.256 0.256
6 www.navisite.com Linux 0:00:00 0.035 0.353 0.102 0.683 0.896
7 www.netcetera.co.uk Windows Server 2003 0:00:00 0.039 0.084 0.050 0.107 0.212
8 Virtual Internet Linux 0:00:00 0.039 0.173 0.054 0.162 0.329
9 ServInt Linux 0:00:00 0.039 0.162 0.063 0.146 0.331
10 www.acens.com Linux 0:00:00 0.046 0.298 0.129 0.440 0.845

See full table

The most reliable hosting company site in April was DataPipe, once again responding to all but four of Netcraft's requests.

DataPipe provides custom managed hosting solutions for businesses with complex Internet facing infrastructures with over 1,000 customers in seven data centres across the United States, Europe and China.

The second most reliable hosting company site in April was GoDaddy, responding to all but six of Netcraft's requests.

GoDaddy is the world's largest domain name registrar, managing more than 40 million domains.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage.

Further information on the measurement process and current measurements are available.

Inside a 419 scam site

Most of us have received a 419 scam in our mailbox at some time or another. Forming part of what is also known as an advance-fee fraud, these emails typically ask the recipient for their help in transferring a large amount of money from a foreign bank account. In return for their assistance, the recipient is purportedly allowed to keep a significant cut of the proceeds.

There are often some inventive background stories behind the origin of monies — some may involve a government or bank employee who is aware of a large amount of unclaimed money that they themselves cannot access directly. Other common ruses are wealthy foreigners dying in a plane crash shortly after depositing lots of money in a bank, or even a dictator who has built up a fortune in stolen assets.

Most of us are wise enough to ignore these emails; indeed, many are filtered away as spam before they even get a chance to be read. But what happens when someone falls for this first part of a 419 scam? After the victim responds to the fraudster, how does he prove that the money really exists?

In the case of the fictitious bank employee and his bank's unclaimed fortune, one obvious 'proof' is to supply the unwitting victim with the online banking username and password. The victim can then log in to the online banking site and verify that there is, apparently, a lot of money in the pot.

Of course, the online banking site is entirely fake and does not contain any real money; nor does it really allow the money to be transfered to other bank accounts.

A closer look at a real scam site

Every now and then, we stumble upon a scam site that reveals more information than the fraudster intended. Sometimes this is caused by a configuration oversight, but more often than not, this is simply caused by limitations in the free hosting platform or compromised web space selected by the fraudster.

The Asterx Standard Bank is well documented as a 419 scam site. One of its many instantiations was placed onto a free 50webs hosting account, but the fraudster forgot to create an index page. If it wasn't already obvious from the poor web design effort, this makes it rather obvious that the site is fake:


Each webpage on this 419 site is a static HTML file, several of which display fake account details. None of these pages requires authentication, which is clearly something to be suspicious of.

This is the page that the fraudster really wanted you to see, of course:


To add a bit of credibility to the fake login page, it even produces a popup window, warning the victim about identify theft:


After logging in with the top-secret credentials supplied to you by the fraudster (which are of course unnecessary — any username and password will let you in), the account status page shows that the bank account does indeed contain a very healthy balance! Also note the unauthorised use of the VeriSign logo, in an attempt to add some further credibility to the fraudulent site:


By this stage, the fraudster hopes you'll be totally convinced that the money is real. Perhaps convinced enough to transfer the money to your own bank account within 24 hours:


Naturally, transferring such a large amount of money can take a while. This is an ideal moment to slip in a progress bar:


Even the most gullible victim would probably wait for the money to arrive in their account before forwarding a percentage of it on to the fraudster, so how does the fraudster expect to make money?

The fake online banking application informs the victim that the account is on "de-active" mode, and a "Presidential Clean Source of Funds Clearance" is required in order to reactivate the account and have full access to transfer funds:


Undoubtedly, the fraudster will be able to offer the necessary funds clearance document — in exchange for an advance fee, of course. Although this fee may seem very small in comparison to the 8 million dollars at stake, the prospect of getting access to those 8 million dollars could very well blinker a victim into going along with the whole implausible scheme. This is likely to result in the loss of their advance fee, and perhaps anything else the fraudster can coax out of them.

False Start for Cyber Security Challenge?

A cross-site scripting vulnerability has been uncovered on the Cyber Security Challenge UK website, before the site has even been made ready for candidates to register.

Ironically, the programme has been established by a management consortium of key figures in cyber security, and is designed to identify and nurture the UK's future cyber security workforce.

The simple coding error was demonstrated a short while ago by James Wheare. It is not clear whether this security vulnerability is part of the challenge, but we suspect not.

Mr Wheare told Netcraft that he was prompted to look for the hole after reading a friend's tweet, and noticed insufficient encoding in the page's <title> and <h2> tags.

Users of the Netcraft Toolbar are protected against cross-site scripting (XSS) attacks like these, which could otherwise be used to launch cross-site request forgery (CSRF) attacks, modify the content of pages on the Cyber Security Challenge website, or steal session identifiers from victims.


Netcraft also provides a comprehensive range of internet security services which identify vulnerabilities such as cross-site scripting in web applications. Netcraft has informed Cyber Security Challenge UK about the vulnerability.

April 2010 Web Server Survey

In the April 2010 survey we received responses from 205,368,103 sites — a slight fall in the number of sites found.

Three of the five major web servers lost hostnames compared to last month. The two servers to gain sites in the April survey are Microsoft, with over half a million more sites than in March, and nginx with just over 300k new sites. For nginx this reverses the trend of the last three months, when it lost sites due to stale WordPress blogs being expired from the survey.

The survey results this month also show how Chile's internet infrastructure has been affected by the earthquakes which hit the country at the end of February and beginning of March. The two major earthquakes had magnitudes of 8.8 and 6.9 respectively and it is estimated that they took out up to 60% of networks. Despite the scale of the disaster, the number of hostnames seen in Chile this month fell by only 12%.

Total Sites Across All Domains
August 1995 - April 2010

Total Sites Across All Domains, August 1995 - April 2010

Market Share for Top Servers Across All Domains
August 1995 - April 2010

Graph of market share for top servers across all domains, August 1995 - April 2010

DeveloperMarch 2010PercentApril 2010PercentChange
Continue reading