The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

Domain Description:

http://www.weather.com/

"The Weather Channel is an American basic cable and satellite television channel which broadcasts weather forecasts and weather-related news and analyses, along with documentaries and entertainment programming related to weather.  Launched on May 2, 1982, the channel broadcasts weather forecasts and weather-related news and analysis, along with documentaries and entertainment programming related to weather."

"As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives." (Wikipedia)

Vulnerability description:


The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs.

Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to add script at the end of The Weather Channel's URLs. Then the scripts will be executed.

10 thousands of Links were tested based a self-written tool. During the tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks.

The reason of this vulnerability is that Weather Channel uses URLs to construct its HTML tags without filtering malicious script codes. 

The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

POC Codes, e.g.

http://www.weather.com/slideshows/main/"--/>"><img src=x onerror=prompt('justqdjing')>

http://www.weather.com/home-garden/home/white-house-lawns-20140316%22--/"--/>"><img src=x onerror=prompt('justqdjing')>t%28%27justqdjing%27%29%3E

http://www.weather.com/news/main/"><img src=x onerror=prompt('justqdjing')>

POC Video:

https://www.youtube.com/watch?v=Ij78WnzKB4M&feature=youtu.be

Blog Details:

http://securityrelated.blogspot.com/2014/11/the-weather-channel-weather.html

The Weather Channel has patched this Vulnerability in late November, 2014 (last Week).  "The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. This bug was published at The Full Disclosure in November, 2014.

Discovered by:

Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

http://www.tetraph.com/wangjing

More Details:

http://seclists.org/fulldisclosure/2014/Nov/89

http://lists.openwall.net/full-disclosure/2014/11/27/3

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1253

https://progressive-comp.com/?l=full-disclosure&m=141705578527909&w=1

http://whitehatview.tumblr.com/post/104313615841/the-weather-channel-flaw

http://www.inzeed.com/kaleidoscope/xss-vulnerability/the-weather-channel-exploit

http://diebiyi.com/articles/security/the-weather-channel-bug

http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8

https://vulnerabilitypost.wordpress.com/2014/12/04/the-weather-channel-flaw

http://tetraph.blog.163.com/blog/static/234603051201411475314523/

http://tetraph.blogspot.com/2014/12/the-weather-channel-xss.html

http://ithut.tumblr.com/post/121916595448/weather-channel-xss

https://mathfas.wordpress.com/2014/12/04/the-weather-channel-weather-bug

http://computerobsess.blogspot.com/2014/12/the-weather-channel-xss.html

http://www.tetraph.com/blog/xss-vulnerability/the-weather-channel-bug

GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

Domain: getpocket.com

"Pocket was founded in 2007 by Nate Weiner to help people save interesting articles, videos and more from the web for later enjoyment. Once saved to Pocket, the list of content is visible on any device — phone, tablet or computer. It can be viewed while waiting in line, on the couch, during commutes or travel — even offline. The world's leading save-for-later service currently has more than 17 million registered users and is integrated into more than 1500 apps including Flipboard, Twitter and Zite. It is available for major devices and platforms including iPad, iPhone, Android, Mac, Kindle Fire, Kobo, Google Chrome, Safari, Firefox, Opera and Windows." (From: https://getpocket.com/about)

Vulnerability Description:

Pocket has a computer cyber security bug problem. Hacker can exploit it by CSRF attacks.

 "Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application." (OWSAP)

Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2)，Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

Vulnerability Details:

The code programming flaw exists at "https://getpocket.com/edit/edit" page, i.e.https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=

Vulnerable URL:

https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=

Use a website created by me for the following tests. The website is "http://itinfotech.tumblr.com/". Suppose that this website is malicious. If it contains the following link, attackers can post any message as they like.

<a href="https://getpocket.com/edit?url=http%3A%2F%2Fmake.wordpress.org%2Fcore%2F2014%2F01%2F15%2Fgit-mirrors-for-wordpress&title=csrf test">getpocket csrf test</a> [1]

When a logged victim clicks the link ([1]), a new item will be successfully saved to his/her "Pocket" without his/her notice. An attack happens.

Poc Video:http://www.youtube.com/watch?v=Kg743VboyoU&feature=youtu.be

Blog Detail:

https://webtechwire.wordpress.com/2014/04/29/getpocket-csrf/

http://www.tetraph.com/blog/csrf-vulnerability/getpocket-csrf-vulnerability/

http://computerobsess.blogspot.com/2014/10/getpocket-csrf-vulnerability.html

http://tetraph.blog.163.com/blog/static/23460305120143201422975/

Discover and Reporter:

Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

http://www.tetraph.com/wangjing

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities


Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML Injection Web  Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: April 15, 2015
Latest Update: April 15, 2015
Vulnerability Type: Improper Input Validation [CWE-20]
CVE Reference: *
OSVDB Reference: 120807
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discover and Reporter: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)







Advisory Details:


(1) Vendor & Product Description:


Vendor:
NetCat



Product & Vulnerable Version:
NetCat
3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1



Vendor URL & Download:
NetCat can be downloaded from here,
http://netcat.ru/




Product Introduction Overview:
NetCat.ru is russian local company. "NetCat designed to create an absolute majority of the types of sites: from simple "business card" with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data - in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000."







