CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability


Exploit Title: Springshare LibCal Multiple XSS (Cross-Site Scripting) Vulnerability

Product: LibCal

Vendor: Springshare

Vulnerable Versions: 2.0

Tested Version: 2.0

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7291

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Solution Status: Fixed by Vendor

Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]


Advisory Details

(1) Product:

“Springshare LibCal is an easy to use calendaring and event management platform for libraries. Used by 1,600+ libraries worldwide.”

 

 

(2) Vulnerability Details:

Springshare LibCal has a security problem. It is vulnerable to XSS attacks.

The XSS vulnerabilities occur on the “/api_events.php?” page, via the “&m” and “&cid” parameters.
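A detection example for the endpoint named above, added here and not part of the advisory or of LibCal: it scans constructed access-log lines for requests to /api_events.php whose m or cid values carry HTML metacharacters, or whose cid is not a plain numeric id. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in combined log format (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2014:10:00:01 +0000] "GET /api_events.php?m=11&cid=1234 HTTP/1.1" 200 512
203.0.113.9 - - [25/Nov/2014:10:00:07 +0000] "GET /api_events.php?m=%3Cscript%3Ealert(1)%3C/script%3E&cid=1234 HTTP/1.1" 200 640
203.0.113.9 - - [25/Nov/2014:10:00:09 +0000] "GET /api_events.php?m=11&cid=1234%22%3E%3Cb%3Ex HTTP/1.1" 200 640
203.0.113.7 - - [25/Nov/2014:10:00:12 +0000] "GET /index.php?page=%3Cscript%3E HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# None of these characters belongs in a month number or a numeric calendar id.
HTML_META = re.compile(r'[<>"\'`]')


def suspicious_params(query: str) -> dict:
    """Return the m/cid values whose decoded form looks like markup rather than an id."""
    params = parse_qs(query, keep_blank_values=True)
    flagged = {}
    for name in ("m", "cid"):
        for raw in params.get(name, []):
            value = unquote(raw)  # second decode catches double-encoded values
            if name == "cid" and not value.isdigit():
                flagged[name] = value
            elif HTML_META.search(value):
                flagged[name] = value
    return flagged


def scan_log(text: str) -> list:
    """Return (client_ip, parameter, decoded_value) for tainted /api_events.php requests."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != "/api_events.php":
            continue
        client_ip = line.split(" ", 1)[0]
        for param, value in suspicious_params(url.query).items():
            hits.append((client_ip, param, value))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("tainted request: ip=%s param=%s value=%r" % hit)
```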

 

 

(3) Solutions:

2014-10-01: Reported the vulnerability to the vendor

2014-10-15: Vendor replied with thanks and changed the source code


References:

CNN cnn.com ADS Open Redirect Security Vulnerability

Domain:
Based on published news, CNN users were hacked through an Open Redirect vulnerability in 2007.
According to E Hacker News on June 06, 2013, (@BreakTheSec) came across a diet spam campaign that leveraged the open redirect vulnerability in one of the top news organizations, CNN.
“The tweet apparently shows cyber criminals managed to leverage the open redirect security flaw in the CNN to redirect twitter users to the Diet spam websites.” (E hacker News)

After the attack, CNN took measures to detect Open Redirect vulnerabilities. The measures held up well during the tests: almost no links on CNN’s website are vulnerable to Open Redirect attacks now, and it takes a long time to find a new, unpatched Open Redirect vulnerability on the site.

Vulnerability Description:
CNN has a security problem. It is vulnerable to Open Redirect attacks.
The vulnerability occurs at the “http://ads.cnn.com/event.ng” page with the “&Redirect” parameter, i.e.
The vulnerability can be exploited without user login. Tests were performed on Chrome 32 in Windows 8 and Safari 6.16 in Mac OS X v10.7.

 

(1) Use the following tests to illustrate the scenario painted above.
The redirected webpage address is “http://www.tetraph.com/blog”. Suppose that this webpage is malicious.
Vulnerable URL:
POC:

(2) Poc Video:

Those vulnerabilities were reported to CNN in early July via the contact form here:
http://edition.cnn.com/feedback/#cnn_FBKCNN_com

 

Reported by:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (cross site scripting) Attacks

Domain Description:
“According to the Indian Readership Survey (IRS) 2012, the Times of India is the most widely read English newspaper in India with a readership of 7.643 million. This ranks the Times of India as the top English daily in India by readership.” (en.Wikipedia.org)

Vulnerability description:
The vulnerability occurs in Indiatimes’s URL links. Indiatimes only filters part of the filenames on its website. All URLs under Indiatimes’s “photogallery” and “top-lists” topics are affected.
Indiatimes uses part of the links under the “photogallery” and “top-lists” topics to construct its page content without any checking of those links at all. This mistake is very common on today’s websites, because developers are not security experts.
The vulnerability can be exploited without user login. Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0.7601) in Windows 7.
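To show the mistake described above and its fix, here is an added example (not Indiatimes code, and not from the advisory): a page builder that pastes a path segment straight into markup, beside one that output-encodes every interpolated value and validates the slug at routing time. The topic names and the tainted segment are constructed.

```python
import html
import re

# Constructed attacker-controlled path segment (a "photogallery" sub-topic), following the
# quote-and-tag pattern the advisory describes.
TAINTED_SEGMENT = 'lifestyle"><b>x</b>'

# A real topic or gallery slug: letters, digits, '-' or '_', nothing else.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def render_link_vulnerable(topic: str, segment: str) -> str:
    """Mirrors the flaw: the request path is pasted into markup with no checking."""
    return '<a href="/%s/%s">%s</a>' % (topic, segment, segment)


def render_link_hardened(topic: str, segment: str) -> str:
    """Encode every interpolated value on output; only the template supplies tags."""
    t = html.escape(topic, quote=True)
    s = html.escape(segment, quote=True)
    return '<a href="/%s/%s">%s</a>' % (t, s, s)


def validate_segment(segment: str) -> bool:
    """Input validation at routing time: reject anything that is not a plain slug."""
    return SEGMENT_RE.match(segment) is not None


def tag_count(page: str) -> int:
    """Number of '<' in the rendered page; the template alone contributes exactly two."""
    return page.count("<")


if __name__ == "__main__":
    print(render_link_vulnerable("photogallery", TAINTED_SEGMENT))
    print(render_link_hardened("photogallery", TAINTED_SEGMENT))
    print("valid slug:", validate_segment(TAINTED_SEGMENT))
```

Validation alone is not enough (a later template may reuse the value in another context), which is why the hardened renderer encodes regardless of what the router accepted.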





POC Codes:
http://www.indiatimes.com/photogallery/"><img src=x onerror=prompt('justqdjing')>
http://www.indiatimes.com/top-lists/"><img src=x onerror=prompt('justqdjing')>
http://www.indiatimes.com/photogallery/lifestyle/"><img src=x onerror=prompt('justqdjing')>
http://www.indiatimes.com/top-lists/technology/"><img src=x onerror=prompt('justqdjing')>




POC Video:
The vulnerabilities were reported to Indiatimes in early September 2014. However, they are still unpatched.
Reported by:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

Related Articles:
http://www.techworm.net/2014/12/times-india-website-vulnerable-cross-site-scripting-xss-attacks.html
http://seclists.org/fulldisclosure/2014/Nov/91
http://www.tetraph.com/blog/web-security/times-of-india-website-vulnerable-to-cross-site-scripting-xss-attacks/
https://cxsecurity.com/issue/WLB-2014120004
http://vulnerabilitypost.wordpress.com/2014/12/04/all-links-in-two-topics-of-indiatimes-indiatimes-com-are-vulnerable-to-xss-cross-site-scripting-attacks/
http://whitehatpost.blog.163.com/blog/static/2422320542014114750445/#
http://user.qzone.qq.com/2519094351/blog/1417685447

CVE-2014-8489 Ping Identity Corporation “PingFederate 6.10.1 SP Endpoints” Dest Redirect Privilege Escalation Security Vulnerability


Exploit Title: “Ping Identity Corporation” “PingFederate 6.10.1 SP Endpoints” Dest Redirect Privilege Escalation Security Vulnerability
Product: PingFederate 6.10.1 SP Endpoints
Vendor: Ping Identity Corporation
Vulnerable Versions: 6.10.1
Tested Version: 6.10.1
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: URL Redirection to Untrusted Site [CWE-601]
CVE Reference: CVE-2014-8489
CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 10.0
Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

 

Advisory Details

 

(1) Product:
“PingFederate is a best-of-breed Internet-identity security platform that implements multiple standards-based protocols to provide cross-domain single sign-on (SSO) and user-attribute exchange, as well as support for identity-enabled Web Services and cross-domain user provisioning.”

 

(2) Vulnerability Details:
PingFederate 6.10.1 SP Endpoints is vulnerable to Dest Redirect Privilege Escalation attacks.
The security vulnerability occurs at the “/startSSO.ping?” page with the “&TargetResource” parameter.
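Both the CNN “&Redirect” parameter above and the PingFederate “&TargetResource” parameter here are redirect targets taken from the request (CWE-601). The following is an added example of how such a parameter can be validated before the redirect is issued; it is not CNN or Ping Identity code, and the allowed host names are assumed for illustration.

```python
from urllib.parse import urlsplit

# Hosts this site is allowed to send users to (assumed allowlist for the example).
ALLOWED_HOSTS = {"www.example.org", "sso.example.org"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` only if it stays on this site or an allowed host, else `default`.

    Covers the usual bypasses: scheme-relative '//host', backslashes (browsers fold
    '/\\host' into '//host'), userinfo 'https://good@evil', and non-http schemes.
    """
    if not target:
        return default
    # Browsers treat backslashes as forward slashes; normalize before parsing.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading '/', never '//' or '///'.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    if parts.scheme not in ("http", "https"):
        return default
    if parts.username is not None or parts.password is not None:
        return default
    if parts.hostname not in ALLOWED_HOSTS:
        return default
    return candidate


if __name__ == "__main__":
    for t in ["/account/home", "//evil.example/x", "https://www.example.org/page",
              "https://www.example.org@evil.example/", "data:text/html,x"]:
        print("%-40r -> %r" % (t, safe_redirect_target(t)))
```

Where the application must redirect to arbitrary partners (as an SSO endpoint may), the same check applies with the allowlist loaded from the partner configuration rather than hard-coded.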

 

References: