The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

 
 

GTY_email_hacker_dm_130718_16x9_608

 

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

 

 

Domain Description:
http://www.weather.com/

 

“The Weather Channel is an American basic cable and satellite television channel which broadcasts weather forecasts and weather-related news and analyses, along with documentaries and entertainment programming related to weather. Launched on May 2, 1982, the channel broadcasts weather forecasts and weather-related news and analysis, along with documentaries and entertainment programming related to weather.”

 

“As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives.” (Wikipedia)

 

 

 

 

Vulnerability description:


The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs.

 

Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to add script at the end of The Weather Channel’s URLs. Then the scripts will be executed.

 

10 thousands of Links were tested based a self-written tool. During the tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks.

 

The reason of this vulnerability is that Weather Channel uses URLs to construct its HTML tags without filtering malicious script codes.

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

 

 

 

 

weather_1_xss

 
 

weather_2_xx

 

 

POC Codes, e.g.

http://www.weather.com/slideshows/main/“–/>”><img src=x onerror=prompt(‘justqdjing’)>

http://www.weather.com/home-garden/home/white-house-lawns-20140316%22–/“–/>”><img src=x onerror=prompt(‘justqdjing’)>t%28%27justqdjing%27%29%3E

http://www.weather.com/news/main/“><img src=x onerror=prompt(‘justqdjing’)>

 

 

The Weather Channel has patched this Vulnerability in late November, 2014 (last Week). “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. This bug was published at The Full Disclosure in November, 2014.

 

 

 

Discovered by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2014/Nov/89
http://lists.openwall.net/full-disclosure/2014/11/27/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1253
https://progressive-comp.com/?l=full-disclosure&m=141705578527909&w=1
http://whitehatview.tumblr.com/post/104313615841/the-weather-channel-flaw
http://www.inzeed.com/kaleidoscope/xss-vulnerability/the-weather-channel-exploit
http://diebiyi.com/articles/security/the-weather-channel-bug
http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8
https://vulnerabilitypost.wordpress.com/2014/12/04/the-weather-channel-flaw
http://tetraph.blog.163.com/blog/static/234603051201411475314523/
http://tetraph.blogspot.com/2014/12/the-weather-channel-xss.html
http://ithut.tumblr.com/post/121916595448/weather-channel-xss
https://mathfas.wordpress.com/2014/12/04/the-weather-channel-weather-bug
http://computerobsess.blogspot.com/2014/12/the-weather-channel-xss.html
http://www.tetraph.com/blog/xss-vulnerability/the-weather-channel-bug

 

 

 

Advertisements

CVE-2014-2230 – OpenX 2.8.10 Dest Redirect Privilege Escalation Web Security Vulnerability

disavow-links-featured

 

CVE-2014-2230 – OpenX 2.8.10 Dest Redirect Privilege Escalation Web Security Vulnerability

 

Exploit Title: OpenX Dest Redirect Privilege Escalation Web Security Vulnerability

Product: OpenX

Vendor: OpenX

Vulnerable Versions: 2.8.10 and probably prior

Tested Version: 2.8.10

Advisory Publication: October 06, 2014

Latest Update: October 11, 2014

Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification

Writer and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

 

Caution Details:

 

(1) Vendor & Product Description:

Vendor:

OpenX

 

Product & Vulnerable Versions:

OpenX

2.8.10

 

Vendor URL & Download:

Product can be obtained from here,

http://openx.com/

 

Product Introduction Overview:

OpenX is a real time advertising technology company. The company has developed an integrated technology platform that combines ad server and a real time bidding (RTB) exchange with yield optimization for advertising and digital media companies. OpenX’s Ad Exchange is not only one of the world’s largest programmatic digital advertising exchanges. It’s the best performing marketplace with the highest-quality, independently-rated inventory. Building it was no small feat, and we were only able to do it because we understand that publishers’ primary goal with advertising is to optimize monetization. That means maximizing revenue and control, and our solution helps you do both. The first step in any high-performance marketplace is creating demand. Our real time auctions give you maximum exposure to demand sources. All of the largest DSPs, networks and agency trading desks, plus the top advertisers, already purchase inventory on OpenX’s Ad Exchange. We connect you to a broad and deep selection of buyers, and you choose which ones can bid and which impressions they can win. Once you have interested buyers, you want to be able to showcase your inventory and command the best price. Our Ad Exchange supports a variety of formats and screens, letting you easily make all of your inventory available on one platform. We also make it easy for you to extract the full value out of each impression. You can set price floors and employ whitelist and blacklist features to avoid channel conflict and potential dilution of relationships with advertisers who buy direct. Furthermore, you can utilize our technology to manage your premium inventory through direct relationships with advertisers by leveraging preferred deals and private auctions.

According to Pixelate, OpenX Marketplace has the highest quality ad inventory in 2015, beating Google’s ad marketplace (Google Adx). OpenX integrations are widely distributed / long tail and currently sees the second most impressions on the internet, after Google. It’s new traffic quality platform for viewability and fraud detection technology has ability to leverage this position by seeing impressions earlier than existing ad verification / pre-bid solutions used by DSP and agency trading desks. (a) OpenX was ranked the 3rd fastest growing software company in North America with 44,075% growth in revenues from 2008 – 2012 by Deloitte’s Technology Fast 500. (b) According to a report from LeadLedger.com, OpenX has the second largest publisher adserver install base behind Google in 2013. (c) OpenX’s current products include the OpenX Exchange, Ad Server, and SSP (supply side platform) with Demand Fusion. (d) 96% of top 100 brand advertisers and 58% of comScore 100 publishers work with OpenX, conducting 250 billion monthly transactions with 12 billion daily bids from buyers. All major demand side platforms (DSP) including Rocketfuel, Criteo, Turn, MediaMath, Invite Media and Appnexus buy from OpenX ad exchange.

 

 

 

(2) Vulnerability Details:

OpenX web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (Open Redirect or URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. OpenX has patched some of them. The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here! It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

Source code of adclick.php:

$destination = MAX_querystringGetDestinationUrl($adId[0]);

MAX_redirect($destination);

 

The “MAX_redirect” function is bellow,

function MAX_redirect($url)

{

if (!preg_match(‘/^(?:javascript|data):/i’, $url)) {

header(‘Location: ‘.$url);

MAX_sendStatusCode(302);

}

 

The header() function sends a raw HTTP header to a client without any checking of the “$dest” parameter at all.

 

 

 

(1) For “adclick.php”, the code programming flaw occurs with “&dest” parameter.

 

 

(2) For “ck.php”, it uses “adclick.php” file. the code programming flaw occurs with “_maxdest” parameter.

 

 

 

 

 

(3) Solutions:

2014-10-12 Public disclosure with self-written patch.

 

 

 

 

References:

https://webtechwire.wordpress.com/2014/12/09/cve-2014-2230-openx-dest-redirect-privilege-escalation-vulnerability/

http://tetraph.com/security/cves/cve-2014-2230-openx-open-redirect-vulnerability-2/

http://tetraph.blogspot.com/2014/10/cve-2014-2230-openx-dest-redirect.html

http://tetraph.blog.163.com/blog/static/23460305120141011328886/

http://www.inzeed.com/kaleidoscope/open-redirect/cve-2014-2230-openx-dest-redirect-privilege-escalation-vulnerability/

http://diebiyi.com/articles/security/cves/cve-2014-2230-openx-open-redirect-vulnerability-2/

https://hackertopic.wordpress.com/2014/12/12/cve-2014-2230-openx-dest-redirect-privilege-escalation-vulnerability/

https://www.facebook.com/essaybeans/posts/479120835562721

http://ithut.tumblr.com/post/104660020768/whitehatview-cve-2014-2230-openx-dest-redirect