COMMAND

Citibank C2IT.com allows cross site scripting

SYSTEMS AFFECTED

Current C2IT.com web site as of January 8th 2002

PROBLEM

In devitry's advisory [http://www.devitry.com/c2it-security.html]:

CitiBank's online cash site, C2IT.com, has substantial vulnerabilities to Cross Site Scripting. The site is similar to PayPal in that it lets users attach Bank and Credit Card accounts to this online system. Users can then "send" cash to any user via their email address. The site leaves nearly every form field unfiltered. The site also displays credit card numbers, bank account numbers, security codes and other data with no obfuscation. This info is then available to javascript through cross site scripting.

Citibank was notified 4 months ago about problems with their sites and many times since; however, no noticeable actions have been taken yet.

This alert documents two sample attacks:
 - Gaining access to user's credit card and bank account numbers
 - Scripting cash transfers out of users' accounts

1 -- Alert User's Account Numbers (Credit Card / Bank account)

Bank and Credit Card account numbers that are attached to the user's C2IT account are hidden in the SendCash form. They are accessible by javascript and by Cross Site Scripting. This code can be passed to the ACCOUNT input variable and escaped by "> .. The script sets a time out so that the full form can load. It then accesses the SRC_ACCOUNT form field which has an array of bank/credit card numbers in it.

Page Location: https://www.c2it.com/C2IT/SendCash
Vulnerable Variable: AMOUNT
Pre-Req: User must be logged in and have an attached account.

Sample Script:

<script>
setTimeout("alert(document.forms[0].SRC_ACCOUNT.options[1].value)", 400);
</script>

Additional info: The whole list of account numbers could be sent to another site using document.location. The credit card expiration date and 3 digit security code(!!!) are on the edit account nickname page.

2 -- Automatically Transfer Cash out of Account.

Forms and actions on the site can be scripted through the Cross Site Scripting hole. One thing to script is the Send Cash function that lets one send money to any email address. This script populates the send cash form with email address and amount to send. (Source account could also be selected; by default it comes out of the C2IT account.) The script then confirms the action.

Page Location: https://www.c2it.com/C2IT/SendCash
Vulnerable Variable: AMOUNT
Pre-Req: User must be logged in and have cash or a credit card attached.

Sample Script:

<script>
w=window.open("SendCash", "s","");
setTimeout("f=w.document.forms[0];f.DEST_EMAIL.value='u@you.com'; f.AMOUNT.value=10;f.submit();",15000);
setTimeout("w.document.forms[0].submit();", 15000);
</script>

This could also be called from a dozen other pages / variables of the site.

3 -- Covering your tracks

A full attack may include ways to mask actions that have occurred. C2IT's transaction history page can also be corrupted with non escaped HTML characters. In the above transfer, simply adding some HTML to the NOTE_TO_SELF field would show up on the user's transaction history log in an "A HREF"! A simple "> escapes that, and html could be used to obscure other info on the page. HTML code is left to your imagination.

SOLUTION

Web site should be updated soon
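The two fixes the SOLUTION line calls for, shown as an added example that is not from the advisory or from C2IT: output-encode every reflected field (AMOUNT, NOTE_TO_SELF and the rest) so the "> break-out the advisory relies on cannot close the attribute, and never send full account numbers to the browser at all. The render functions, the acct-* ids and the sample account values are assumptions for the example.

```javascript
// Encode a value for a double-quoted HTML attribute or text node.
// The five characters below are the ones that let data leave its context;
// the advisory's "> trick depends on the first two staying raw.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Reflect the submitted AMOUNT back into the SendCash form.
// Unsafe: raw concatenation, which is what the advisory describes.
function renderAmountUnsafe(amount) {
  return '<input type="text" name="AMOUNT" value="' + amount + '">';
}
// Safe: the same markup with the value encoded first.
function renderAmountSafe(amount) {
  return '<input type="text" name="AMOUNT" value="' + encodeHtml(amount) + '">';
}

// Keep only the last four digits server-side, so even script that does run
// in the page (or a user viewing source) never sees the full number.
function maskAccount(number) {
  const digits = String(number).replace(/\D/g, "");
  return "****" + digits.slice(-4);
}

// Build the SRC_ACCOUNT <select> from masked labels and opaque ids; the
// id-to-account lookup is assumed to stay on the server.
function renderSourceAccounts(accounts) {
  return '<select name="SRC_ACCOUNT">' +
    accounts.map(a =>
      '<option value="' + encodeHtml(a.id) + '">' +
      encodeHtml(a.type + " " + maskAccount(a.number)) + "</option>").join("") +
    "</select>";
}

// Regression check: count tag openers in rendered HTML. A reflected value
// must never add any beyond the one the template itself emits.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}
```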