CNN T-Shirts and Oklahoma Criminals

CNN has a new revenue source: t-shirts with CNN headlines. And the State of Oklahoma was letting you get a pile of personal information due to bad programming.

For the t-shirt, create your own URL that looks like this:

http://www.cnn.com/tshirt/?headline=Information%20Security%20knows%20where%20you%20go!&date=1208742566000&hash=e6019d52c9d91cc8eb4e077d85751edc&return_uri=http://www.cnn.com/video/%23/video/world/2008/04/20/thatcher.prince.william.chopper.itn

Just replace the text between “headline=” and “&date”. Spaces are percent-encoded as “%20”. There seems to be a limit on the number of characters, and it doesn’t work without the return_uri value. Paste the new URL into your browser and you’ll get your own T-shirt. Note that the hash parameter is left exactly as it was and the page still accepts the URL, so whatever that hash protects, it isn’t the headline.

When you change the URL values, you are tampering with request parameters that the server trusts; it only becomes a cross-site-scripting attack if the text you supply is rendered into the page unescaped. I have never liked building links with parameter values in them. The values are too easy to tamper with.

Like in this story, where the Oklahoma state offender database could easily be manipulated to add a name of your choosing, because the site carried its database query as a URL parameter. I believe it has since been fixed, but the write-up by the person who found it is here: http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx .
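The pattern behind that leak, as an added example that is not the Oklahoma site's code: a value taken from the URL and pasted into a SQL statement, beside the parameterized version that fixes it. The table, its rows, the fake SSNs and the `city` parameter are all constructed here. The real site went further and put the whole query in the URL, and with a database driver that accepts stacked statements the same concatenation lets an attacker run an INSERT, which is how names get added; this example shows the read side.

```python
"""A URL parameter pasted into SQL, next to the parameterized version.

Added example, not the Oklahoma site's code.  The table, its rows and the
'city' parameter are constructed for illustration.
"""
import sqlite3
from urllib.parse import parse_qs, quote, urlsplit


def make_registry():
    """In-memory stand-in for the offender registry (constructed data, fake SSNs)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE offenders (
            offender_id INTEGER PRIMARY KEY,
            last_name   TEXT NOT NULL,
            city        TEXT NOT NULL,
            ssn         TEXT NOT NULL   -- must never reach the browser
        );
        INSERT INTO offenders VALUES (1, 'DOE', 'TULSA',  '078-05-1120');
        INSERT INTO offenders VALUES (2, 'ROE', 'NORMAN', '999-99-0002');
        INSERT INTO offenders VALUES (3, 'POE', 'TULSA',  '999-99-0003');
    """)
    return conn


def city_param(url):
    """The value of the (hypothetical) 'city' query parameter, percent-decoded."""
    return parse_qs(urlsplit(url).query).get("city", [""])[0]


def roster_vulnerable(conn, url):
    """Builds the statement by string concatenation.  A quote in the value
    ends the literal and everything after it is executed as SQL."""
    sql = ("SELECT last_name, city FROM offenders WHERE city = '"
           + city_param(url) + "'")
    return conn.execute(sql).fetchall()


def roster_fixed(conn, url):
    """Same query with the value bound as a parameter: the database sees it
    as data to compare, never as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT last_name, city FROM offenders WHERE city = ?",
        (city_param(url),),
    ).fetchall()


# Constructed requests: a normal lookup, and a UNION injection that pulls the
# ssn column into the two columns the page already displays.
NORMAL_URL = "http://registry.example/roster?city=TULSA"
ATTACK_URL = ("http://registry.example/roster?city="
              + quote("x' UNION SELECT ssn, last_name FROM offenders --"))


if __name__ == "__main__":
    conn = make_registry()
    print("vulnerable:", roster_vulnerable(conn, ATTACK_URL))  # SSNs leak
    print("fixed:     ", roster_fixed(conn, ATTACK_URL))       # no rows
```

The trailing `--` in the payload comments out the closing quote the application appends, which is why the injected statement parses cleanly. With the bound parameter the same string is simply a city name that matches nothing.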

As for the CNN T-Shirt page, I don’t think it would be too difficult for someone to create their own form page with an input field for the T-shirt text that then builds the URL for the CNN t-shirt.
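Here is what that form page would do, as an added example that is mine and not CNN's code, together with the server-side check that would have stopped the headline swap. The parameter names (headline, date, hash, return_uri) and the base URL come from the URL above; the secret key, the HMAC-SHA256 construction, the two field sets and the function names are assumptions. The "weak" signing covers only the date, to model what the post observes (the headline changes while the hash stays valid); the "strong" form covers every parameter the page acts on.

```python
"""Parameter tampering on a signed URL, and a signature that binds the text.

Added example, not CNN's code.  SECRET, the HMAC-SHA256 construction and
the field sets are assumptions; the parameter names come from the URL above.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlencode, urlsplit

BASE = "http://www.cnn.com/tshirt/"
RETURN_URI = ("http://www.cnn.com/video/#/video/world/2008/04/20/"
              "thatcher.prince.william.chopper.itn")
SECRET = b"kept-on-the-server-never-in-the-url"  # assumption: a server-side key

# Which parameters the hash is computed over.  WEAK_FIELDS models what the
# post observes: the headline can change while the hash stays valid.
WEAK_FIELDS = ("date",)
STRONG_FIELDS = ("headline", "date", "return_uri")


def sign(params, fields):
    """HMAC-SHA256 over the named fields.  Each value is prefixed with its
    name and length so that moving bytes between fields cannot produce the
    same MAC.  Hex-encoded, like the hash parameter in the post."""
    mac = hmac.new(SECRET, digestmod=hashlib.sha256)
    for name in fields:
        value = params[name].encode("utf-8")
        mac.update(f"{name}:{len(value)}:".encode("ascii"))
        mac.update(value)
    return mac.hexdigest()


def build_url(headline, date_ms, fields=STRONG_FIELDS):
    """The 'form page' from the post: turn typed text into a t-shirt URL."""
    params = {"headline": headline, "date": str(date_ms), "return_uri": RETURN_URI}
    params["hash"] = sign(params, fields)
    # quote_via=quote writes spaces as %20, as in the post, rather than '+'.
    return BASE + "?" + urlencode(params, quote_via=quote)


def verify(url, fields=STRONG_FIELDS):
    """Server side: recompute the signature over the parameters actually
    received and compare in constant time.  Missing parameters fail closed."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    try:
        params = {k: qs[k][0] for k in ("headline", "date", "return_uri", "hash")}
    except KeyError:
        return False
    return hmac.compare_digest(sign(params, fields), params["hash"])


def tamper_headline(url, new_headline):
    """Exactly what the post does: swap the text between 'headline=' and
    '&date' and leave every other parameter, hash included, untouched."""
    head, _, rest = url.partition("headline=")
    _, _, tail = rest.partition("&date")
    return head + "headline=" + quote(new_headline) + "&date" + tail


if __name__ == "__main__":
    for label, fields in (("weak", WEAK_FIELDS), ("strong", STRONG_FIELDS)):
        url = build_url("Real CNN headline", 1208742566000, fields)
        forged = tamper_headline(url, "Information Security knows where you go!")
        print(f"{label:6} original ok={verify(url, fields)} "
              f"forged ok={verify(forged, fields)}")
```

Binding return_uri into the signature as well means nobody can point the redirect somewhere else either; a hash that is present in the URL but does not cover the values the page actually renders gives the look of integrity protection without any of it.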