(2) Vulnerability Details:
NetCat web application has a computer security bug problem. It can be exploited by HTML Injection attacks. Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.

Several NetCat products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. "Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What's more, you can now subscribe to an RSS feed containing the specific tags that you are interested in - you will then only receive alerts related to those tags." It has published suggestions, advisories, solutions details related to cyber security vulnerabilities.






(2.1) The programming code flaw occurs at "/catalog/search.php?" page with "&q" parameter.









Related Articles:
http://seclists.org/fulldisclosure/2015/Apr/37
http://lists.openwall.net/full-disclosure/2015/04/15/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1843
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01922.html
http://cxsecurity.com/search/author/DESC/AND/FIND/1/10/Wang+Jing/
https://progressive-comp.com/?l=full-disclosure&m=142907520526783&w=1
http://tetraph.com/security/html-injection/netcat-cms-3-12-html-injection/
http://whitehatpost.blog.163.com/blog/static/242232054201551434123334/
http://russiapost.blogspot.ru/2015/06/netcat-html-injection.html
https://inzeed.wordpress.com/2015/04/21/netcat-html-injection/
http://computerobsess.blogspot.com/2015/06/osvdb-120807.html
http://blog.163.com/greensun_2006/blog/static/11122112201551434045926/
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-3-12-html/
http://germancast.blogspot.de/2015/06/netcat-html-injection.html
http://diebiyi.com/articles/security/netcat-cms-3-12-html-injection/

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities


Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: March 07, 2015
Latest Update: March  07, 2015
Vulnerability Type: Improper Neutralization of CRLF Sequences ('CRLF Injection') [CWE-93]
CVE Reference: *
OSVDB Reference: 119342, 119343
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discover and Author: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)







Advisory Details:


(1) Vendor & Product Description:


Vendor:
NetCat


Product & Version:
NetCat
5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


Vendor URL & Download:
NetCat can be got from here,
http://netcat.ru/


Product Introduction:
NetCat.ru is russian local company. "NetCat designed to create an absolute majority of the types of sites: from simple "business card" with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data - in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000."





(2) Vulnerability Details:
NetCat web application has a computer security bug problem. It can be exploited by HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to CRLF vulnerabilities and cyber intelligence recommendations.

(2.1) The first code flaw occurs at "/post.php" page with "redirect_url" parameter by adding "%0d%0a%20".

(2.2) The second code flaw occurs at "redirect.php?" page with "url" parameter by adding "%0d%0a%20".










References:
http://www.osvdb.org/show/osvdb/119342
http://www.osvdb.org/show/osvdb/119343
http://lists.openwall.net/full-disclosure/2015/03/07/3
http://seclists.org/fulldisclosure/2015/Mar/36
http://marc.info/?l=full-disclosure&m=142576233403004&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01768.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1676

http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://essayjeans.blog.163.com/blog/static/23717307420155142423197/
http://computerobsess.blogspot.com/2015/06/osvdb-119342-netcat-crlf.html
http://diebiyi.com/articles/bugs/netcat-cms-crlf
http://tetraph.blog.163.com/blog/static/234603051201551423749286/
https://webtechwire.wordpress.com/2015/03/14/osvdb-119342-netcat-crlf/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple-http-re
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms

CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities

CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities

Domain:

http://cnn.com

"The Cable News Network (CNN) is an American basic cable and satellite television channel that is owned by the Turner Broadcasting System division of Time Warner. The 24-hour cable news channel was founded in 1980 by American media proprietor Ted Turner. Upon its launch, CNN was the first television channel to provide 24-hour news coverage, and was the first all-news television channel in the United States. While the news channel has numerous affiliates, CNN primarily broadcasts from the Time Warner Center in New York City, and studios in Washington, D.C. and Los Angeles, its headquarters at the CNN Center in Atlanta is only used for weekend programming. CNN is sometimes referred to as CNN/U.S. to distinguish the American channel from its international sister network, CNN International. As of August 2010, CNN is available in over 100 million U.S. households. Broadcast coverage of the U.S. channel extends to over 890,000 American hotel rooms, as well as carriage on cable and satellite providers throughout Canada. Globally, CNN programming airs through CNN International, which can be seen by viewers in over 212 countries and territories. As of February 2015, CNN is available to approximately 96,289,000 cable, satellite and, telco television households (82.7% of households with at least one television set) in the United States." (Wikipedia)

Discovered and Reported by:

Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.  (@justqdjing)

http://www.tetraph.com/wangjing/

Vulnerability Description:

CNN has a cyber security bug problem. It cab be exploited by XSS (Cross Site Scripting) and Open Redirect (Unvalidated Redirects and Forwards) attacks.

Based on news published, CNN users were hacked based on both Open Redirect and XSS vulnerabilities.

According to E Hacker News on June 06, 2013, (@BreakTheSec) came across a diet spam campaign that leverages the open redirect vulnerability in one of the top News organization CNN.

After the attack, CNN takes measures to detect Open Redirect vulnerabilities. The measure is quite good during the tests. Almost no links are vulnerable to Open Redirect attack on CNN's website, now. It takes long time to find a new Open Redirect vulnerability that is un-patched on its website.

CNN.com was hacked by Open Redirect in 2013. While the XSS attacks happened in 2007.

<1> "The tweet apparently shows cyber criminals managed to leverage the open redirect security flaw in the CNN to redirect twitter users to the Diet spam websites."

Figure from ehackingnews.com

At the same time, the cybercriminals have also leveraged a similar vulnerability in a Yahoo domain to trick users into thinking that the links point to a trusted website.

Yahoo Open Redirects Vulnerabilities:

http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html

<2> CNN.com XSS hacked

http://seclists.org/fulldisclosure/2007/Aug/216

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. CNN has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to XSS and URL Redirection vulnerabilities and cyber intelligence recommendations.

(1) CNN (cnn.com) Travel-City Related Links XSS (cross site scripting) Web Security Bugs

Domain:

travel.cnn.com/

Vulnerability Description:

The programming bug flaws occur at "/city/all" pages. All links under this URL are vulnerable to XSS attacks, e.g

http://travel.cnn.com/city/all/all/washington?page=0%2C1

http://travel.cnn.com/city/all/all/tokyo/all?page=0%2C1

XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results

• Identity theft
• Accessing sensitive or restricted information
• Gaining free access to otherwise paid for content
• Spying on user’s web browsing habits
• Altering browser functionality
• Public defamation of an individual or corporation
• Web application defacement
• Denial of Service attacks

The code programming flaw can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 7.

PoC:

http://travel.cnn.com/city/all/all/tokyo/all' /"><img src=x onerror=prompt(/justqdjing/)>

http://travel.cnn.com/city/all/all/bangkok/all' /"><img src=x onerror=prompt(/justqdjing/)>

(1.1) Poc Video:

https://www.youtube.com/watch?v=Cu47XiDV38M&feature=youtu.be

Blog Details:

http://securityrelated.blogspot.com/2014/12/cnn-cnncom-travel-city-related-links.html

(2) CNN cnn.com ADS Open Redirect Web Security Bug

Domain:

ads.cnn.com

Vulnerability Description:

The programming code flaw occurs at "event.ng" page with "&Redirect" parameter, i.e.

http://ads.cnn.com/event.ng/Type=click&FlightID=92160&AdID=125504&TargetID=1346&RawValues=&Redirect=http:%2f%2fgoogle.com

From OWASP, an open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04)，Apple Safari 6.1.6 of Mac OS X Lion 10.7. 

(2.1) Use the following tests to illustrate the scenario painted above.

The redirected webpage address is "http://webcabinet.tumblr.com/". Suppose that this webpage is malicious.

Vulnerable URL:

http://ads.cnn.com/event.ng/Type=click&FlightID=92160&AdID=125504&TargetID=1346&RawValues=&Redirect=http:%2f%2fcnn.com

POC:

http://ads.cnn.com/event.ng/Type=click&FlightID=92160&AdID=125504&TargetID=1346&RawValues=&Redirect=http:%2f%2fwebcabinet.tumblr.com

Since CNN is well-known worldwide, this vulnerability can be used to do "Covert Redirect" attacks to other websites.

(2.1) Poc Video:

https://www.youtube.com/watch?v=FE8lhDvKGN0&feature=youtu.be

Blog Detail:

http://securityrelated.blogspot.com/2014/12/cnn-cnncom-ads-open-redirect-security.html

Those vulnerabilities were reported to CNN in early July by Contact from Here. But they are still not been patched yet.
http://edition.cnn.com/feedback/#cnn_FBKCNN_com

More Details:
http://seclists.org/fulldisclosure/2014/Dec/128
http://lists.openwall.net/full-disclosure/2014/12/29/6
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1395
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
http://securitypost.tumblr.com/post/107868680057/ithut-cnn-cnn-com-travel
http://ittechnology.lofter.com/post/1cfbf60d_5500df0
http://ithut.tumblr.com/post/120833062743/cnn-xss-url-redirection-bug

http://www.tetraph.com/blog/it-news/cnn-xss-url-redirect-bug/

http://tetraph.blogspot.com/2015/06/cnn-xss-redirect-bug.html

https://biyiniao.wordpress.com/2015/01/08/cnn-xss-open-redirect-bug/

http://whitehatpost.blog.163.com/blog/static/24223205420155613753998/

https://plus.google.com/u/0/+wangfeiblackcookie/posts/bFkukxiUfXK

https://www.facebook.com/permalink.php?story_fbid=674936469318135

http://diebiyi.com/articles/news/cnn-xss-url-redirect-bug/

https://twitter.com/yangziyou/status/607060937309159425

https://redysnowfox.wordpress.com/2014/12/31/cnn-xss-url-redirect-bug/

https://www.facebook.com/permalink.php?story_fbid=1043534509019886

http://whitehatpost.lofter.com/post/1cc773c8_7338196

http://securityrelated.blogspot.com/2014/12/cnn-cnncom-travel-xss-and