The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

 
 

GTY_email_hacker_dm_130718_16x9_608

 

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

 

 

Domain Description:
http://www.weather.com/

 

“The Weather Channel is an American basic cable and satellite television channel which broadcasts weather forecasts and weather-related news and analyses, along with documentaries and entertainment programming related to weather. Launched on May 2, 1982, the channel broadcasts weather forecasts and weather-related news and analysis, along with documentaries and entertainment programming related to weather.”

 

“As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives.” (Wikipedia)

 

 

 

 

Vulnerability description:


The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs.

 

Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to add script at the end of The Weather Channel’s URLs. Then the scripts will be executed.

 

10 thousands of Links were tested based a self-written tool. During the tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks.

 

The reason of this vulnerability is that Weather Channel uses URLs to construct its HTML tags without filtering malicious script codes.

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

 

 

 

 

weather_1_xss

 
 

weather_2_xx

 

 

POC Codes, e.g.

http://www.weather.com/slideshows/main/“–/>”><img src=x onerror=prompt(‘justqdjing’)>

http://www.weather.com/home-garden/home/white-house-lawns-20140316%22–/“–/>”><img src=x onerror=prompt(‘justqdjing’)>t%28%27justqdjing%27%29%3E

http://www.weather.com/news/main/“><img src=x onerror=prompt(‘justqdjing’)>

 

 

The Weather Channel has patched this Vulnerability in late November, 2014 (last Week). “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. This bug was published at The Full Disclosure in November, 2014.

 

 

 

Discovered by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2014/Nov/89
http://lists.openwall.net/full-disclosure/2014/11/27/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1253
https://progressive-comp.com/?l=full-disclosure&m=141705578527909&w=1
http://whitehatview.tumblr.com/post/104313615841/the-weather-channel-flaw
http://www.inzeed.com/kaleidoscope/xss-vulnerability/the-weather-channel-exploit
http://diebiyi.com/articles/security/the-weather-channel-bug
http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8
https://vulnerabilitypost.wordpress.com/2014/12/04/the-weather-channel-flaw
http://tetraph.blog.163.com/blog/static/234603051201411475314523/
http://tetraph.blogspot.com/2014/12/the-weather-channel-xss.html
http://ithut.tumblr.com/post/121916595448/weather-channel-xss
https://mathfas.wordpress.com/2014/12/04/the-weather-channel-weather-bug
http://computerobsess.blogspot.com/2014/12/the-weather-channel-xss.html
http://www.tetraph.com/blog/xss-vulnerability/the-weather-channel-bug

 

 

 

The New York Times Old Articles Can Be Exploited by XSS Attacks (Almost all Article Pages Before 2013 Are Affected)

 
 

binary_data_illustratio_450

 

Domain:
http://www.nytimes.com/

 

“The New York Times (NYT) is an American daily newspaper, founded and continuously published in New York City since September 18, 1851, by the New York Times Company. It has won 114 Pulitzer Prizes, more than any other news organization. The paper’s print version has the largest circulation of any metropolitan newspaper in the United States, and the second-largest circulation overall, behind The Wall Street Journal. It is ranked 39th in the world by circulation. Following industry trends, its weekday circulation has fallen to fewer than one million daily since 1990. Nicknamed for years as “The Gray Lady”, The New York Times is long regarded within the industry as a national “newspaper of record”. It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr., (whose family (Ochs-Sulzberger) has controlled the paper for five generations, since 1896), is both the paper’s publisher and the company’s chairman. Its international version, formerly the International Herald Tribune, is now called the International New York Times. The paper’s motto, “All the News That’s Fit to Print”, appears in the upper left-hand corner of the front page.” (Wikipedia)

 

 

 

(1) Vulnerability Description:

The New York Times has a computer cyber security problem. Hacker can exploit its users by XSS bugs.

 

The code program flaw occurs at New York Times’s URLs. Nytimes (short for New York Times) uses part of the URLs to construct its pages. However, it seems that Nytimes does not filter the content used for the construction at all before 2013.

 

Based on Nytimes’s Design, Almost all URLs before 2013 are affected (All pages of articles). In fact, all article pages that contain “PRINT” button, “SINGLE PAGE” button, “Page *” button, “NEXT PAGE” button are affected.

