按月存檔:六月 2015

eBay Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

留言

ebay-logo

eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

(1) WebSite:
ebay.com



“eBay Inc. (stylized as ebay, formerly eBay) is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multi-billion dollar business with operations localized in over thirty countries.

 

The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include “Buy It Now" shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services." (Wikipedia)

 



(2) Vulnerability Description:

eBay web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability occurs at “ebay.com/rover” page with “&mpre” parameter, i.e.

http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602&itemid=370825182102&mpre=http://www.google.com

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.


 

 

 

(2.1) When a user is redirected from eBay to another site, eBay will check whether the redirected URL belongs to domains in eBay’s whitelist, e.g.
google.com

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from eBay to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from eBay directly.

 

One of the vulnerable domain is,
http://googleads.g.doubleclick.net (Google’s Ad system)

 

 

 

(2.2) Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. We can suppose that this webpage is malicious.

 

Vulnerable URL:

POC:

 

 

Poc Video:
https://www.youtube.com/watch?v=a4H-u17Y9ks

 

Blog Detail:
http://securityrelated.blogspot.com/2014/11/ebay-covert-redirect-vulnerability.html



 

 



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

Google Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

留言

go

 

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

— Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

 

 

 

(1) WebSite:
google.com

 

“Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results.

 

The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy." (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Google web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability exists at “Logout?" page with “&continue" parameter, i.e.


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

(2.1) When a user is redirected from Google to another site, Google will check whether the redirected URL belongs to domains in Google’s whitelist (The whitelist usually contains websites belong to Google), e.g.
docs.google.com
googleads.g.doubleclick.net

 

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Google directly.

 

One of the vulnerable domain is,
googleads.g.doubleclick.net (Google’s Ad System)

 

 

 

(2.2) Use one webpage for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. We can suppose that this webpage is malicious.

Blog Detail:
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html

 

 

 

 

 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

 

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

More Details:
http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html
http://seclists.org/fulldisclosure/2014/Nov/29
http://cxsecurity.com/issue/WLB-2014110106
http://tetraph.blog.163.com/blog/static/23460305120141145350181/
https://infoswift.wordpress.com/2014/05/25/google-web-security/
http://tetraph.tumblr.com/post/119490394042/securitypost#notes
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html
http://webtech.lofter.com/post/1cd3e0d3_706af10
https://twitter.com/tetraphibious/status/559165319575371776
http://tetraph.com/security/covert-redirect/google-based-on-googleads-g-doubleclick-net/
http://www.inzeed.com/kaleidoscope/computer-security/google-covert-g-doubleclick-net/
https://hackertopic.wordpress.com/2014/05/25/google-web-security/

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

留言
 
 

GTY_email_hacker_dm_130718_16x9_608

 

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

 

 

Domain Description:
http://www.weather.com/

 

“The Weather Channel is an American basic cable and satellite television channel which broadcasts weather forecasts and weather-related news and analyses, along with documentaries and entertainment programming related to weather. Launched on May 2, 1982, the channel broadcasts weather forecasts and weather-related news and analysis, along with documentaries and entertainment programming related to weather."

 

“As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives." (Wikipedia)

 

 

 

 

Vulnerability description:


The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs.

 

Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to add script at the end of The Weather Channel’s URLs. Then the scripts will be executed.

 

10 thousands of Links were tested based a self-written tool. During the tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks.

 

The reason of this vulnerability is that Weather Channel uses URLs to construct its HTML tags without filtering malicious script codes.

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

 

 

 

 

weather_1_xss

 
 

weather_2_xx

 

 

POC Codes, e.g.

http://www.weather.com/slideshows/main/“–/>"><img src=x onerror=prompt(‘justqdjing’)>

http://www.weather.com/home-garden/home/white-house-lawns-20140316%22–/“–/>"><img src=x onerror=prompt(‘justqdjing’)>t%28%27justqdjing%27%29%3E

http://www.weather.com/news/main/“><img src=x onerror=prompt(‘justqdjing’)>

 

 

The Weather Channel has patched this Vulnerability in late November, 2014 (last Week). “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. This bug was published at The Full Disclosure in November, 2014.

 

 

 

Discovered by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2014/Nov/89
http://lists.openwall.net/full-disclosure/2014/11/27/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1253
https://progressive-comp.com/?l=full-disclosure&m=141705578527909&w=1
http://whitehatview.tumblr.com/post/104313615841/the-weather-channel-flaw
http://www.inzeed.com/kaleidoscope/xss-vulnerability/the-weather-channel-exploit
http://diebiyi.com/articles/security/the-weather-channel-bug
http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8
https://vulnerabilitypost.wordpress.com/2014/12/04/the-weather-channel-flaw
http://tetraph.blog.163.com/blog/static/234603051201411475314523/
http://tetraph.blogspot.com/2014/12/the-weather-channel-xss.html
http://ithut.tumblr.com/post/121916595448/weather-channel-xss
https://mathfas.wordpress.com/2014/12/04/the-weather-channel-weather-bug
http://computerobsess.blogspot.com/2014/12/the-weather-channel-xss.html
http://www.tetraph.com/blog/xss-vulnerability/the-weather-channel-bug

 

 

 

The New York Times Old Articles Can Be Exploited by XSS Attacks (Almost all Article Pages Before 2013 Are Affected)

留言

 
 

binary_data_illustratio_450

 

Domain:
http://www.nytimes.com/

 

“The New York Times (NYT) is an American daily newspaper, founded and continuously published in New York City since September 18, 1851, by the New York Times Company. It has won 114 Pulitzer Prizes, more than any other news organization. The paper’s print version has the largest circulation of any metropolitan newspaper in the United States, and the second-largest circulation overall, behind The Wall Street Journal. It is ranked 39th in the world by circulation. Following industry trends, its weekday circulation has fallen to fewer than one million daily since 1990. Nicknamed for years as “The Gray Lady", The New York Times is long regarded within the industry as a national “newspaper of record". It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr., (whose family (Ochs-Sulzberger) has controlled the paper for five generations, since 1896), is both the paper’s publisher and the company’s chairman. Its international version, formerly the International Herald Tribune, is now called the International New York Times. The paper’s motto, “All the News That’s Fit to Print", appears in the upper left-hand corner of the front page." (Wikipedia)

 

 

 

(1) Vulnerability Description:

The New York Times has a computer cyber security problem. Hacker can exploit its users by XSS bugs.

 

The code program flaw occurs at New York Times’s URLs. Nytimes (short for New York Times) uses part of the URLs to construct its pages. However, it seems that Nytimes does not filter the content used for the construction at all before 2013.

 

Based on Nytimes’s Design, Almost all URLs before 2013 are affected (All pages of articles). In fact, all article pages that contain “PRINT” button, “SINGLE PAGE” button, “Page *” button, “NEXT PAGE” button are affected.

 

Nytimes changed this mechanism since 2013. It decodes the URLs sent to its server. This makes the mechanism much safer now.

 

However, all URLs before 2013 are still using the old mechanism. This means almost all article pages before 2013 are still vulnerable to XSS attacks. I guess the reason Nytimes does not filter URLs before is cost. It costs too much (money & human capital) to change the database of all posted articles before.

 

 

nytimes_2010_xss

 

nytimes_2011_xss

 

 

 

 

Living POCs Codes:

http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2011/01/09/travel/09where-to-go.html//’ “><img src=x onerror=prompt(/justqdjing/)>?pagewanted=all&_r=0

http://www.nytimes.com/2010/12/07/opinion/07brooks.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2009/08/06/technology/06stats.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2008/07/09/dining/091crex.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2007/11/14/opinion/lweb14brain.html//’ “><img src=x onerror=prompt(/justqdjing/)>

 

 

 

(2) Vulnerability Analysis:
Take the following link as an example,
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/“><vulnerabletoattack

 

It can see that for the page reflected, it contains the following codes. All of them are vulnerable.

 

<li class=”print”>

<a href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=print”>Print</testtesttest?pagewanted=print”></a>

</li>

 

<li class=”singlePage”>

<a href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><testtesttest?pagewanted=all”> Single Page</vulnerabletoattack?pagewanted=all”></a>

</li>

 

<li> <a onclick=”s_code_linktrack(‘Article-MultiPagePageNum2′);” title=”Page 2″ href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=2″>2</testtesttest?pagewanted=2″></a>

</li>

 

<li> <a onclick=”s_code_linktrack(‘Article-MultiPagePageNum3′);” title=”Page 3″ href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=3″>3</testtesttest?pagewanted=3″></a>

</li>

 

<a class=”next” onclick=”s_code_linktrack(‘Article-MultiPage-Next’);” title=”Next Page” href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=2″>Next Page »</testtesttest?pagewanted=2″></a>

 

 

 

 

(3) What is XSS?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

 

“Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records. Cross-site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques Cross-site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet." (Acunetix)

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

 

 

 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

More Details:
http://lists.openwall.net/full-disclosure/2014/10/16/2
http://www.tetraph.com/blog/xss-vulnerability/new-york-times-xss
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1102
http://webcabinet.tumblr.com/post/121907302752/new-york-times-xss
http://www.inzeed.com/kaleidoscope/xss-vulnerability/new-york-times-xss
https://progressive-comp.com/?l=full-disclosure&m=141343993908563&w=1
http://webtech.lofter.com/post/1cd3e0d3_6f57c56
http://tetraph.blog.163.com/blog/static/2346030512014101270479/
https://vulnerabilitypost.wordpress.com/2014/11/01/new-york-times-xss
http://lifegrey.tumblr.com/post/121912534859/tous-les-liens-vers-les-articles
http://securityrelated.blogspot.com/2014/10/new-york-times-design.html
https://mathfas.wordpress.com/2014/11/01/new-york-times-xss
http://computerobsess.blogspot.com/2014/10/new-york-times-design.html
http://whitehatview.tumblr.com/post/103788276286/urls-to-articles-xss
http://diebiyi.com/articles/security/xss-vulnerability/new-york-times-xss

 

 

 

Mozilla Online Website Two Sub-Domains XSS (Cross-site Scripting) Bugs ( All URLs Under the Two Domains)

留言

6864_cTAUHWda_o-600x401

 

 

Domains:
http://lxr.mozilla.org/
http://mxr.mozilla.org/
(The two domains above are almost the same)

 

Websites information:
“lxr.mozilla.org, mxr.mozilla.org are cross references designed to display the Mozilla source code. The sources displayed are those that are currently checked in to the mainline of the mozilla.org CVS server, Mercurial Server, and Subversion Server; these pages are updated many times a day, so they should be pretty close to the latest‑and‑greatest." (from Mozilla)

“Mozilla is a free-software community which produces the Firefox web browser. The Mozilla community uses, develops, spreads and supports Mozilla products, thereby promoting exclusively free software and open standards, with only minor exceptions. The community is supported institutionally by the Mozilla Foundation and its tax-paying subsidiary, the Mozilla Corporation. In addition to the Firefox browser, Mozilla also produces Thunderbird, Firefox Mobile, the Firefox OS mobile operating system, the bug tracking system Bugzilla and a number of other projects." (Wikipedia)

 

 

 

(1) Vulnerability description:
Mozilla website has a computer cyber security problem. Hacker can attack it by XSS bugs. Here is the description of XSS: “Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records. Cross-site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques Cross-site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet." (Acunetix)

 

 

All pages under the following two URLs are vulnerable.
http://lxr.mozilla.org/mozilla-central/source
http://mxr.mozilla.org/mozilla-central/source

This means all URLs under the above two domains can be used for XSS attacks targeting Mozilla’s users.

Since there are large number of pages under them. Meanwhile, the contents of the two domains vary. This makes the vulnerability very dangerous. Attackers can use different URLs to design XSS attacks to Mozilla’s variety class of users.

 

 

mozilla_lxr_2_xss

 
 

mozilla_mxr_1_xss

 

 

 

POC Codes:

http://lxr.mozilla.org/mozilla-central/source/<body onload=prompt(“justqdjing")>

http://mxr.mozilla.org/mozilla-central/source/<body onload=prompt(“justqdjing")>

http://mxr.mozilla.org/mozilla-central/source/webapprt/<body onload=prompt(“justqdjing")>

 

(2) Vulnerability Analysis:
Take the following link as an example,
http://lxr.mozilla.org/mozilla-central/source/chrome/<attacktest&gt;

In the page reflected, it contains the following codes.

<a href="/mozilla-central/source/chrome/%253Cattacktest%253E">

<attacktest></attacktest>

</a>

If insert “<body onload=prompt(“justqdjing")>" into the URL, the code can be executed.

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

 

 

(3) Vulnerability Disclosure:
The vulnerability have been reported to bugzilla.mozilla.org. Mozilla are dealing with this issue.

 


Discovered and Reported by:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

More Details:
http://lists.openwall.net/full-disclosure/2014/10/20/8
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
http://seclists.org/fulldisclosure/2014/Oct/92
http://www.tetraph.com/blog/xss-vulnerability/mozilla-xss
http://whitehatview.tumblr.com/post/101466861221/mozilla-mozilla
http://tetraph.blog.163.com/blog/static/2346030512014101115642885/
http://computerobsess.blogspot.com/2014/10/mozilla-mozillaorg-two-sub-domains.html
https://tetraph.wordpress.com/2014/11/26/mozilla-two-sub-domains-xss
http://tetraph.blogspot.com/2014/10/mozilla-mozillaorg-two-sub-domains.html
http://itsecurity.lofter.com/post/1cfbf9e7_54fc68f
http://whitehatview.tumblr.com/post/103540568486/two-of-mozillas-cross
http://diebiyi.com/articles/security/xss-vulnerability/mozilla-xss
http://www.inzeed.com/kaleidoscope/xss-vulnerability/mozilla-xss
https://mathfas.wordpress.com/2014/11/01/mozilla-xss
http://www.tetraph.com/blog/xss-vulnerability/mozilla-xss
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1121

All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (Cross Site Scripting) Attacks

留言

 
 
Secure website



(1) Domain Description:
http://www.indiatimes.com

“The Times of India (TOI) is an Indian English-language daily newspaper. It is the third-largest newspaper in India by circulation and largest selling English-language daily in the world according to Audit Bureau of Circulations (India). According to the Indian Readership Survey (IRS) 2012, the Times of India is the most widely read English newspaper in India with a readership of 7.643 million. This ranks the Times of India as the top English daily in India by readership. It is owned and published by Bennett, Coleman & Co. Ltd. which is owned by the Sahu Jain family. In the Brand Trust Report 2012, Times of India was ranked 88th among India’s most trusted brands and subsequently, according to the Brand Trust Report 2013, Times of India was ranked 100th among India’s most trusted brands. In 2014 however, Times of India was ranked 174th among India’s most trusted brands according to the Brand Trust Report 2014, a study conducted by Trust Research Advisory." (en.Wikipedia.org)

 

 

 

(2) Vulnerability description:

The web application indiatimes.com online website has a security problem. Hacker can exploit it by XSS bugs.

 

The code flaw occurs at Indiatimes’s URL links. Indiatimes only filter part of the filenames in its website. All URLs under Indiatimes’s “photogallery" and “top-llists" topics are affected.

Indiatimes uses part of the links under “photogallery" and “top-llists" topics to construct its website content without any checking of those links at all. This mistake is very popular in nowaday websites. Developer is not security expert.

The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (26.0) in Ubuntu (12.04) and Microsoft IE (9.0.15) in Windows 7.

 

 

indiatimes_xss_2

 

indiatimes_xss1

 

 

POC Codes:

http://www.indiatimes.com/photogallery/“>homeqingdao<img src=x onerror=prompt(‘justqdjing’)>

http://www.indiatimes.com/top-lists/“>singaporemanagementuniversity<img src=x onerror=prompt(‘justqdjing’)>

http://www.indiatimes.com/photogallery/lifestyle/“>astar<img src=x onerror=prompt(‘justqdjing’)>

http://www.indiatimes.com/top-lists/technology/“>nationaluniversityofsingapore<img src=x onerror=prompt(‘justqdjing’)>

 

 

 

 

What is XSS?

“Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it." (OWASP)

 

 

 

(3) Vulnerability Disclosure:

The vulnerabilities were reported to Indiatimes in early September, 2014. However they are still unpatched.

Discovered and Reported by:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2014/Nov/91
http://lists.openwall.net/full-disclosure/2014/11/27/6
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1256
https://progressive-comp.com/?l=full-disclosure&m=141705615327961&w=1
http://tetraph.blog.163.com/blog/static/234603051201501352218524/
https://cxsecurity.com/issue/WLB-2014120004
https://mathfas.wordpress.com/2014/12/04/all-links-in-two-topics-of-indiatimes
http://diebiyi.com/articles/security/all-links-in-two-topics-of-indiatimes
http://www.inzeed.com/kaleidoscope/computer-security/all-links-in-two-topics
http://itsecurity.lofter.com/post/1cfbf9e7_54fc6c9
http://computerobsess.blogspot.com/2014/12/all-links-in-two-topics-of-indiatimes.html
https://vulnerabilitypost.wordpress.com/2014/12/04/indiatimes-xss
http://whitehatview.tumblr.com/post/104310651681/times-of-india-website
http://www.tetraph.com/blog/computer-security/all-links-in-two-topics-xss

CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

留言

6kbbs_4

 

CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

 

Exploit Title: 6kbbs Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: April 02, 2015

Latest Update: April 02, 2015

Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]

CVE Reference: *

CXSecurity Reference: WLB-2015040034

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Writer and Reporter: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

Suggestion Details:



(1) Vendor & Product Description:



Vendor:

6kbbs

 

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

 

Vendor URL & download:

6kbbs can be gain from here,

http://www.6kbbs.com/download.html

http://en.sourceforge.jp/projects/sfnet_buzhang/downloads/6kbbs.zip/

 

Product Introduction Overview:

“6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user’s preferred utility functions."

“1, using XHTML + CSS architecture, so that the structure of the page, saving transmission static page code, but also easy to modify the interface, more in line with WEB standards; 2, the Forum adopted Cookies, Session, Application and other technical data cache on the forum, reducing access to the database to improve the performance of the Forum. Can carry more users simultaneously access; 3, the data points table function, reduce the burden on the amount of data when accessing the database; 4, support for multi-skin style switching function; 5, the use of RSS technology to support subscriptions forum posts, recent posts, user’s posts; 6, the display frame mode + tablet mode, the user can choose according to their own preferences to; 7. forum page optimization keyword search, so the forum more easily indexed by search engines; 8, extension, for our friends to provide a forum for a broad expansion of space services; 9, webmasters can add different top and bottom of the ad, depending on the layout; 10, post using HTML + UBB way the two editors, mutual conversion, compatible with each other; …"

 

 

 

(2) Vulnerability Details:

6kbbs web application has a computer cyber security bug problem. It can be exploited by CSRF (Cross-Site Request Forgery) attacks. This may allow an attacker to trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into creating files that may then be called via a separate CSRF attack or possibly other means, and executed in the context of their session with the application, without further prompting or verification.

Several 6kbbs products 0-day vulnerabilities have been found by some other bug hunter researchers before. 6kbbs has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to csrf vulnerabilities.

 

(2.1) The first code programming flaw occurs at “/portalchannel_ajax.php?" page with “&id" and &code" parameters in HTTP $POST.

(2.2) The second code programming flaw occurs at “/admin.php?" page with “&fileids" parameter in HTTP $POST.

 

 

 

 

Related Articles:
http://cxsecurity.com/issue/WLB-2015040034
http://lists.openwall.net/full-disclosure/2015/04/05/7
http://www.intelligentexploit.com/view-details.html?id=21071
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819
https://www.mail-archive.com/fulldisclosure@seclists.org/msg01902.html
http://seclists.org/fulldisclosure/2015/Apr/13
http://www.tetraph.com/security/csrf-vulnerability/6kbbs-v8-0-csrf
http://essayjeans.blog.163.com/blog/static/237173074201551435316925/
https://itinfotechnology.wordpress.com/2015/04/14/6kbbs-crsf/
http://frenchairing.blogspot.fr/2015/06/6kbbs-crsf.html
http://tetraph.blog.163.com/blog/static/234603051201551444917365/
http://diebiyi.com/articles/security/6kbbs-v8-0-csrf
http://securityrelated.blogspot.com/2015/04/6kbbs-v80-multiple-csrf-cross-site.html
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-multiple-csrf
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-csrf

 

 

 

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

留言

netcat_4

 

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

 

Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML Injection Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: April 15, 2015

Latest Update: April 15, 2015

Vulnerability Type: Improper Input Validation [CWE-20]

CVE Reference: *

OSVDB Reference: 120807

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 



Advisory Details:



(1) Vendor & Product Description:


Vendor:

NetCat

 

Product & Vulnerable Version:

NetCat

3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

 

Vendor URL & Download:

NetCat can be downloaded from here,

http://netcat.ru/

 

Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card" with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section."

“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000."

 

 

 

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTML Injection attacks. Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user’s trust.

Several NetCat products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. “Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What’s more, you can now subscribe to an RSS feed containing the specific tags that you are interested in – you will then only receive alerts related to those tags." It has published suggestions, advisories, solutions details related to cyber security vulnerabilities.

 

(2.1) The programming code flaw occurs at “/catalog/search.php?" page with “&q" parameter.

 

 

 

 

Related Articles:
http://www.osvdb.org/show/osvdb/120807
http://seclists.org/fulldisclosure/2015/Apr/37
http://lists.openwall.net/full-disclosure/2015/04/15/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1843
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01922.html
http://cxsecurity.com/search/author/DESC/AND/FIND/1/10/Wang+Jing/
https://progressive-comp.com/?l=full-disclosure&m=142907520526783&w=1
http://tetraph.com/security/html-injection/netcat-cms-3-12-html-injection/
http://whitehatpost.blog.163.com/blog/static/242232054201551434123334/
http://russiapost.blogspot.ru/2015/06/netcat-html-injection.html
https://inzeed.wordpress.com/2015/04/21/netcat-html-injection/
http://computerobsess.blogspot.com/2015/06/osvdb-120807.html
http://blog.163.com/greensun_2006/blog/static/11122112201551434045926/
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-3-12-html/
http://germancast.blogspot.de/2015/06/netcat-html-injection.html
http://diebiyi.com/articles/security/netcat-cms-3-12-html-injection/

 

 

 

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

留言

netcat_1

 

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

 

Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: March 07, 2015

Latest Update: March 07, 2015

Vulnerability Type: Improper Neutralization of CRLF Sequences (‘CRLF Injection’) [CWE-93]

CVE Reference: *

OSVDB Reference: 119342, 119343

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

Advisory Details:



(1) Vendor & Product Description:



Vendor:

NetCat

 

Product & Version:

NetCat

5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

 

Vendor URL & Download:

NetCat can be got from here,

http://netcat.ru/

 

Product Introduction:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card" with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section."

“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000."

 

 

 

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to CRLF vulnerabilities and cyber intelligence recommendations.

(2.1) The first code flaw occurs at “/post.php" page with “redirect_url" parameter by adding “%0d%0a%20″.

(2.2) The second code flaw occurs at “redirect.php?" page with “url" parameter by adding “%0d%0a%20″.

 

 

 

 

Reference:
http://www.osvdb.org/show/osvdb/119342
http://www.osvdb.org/show/osvdb/119343
http://lists.openwall.net/full-disclosure/2015/03/07/3
http://seclists.org/fulldisclosure/2015/Mar/36
http://marc.info/?l=full-disclosure&m=142576233403004&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01768.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1676
http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://essayjeans.blog.163.com/blog/static/23717307420155142423197/
http://computerobsess.blogspot.com/2015/06/osvdb-119342-netcat-crlf.html
http://diebiyi.com/articles/bugs/netcat-cms-crlf
http://tetraph.blog.163.com/blog/static/234603051201551423749286/
https://webtechwire.wordpress.com/2015/03/14/osvdb-119342-netcat-crlf/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms

Bugtraq ID 75176 – 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

留言

6kbbs_1
Bugtraq ID 75176 – 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

 

Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: June 08, 2015

Latest Update: June 10, 2015

Vulnerability Type: Inadequate Encryption Strength [CWE-326]

CVE Reference: *

CVSS Severity (version 2.0):

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

Recommendation Details:



(1) Vendor & Product Description:

Vendor:

6kbbs

 

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

 

Vendor URL & download:

6kbbs can be gain from here,
http://www.6kbbs.com/download.html

 

Product Introduction Overview:

“6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user’s preferred utility functions. Forum Technical realization (a) interface : using XHTML + CSS structure, so the structure of the page , easy to modify the interface ; save the transmission static page code , greatly reducing the amount of data transmitted over the network ; improve the interface scalability , more in line with WEB standards, support Internet Explorer, FireFox, Opera and other major browsers. (b) Program : The ASP + ACCESS mature technology , the installation process is extremely simple , the environment is also very common."

 

“(1) PHP version : (a) 6kbbs V8.0 start using PHP + MySQL architecture. (b) Currently ( July 2010 ) is still in the testing phase , 6kbbs V8.0 is the latest official release. (2) ASP Version: 6kbbs (6k Forum) is an excellent community forum process . The program is simple but not simple ; fast , small ; interface generous and good scalability ; functional and practical . pursue superiority , good interface , practical functions of choice for subscribers."

 

 

 

(2) Vulnerability Details:

 

6kbbs web application has a computer security problem. It can be exploited by weak encryption attacks. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

 

Several 6kbbs products 0-day web cyber bugs have been found by some other bug hunter researchers before. 6kbbs has patched some of them. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the web securities have been published here.

 

Source Code:

<?php

if(empty($row)){

$extrow=$db->row_select_one(“users","username='{$username}'");

if(!empty($extrow) && !empty($extrow[‘salt’])){

if(md5(md5($userpass).$extrow[‘salt’])==$extrow[‘userpass’]){

$row=$extrow;

$new_row[“userpass"]=$userpass_encrypt;

$new_row[“salt"]="";

$db->row_update(“users",$new_row,"id={$extrow[‘id’]}");

}

}

}

?>

 

 

Source Code From:
http://code.google.com/p/6kbbs/source/browse/trunk/convert/discuz72/loginext.php?r=16

 

We can see that “userpass" stored in cookie was encrypted using “$userpass" user password directly. And there is no “HttpOnly" attribute at all. Since md5 is used for the encryption, it is easy for hackers to break the encrypted message.

 

“The MD5 message-digest cryptography algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. Papers about it have been published on Eurocrypt, Asiacrypt and Crypto. Meanwhile, researchers focusing on it spread in Computer Science, Computer Engineering, IEEE and Mathematics. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. The source code in RFC 1321 contains a “by attribution" RSA license." (Wikipedia)

 

 

 

 

References:
http://seclists.org/fulldisclosure/2015/Jun/34
http://lists.openwall.net/full-disclosure/2015/06/11/6
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02160.html
https://packetstormsecurity.com/files/132270/6kbbs-7.1-8.0-Weak-Cryptography.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2092
http://tetraph.blog.163.com/blog/static/234603051201551415853846/#
https://mathfas.wordpress.com/2015/06/14/6kbbs-weak-encryption/
http://tetraph.com/security/weak-encryption/6kbbs-v8-0-weak-encryption/
http://securityrelated.blogspot.com/2015/06/6kbbs-v80-weak-encryption-cryptography.html
https://vulnerabilitypost.wordpress.com/2015/06/11/6kbbs-v8-0-weak-encryption/
http://www.inzeed.com/kaleidoscope/computer-security/6kbbs-v8-0-weak-encryption/