 

Nytimes changed this mechanism since 2013. It decodes the URLs sent to its server. This makes the mechanism much safer now.

 

However, all URLs before 2013 are still using the old mechanism. This means almost all article pages before 2013 are still vulnerable to XSS attacks. I guess the reason Nytimes does not filter URLs before is cost. It costs too much (money & human capital) to change the database of all posted articles before.

 

 

nytimes_2010_xss

 

nytimes_2011_xss

 

 

 

 

Living POCs Codes:

http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2011/01/09/travel/09where-to-go.html//’ “><img src=x onerror=prompt(/justqdjing/)>?pagewanted=all&_r=0

http://www.nytimes.com/2010/12/07/opinion/07brooks.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2009/08/06/technology/06stats.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2008/07/09/dining/091crex.html//’ “><img src=x onerror=prompt(/justqdjing/)>

http://www.nytimes.com/2007/11/14/opinion/lweb14brain.html//’ “><img src=x onerror=prompt(/justqdjing/)>

 

 

 

(2) Vulnerability Analysis:
Take the following link as an example,
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/“><vulnerabletoattack

 

It can see that for the page reflected, it contains the following codes. All of them are vulnerable.

 

<li class=”print”>

<a href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=print”>Print</testtesttest?pagewanted=print”></a>

</li>

 

<li class=”singlePage”>

<a href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><testtesttest?pagewanted=all”> Single Page</vulnerabletoattack?pagewanted=all”></a>

</li>

 

<li> <a onclick=”s_code_linktrack(‘Article-MultiPagePageNum2′);” title=”Page 2″ href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=2″>2</testtesttest?pagewanted=2″></a>

</li>

 

<li> <a onclick=”s_code_linktrack(‘Article-MultiPagePageNum3′);” title=”Page 3″ href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=3″>3</testtesttest?pagewanted=3″></a>

</li>

 

<a class=”next” onclick=”s_code_linktrack(‘Article-MultiPage-Next’);” title=”Next Page” href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=2″>Next Page »</testtesttest?pagewanted=2″></a>

 

 

 

 

(3) What is XSS?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

 

“Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records. Cross-site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques Cross-site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet.” (Acunetix)

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

 

 

 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

More Details:
http://lists.openwall.net/full-disclosure/2014/10/16/2
http://www.tetraph.com/blog/xss-vulnerability/new-york-times-xss
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1102
http://webcabinet.tumblr.com/post/121907302752/new-york-times-xss
http://www.inzeed.com/kaleidoscope/xss-vulnerability/new-york-times-xss
https://progressive-comp.com/?l=full-disclosure&m=141343993908563&w=1
http://webtech.lofter.com/post/1cd3e0d3_6f57c56
http://tetraph.blog.163.com/blog/static/2346030512014101270479/
https://vulnerabilitypost.wordpress.com/2014/11/01/new-york-times-xss
http://lifegrey.tumblr.com/post/121912534859/tous-les-liens-vers-les-articles
http://securityrelated.blogspot.com/2014/10/new-york-times-design.html
https://mathfas.wordpress.com/2014/11/01/new-york-times-xss
http://computerobsess.blogspot.com/2014/10/new-york-times-design.html
http://whitehatview.tumblr.com/post/103788276286/urls-to-articles-xss
http://diebiyi.com/articles/security/xss-vulnerability/new-york-times-xss

 

 

 

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

web INTERNET_COMPUTER_CONCEPT

 

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

 

Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML Injection Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: April 15, 2015

Latest Update: April 15, 2015

Vulnerability Type: Improper Input Validation [CWE-20]

CVE Reference: *

OSVDB Reference: 120807

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 



Advisory Details:



(1) Vendor & Product Description:


Vendor:

NetCat

 

Product & Vulnerable Version:

NetCat

3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

 

Vendor URL & Download:

NetCat can be downloaded from here,

http://netcat.ru/

 

Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”

“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”

 

 

 

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTML Injection attacks. Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user’s trust.

Several NetCat products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. “Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What’s more, you can now subscribe to an RSS feed containing the specific tags that you are interested in – you will then only receive alerts related to those tags.” It has published suggestions, advisories, solutions details related to cyber security vulnerabilities.

 

(2.1) The programming code flaw occurs at “/catalog/search.php?” page with “&q” parameter.

 

 

 

 

Related Articles:
http://www.osvdb.org/show/osvdb/120807
http://seclists.org/fulldisclosure/2015/Apr/37
http://lists.openwall.net/full-disclosure/2015/04/15/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1843
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01922.html
http://cxsecurity.com/search/author/DESC/AND/FIND/1/10/Wang+Jing/
https://progressive-comp.com/?l=full-disclosure&m=142907520526783&w=1
http://tetraph.com/security/html-injection/netcat-cms-3-12-html-injection/
http://whitehatpost.blog.163.com/blog/static/242232054201551434123334/
http://russiapost.blogspot.ru/2015/06/netcat-html-injection.html
https://inzeed.wordpress.com/2015/04/21/netcat-html-injection/
http://computerobsess.blogspot.com/2015/06/osvdb-120807.html
http://blog.163.com/greensun_2006/blog/static/11122112201551434045926/
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-3-12-html/
http://germancast.blogspot.de/2015/06/netcat-html-injection.html
http://diebiyi.com/articles/security/netcat-cms-3-12-html-injection/

 

 

 

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

Macro computer screen shot with binary code and password tex, great concept for computer, technology  and online security.

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities



Exploit Title: CVE-2015-2349 – SuperWebMailer /defaultnewsletter.php” HTMLForm Parameter XSS Web Security Vulnerabilities

Product: SuperWebMailer

Vendor: SuperWebMailer

Vulnerable Versions: 5.*.0.* 4.*.0.*

Tested Version: 5.*.0.* 4.*.0.*

Advisory Publication: March 11, 2015

Latest Update: May 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-2349

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)








Information Details:



(1) Vendor & Product Description:



Vendor:

SuperWebMailer




Product & Vulnerable Versions:

SuperWebMailer

5.60.0.01190

5.50.0.01160

5.40.0.01145

5.30.0.01123

5.20.0.01113

5.10.0.00982

5.05.0.00970

5.02.0.00965

5.00.0.00962

4.50.0.00930

4.40.0.00917

4.31.0.00914

4.30.0.00907

4.20.0.00892

4.10.0.00875



Vendor URL & Download:

SuperWebMailer can be gained from here,

http://www.superwebmailer.de/




Product Introduction Overview:

“Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing.”


“To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm.”


“It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant”






(2) Vulnerability Details:

SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.



Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.


(2.1) The programming code flaw occurs at “&HTMLForm” parameter in “defaultnewsletter.php?” page.










Related Work:

http://seclists.org/fulldisclosure/2015/Mar/55

http://www.securityfocus.com/bid/73063

http://lists.openwall.net/full-disclosure/2015/03/07/3

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819

http://packetstormsecurity.com/files/131288/ECE-Projects-Cross-Site-Scripting.html

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2

https://cxsecurity.com/issue/WLB-2015030043

http://aibiyi.lofter.com/post/1cc9f4e9_6edf9bf

http://tetraph.tumblr.com/post/118764414962/canghaixiao-cve-2015-2349-superwebmailer

http://canghaixiao.tumblr.com/post/118764381217/cve-2015-2349-superwebmailer-5-50-0-01160-xss

http://essaybeans.lofter.com/post/1cc77d20_6edf28c

https://www.facebook.com/essaybeans/posts/561250300683107

https://twitter.com/essayjeans/status/598021595974602752

https://www.facebook.com/pcwebsecurities/posts/687478118064775

http://tetraph.blog.163.com/blog/static/234603051201541231655569/

https://plus.google.com/112682696109623633489/posts/djqcrDw5dQp

http://essayjeans.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html

https://mathfas.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://aibiyi.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html





CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability

CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability

 

Exploit Title: Smartwebsites SmartCMS v.2 Multiple SQL Injection Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: CVE-2014-9558
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

Advisory Details:

 

(1) Vendor & Product Description

 

Vendor: Smartwebsites

 

Product & Version: SmartCMS v.2

 

Vendor URL & Download:

 

Product Description:
“SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user’s technical skills.”

 

(2) Vulnerability Details:
SmartCMS v.2 has a security vulnerability. It can be exploited by SQL Injection attacks.

 

(2.1) The first vulnerability occurs at “index.php?” page with “pageid” “lang” multiple parameters.

 

(2.2) The second vulnerability occurs at “sitemap.php?” page with “pageid” “lang” multiple parameters.

 

 

References:

 

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerability

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerability

 

Exploit Title: Smartwebsites SmartCMS v.2 Multiple XSS Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9557
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

Advisory Details:

 

(1) Vendor & Product Description
Vendor: Smartwebsites
Product & Version: SmartCMS v.2
Vendor URL & Download:
Product Description: “SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user’s technical skills.”

 

(2) Vulnerability Details:
SmartCMS v.2 has a security vulnerability. It can be exploited by XSS attacks.
(2.1) The first vulnerability occurs at “index.php?” page with “pageid” “lang” multiple parameters.
(2.2) The second vulnerability occurs at “sitemap.php?” page with “pageid” “lang” multiple parameters.

 

 

 

 

References:

 

 

 

CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities
Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS
Product: SnipSnap
Vulnerable Versions: 0.5.2a 1.0b1 1.0b2
Tested Version: 0.5.2a 1.0b1 1.0b2
Advisory Publication: Jan 30, 2015
Latest Update: Jan 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9559
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

Advisory Details:

 

(1) Vendor & Product Description
Vendor:
SnipSnap
Product & Version:
SnipSnap
0.5.2a
1.0b1
1.0b2
Vendor URL & Download:
Product Description:
“SnipSnap is a user friendly content management system with features such as wiki and weblog. “

 

(2) Vulnerability Details:
SnipSnap has a security problem. It can be exploited by XSS attacks.
(2.1) The vulnerability occurs at “snipsnap-search?” page with “query” parameter.

 

 


References:

Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities

A computer circuit board.


Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities



Domains Basics:

Alibaba Taobao, AliExpress, Tmall are the top three online shopping websites belonging to Alibaba.





Vulnerability Discover:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/




(1) Domains Descriptions:

“Taobao is a Chinese website for online shopping similar to eBay and Amazon that is operated in China by Alibaba Group.” (Wikipedia)

“With around 760 million product listings as of March 2013, Taobao Marketplace is one of the world’s top 10 most visited websites according to Alexa. For the year ended March 31, 2013, the combined gross merchandise volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.” (Wikipedia)

Alexa ranking 9 at 10:40 am Thursday, 22 January 2015 (GMT+8).



“Launched in 2010, AliExpress.com is an online retail service made up of mostly small Chinese businesses offering products to international online buyers. It is the most visited e-commerce website in Russia” (Wikipedia)



“Taobao Mall, is a Chinese-language website for business-to-consumer (B2C) online retail, spun off from Taobao, operated in the People’s Republic of China by Alibaba Group. It is a platform for local Chinese and international businesses to sell brand name goods to consumers in mainland China, Hong Kong, Macau and Taiwan.” (Wikipedia)

 

 

(2) Vulnerability descriptions:

Alibaba Taobao AliExpress Tmall online electronic shopping website has a cyber security bug problem. It can be exploited by XSS and Covert Redirect attacks.

 

 

(3) Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS

The vulnerability can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (8.0.7601) in Windows 7.

 

 

(3.1) Alibaba Taobao Online Electronic Shopping Website (Taobao.com ) XSS (cross site scripting) Security Vulnerability

The vulnerabilities occur at “writecookie.php?” page with “ck” parameter, e.g

POC Code:

http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw“–>’-alert(/justqdjing/ )-‘”;&redirect=0

POC Video:

Blog Details:




(3.2)Alibaba AliExpress Online Electronic Shopping Website (Aliexpress.com) XSS Security Vulnerabilities

The vulnerabilities occur at “landing.php?” page with “cateid” “fromapp” parameters, e.g

POC Code:

/’ “><img src=x onerror=prompt(/tetraph/)>

http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/’ “><img src=x onerror=prompt(/tetraph/)><!–&fromapp=

POC Video:

Blog Details:




(3.3) Alibaba Tmall Online Electronic Shopping Website (Tmall.com) XSS Security Vulnerability

The vulnerabilities occur at “writecookie.php?” page with “ck” parameter, e.g

POC Code:

http://www.tmall.com/go/app/sea/writecookie.php?ck=cn“–>’-alert(/tetraph/ )-‘”;&redirect=1

POC Video:

Blog Details:

 

This vulnerabilities were disclosed at Full Disclosure. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” All the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards.

 

 

(4) Alibaba Taobao(taobao.com)Covert Redirect Security Vulnerability Based on Apple.com



(4.1) Vulnerability description:

Alibaba Taobao has a security problem. It can be exploited by Covert Redirect attacks. Taobao will check whether the redirected URL belongs to domains in Taobao’s whitelist, e.g.

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Taobao to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Taobao directly.

In fact, Apple.com was found can be exploited by Open Redirect vulnerabilities. Those vulnerabilities details will be published in the near future.



(4.2) The vulnerability occurs at “redirect.htm?” page, with parameter “&url”, i.e.

The vulnerabilities can be attacked without user login. Tests were performed on IE (10.0) of Windows 8, Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

(4.3) Use a website for the tests,the redirected webpage is “http://www.tetraph.com/blog“. Just suppose it is malicious.

Vulnerable URL:

POC Code:

Poc Video:

Blog Detail:

 

 

Those vulnerablities were reported to Alibaba in 2014 and have been patched by the security team (just checked). Name was listed in the hall of fame by Alibaba.
http://security.alibaba.com/people.htm?id=2048213134

 

 

 

 

https://www.facebook.com/websecuritiesnews/posts/802525526534286

https://www.facebook.com/permalink.php?story_fbid=841091885926189&id=767438873291491

https://infoswift.wordpress.com/2015/01/27/alibaba-xss-open-redirect/

http://tetraph.blog.163.com/blog/static/2346030512015545132356/

 

 



========================================================







阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 跨站脚本攻击 (XSS) & 公开重定向 (Open Redirect) 安全漏洞

 

 

域名:

阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 是阿里巴巴集团最大的前三家网上购物电子商务网站.

 

 

(1) 漏洞描述:

阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 有一个安全问题. 它容易遭受 跨站脚本攻击 (XSS) & 公开重定向 (Open Redirect) 安全漏洞攻击.

漏洞不需要用户登录,测试是基于Windows 7 的 IE (8.0. 7601) 和 Ubuntu (14.04) 的 Firefox (34.0)。

 

 

(1.1) 阿里巴巴 淘宝 线上电子购物网 (Taobao.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “writecookie.php?”, 参数 “ck” e.g.

POC:

http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw“–>’-alert(/tetraph/ )-‘”;&redirect=0

 

 

(1.2) 阿里巴巴 全球速卖通 在线交易平台 (aliexpress.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “mobile_325_promotion_landing.php”, 参数 “cateid” 和 “fromapp” e.g.

POC:

/’ “><img src=x onerror=prompt(/tetraph/)>

http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/’ “><img src=x onerror=prompt(/tetraph/)><!–&fromapp=

 

 

(1.3) 阿里巴巴 天猫 线上电子购物网 (Tmall.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “writecookie.php?”, 参数 “ck” e.g.

POC:

http://www.tmall.com/go/app/sea/writecookie.php?ck=cn“–>’-alert(/tetraph/ )-‘”;&redirect=1

 

 

(2) 阿里巴巴淘宝线上电子购物网(taobao.com)Covert Redirect(隐蔽重定向跳转)安全漏洞基于 苹果网站

 

 

(2.1) 漏洞描述:

阿里巴巴 淘宝购物网 有一个安全问题. 它容易遭受 Covert Redirect (Open Redirect 公开重定向) 漏洞攻击. 所有 属于 Apple.com 的 链接都在白名单内。故而如果 苹果的 网站 本身有 公开重定向问题。那么受害者相当于首先被导向到 苹果官网然后 到 有害网站。 事实上苹果网站被发现有公开重定向问题,过段时间会公布细节。

有漏洞的文件是 “redirect.htm?”, 参数 “&url”, i.e.

这个漏洞不需要用户登录。测试是基于Windows 8 的 IE (10.0) 和 Ubuntu (14.04) 的 Firefox (34.0) 及 Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit),Mac OS X Lion 10.7 的 Safari 6.1.6。

 

 

(2.2) 用一个创建的网页进行测试,这个网页是“http://www.tetraph.com/blog“。可以假定这个页面是有害的。

漏洞网址:

POC 代码:

 

这些漏洞在2014年被报告给阿里巴巴安全应急中心,到今天已被修补 (刚刚检查), 名字被列在了白帽子名单感谢表里。
http://security.alibaba.com/people.htm?id=2048213134

 

漏洞发现者:
王晶, 数学科学系 (MAS), 物理与数学科学学院 (SPMS), 南洋理工大学 (NTU), 新加坡.
http://www.tetraph.com/wangjing/

 

 

 

Des vulnérabilités pour les boutons types « S’identifier avec Facebook »

Quelques semaines seulement après la découverte du bug Heartbleed, les utilisateurs moyens comme vous et moi pourraient s’inquiéter d’un autre problème très répandu qui ne sera pas facile à réparer. Il s’agit du bug « Covert Redirect » récemment révélé par Wang Jing, un étudiant en doctorat de mathématiques à l’université de technologie de Nanyang à Singapour. Le problème a été détecté au sein des célèbres protocoles Internet OpenID et OAuth. Le premier est utilisé quand vous vous identifiez dans des sites qui utilisent vos profils Google, Facebook, LinkedIn, etc. Le deuxième est utilisé quand vous vous autorisez des sites, des applications ou des services avec Facebook/G+/etc., sans révéler pour autant votre mot de passe à ces sites externes. Ces deux protocoles sont utilisés ensemble et vous pourriez bien être en train de communiquer vos informations aux mauvaises personnes.

 

Facebook Hacker received reward for Remote code execution vulnerability


La menace

Nos amis de Threatpost ont une explication du problème plus technique ainsi qu’un lien vers la recherche originale, mais nous vous épargnerons les détails inutiles et allons vous décrire le possible scénario d’attaque et ces conséquences. Premièrement, dans le cas où un utilisateur visiterait un site d’hameçonnage qui utilise le bouton « S’identifier avec Facebook ». Un site peut ressembler de prêt à un service populaire ou se faire passer pour un tout nouveau service. Ensuite, une vraie fenêtre Facebook/G+/LinkedIn s’ouvrira, demandant à l’utilisateur de rentrer son nom d’utilisateur et son mot de passe afin d’autoriser le service à accéder au profil de l’utilisateur. Enfin, l’autorisation d’utiliser le profil est envoyée au mauvais site (d’hameçonnage) en utilisant une redirection incorrecte.

 

Une vraie fenêtre Facebook/G+/LinkedIn s’ouvrira, demandant à l’utilisateur de rentrer son nom d’utilisateur et son mot de passe afin d’autoriser le service à accéder au profil de l’utilisateur.

 

En fin de compte, un cybercriminel reçoit l’autorisation d’accéder au profil de la victime (jeton OAuth) avec toutes les permissions que les applications ont en général, et dans le pire des cas, avec l’habilité d’accéder aux contacts de l’utilisateur, d’envoyer des messages, etc.




Est-ce réparé ? Pas vraiment.

Cette menace ne disparaîtra pas de si tôt, car la réparation devra être aussi bien réalisée du côté du fournisseur (Facebook, LinkedIn, Google, etc.) que du côté du client (le service ou l’application externe). Le protocole OAuth est toujours en version Beta et plusieurs fournisseurs utilisent différentes mises en place qui varient selon leur habilité de contre-attaquer l’attaque mentionnée précédemment. LinkedIn est mieux positionné pour mettre en place la réparation et gère les choses de manière plus stricte en exigeant que le développeur du service externe fournisse une « liste blanche » des redirections correctes. Pour le moment, chaque application qui utilise une autorisation LinkedIn est soit sécurisée soit non fonctionnelle. Les choses sont différentes pour Facebook qui dispose malheureusement d’un très grand nombre d’applications externes et peut-être d’une version de OAuth plus ancienne. C’est pourquoi les porte-paroles de Facebook ont informé Jing que la création d’une liste blanche « n’est pas quelque chose qui pourra être mis en place à court terme ».


Il existe de nombreux autres fournisseurs qui semblent être vulnérables (regardez la photo), donc si vous vous identifiez dans certains sites en utilisant ces services, vous devez prendre des mesures.




Votre plan d’action

Pour les plus prudents, la solution infaillible serait d’abandonner l’utilisation d’OpenID et ces fameux boutons « S’identifier avec… » pendant quelques mois. Cela vous permettra peut-être également de renforcer votre confidentialité, car autoriser ces identifications sur des réseaux sociaux rend votre activité en ligne plus facile à suivre et permet à de plus en plus de sites de lire vos données démographiques de base. Pour éviter d’avoir à mémoriser différents identifiants sur tous ces sites, commencez à utiliser un gestionnaire de mots de passe efficace. La plupart des services, de nos jours, sont équipés de clients multiplateformes et de synchronisation avec le Cloud afin de garantir un accès à vos mots de passe sur tous les ordinateurs que vous possédez.

 

Néanmoins, si vous avez l’intention de continuer à utiliser l’autorisation OpenID, il n’y a pas de danger immédiat. Vous devez juste faire attention et éviter les arnaques d’hameçonnage qui commencent typiquement par un message étrange dans votre boîte de réception ou par un lien provocateur sur Facebook et autres réseaux sociaux. Si vous vous authentifiez dans un service utilisant Facebook/Google/etc., assurez-vous que vous accédez au site de ce service en tapant l’adresse manuellement ou en utilisant un marque page, et non pas le lien contenu dans vos e-mails ou votre messagerie. Vérifiez bien la barre d’adresse afin de ne pas vous rendre sur des sites louches et ne souscrivez pas de nouveaux services avec OpenID, sauf si vous êtes certain à 100% que le service est réputé et qu’il s’agit bien du bon site. De plus, nous vous conseillons d’utiliser une solution de navigation sécurisée telle que Kaspersky Internet Security – Multi-Device qui empêchera votre navigateur de visiter des endroits dangereux tels que des sites d’hameçonnage.


Il s’agit juste de mesures de précaution, que tous les utilisateurs Internet devraient prendre chaque jour, car les menaces d’hameçonnage sont très répandues et efficaces et peuvent mener à toutes sortes de pertes numériques, y compris à la perte de numéros de carte bancaire, d’identifiants de messagerie, etc. Le bug « Covert Redirect » dans OpenID et OAuth n’est qu’une raison supplémentaire de les suivre, et ce, sans exception.

 

 

 


Articles Liés:

http://blog.kaspersky.fr/des-vulnerabilites-pour-les-boutons-types-sidentifier-avec-facebook/2984/

 

 

 

 

 

Continúan los problemas: OAuth y OpenID también son vulnerables

Un nuevo fallo de seguridad amenaza Internet. En este caso se trata de Covert Redirect y ha sido descubierto por un estudiante chino en Singapur. Las empresas tienen en sus manos solucionar este problema.

 

covert_redirect_logo_tetraph

 

Cuando aún resuenan los ecos de Heartbleed y el terremoto que sacudió la red, nos acabamos de enterar que otra brecha de seguridad compromete Internet. En este caso se trata de un fallo que afecta a páginas como Google, Facebook, Microsoft, Linkedin, Yahoo, PayPal, GitHub o Mail.ru que usan estas herramientas de código abierto para autenticar a sus usuarios.

 

Este error permitiría a un atacante haga creer a un usuario que una nueva ventana que redirija a Facebook es segura cuando en realidad no lo es. Hasta aquí la técnica se parece al phishing pero lo que hace lo hace diferente es que Covert Redirect, que así se llama el nuevo exploit, usa el dominio real pero hace un bypass del servidor para conseguir la info. Lo mejor que podemos hacer cuando estemos navegando y pulsemos en un sitio que abre un pop up que nos pide logearnos en Facebook o Google es cerrar esa ventana para evitar que nos redirija a sitios sospechosos.

 

Wang Jing, estudiante de doctorado en la Universidad Técnica de Nanyang (Singapur), es quien ha descubierto la vulnerabilidad y le ha puesto nombre. El problema, según Jing, es que ni el proveedor ni la compañía quieren responsabilizarse de esta brecha ya que costaría mucho tiempo y dinero. Seguramente, ahora que se conoce el caso, las compañías se pondrán manos a la obra.

 

 

 

Artículos Relacionados: