Saturday 7 November 2015

Daily Mail Registration Page Unvalidated Redirects and Forwards & XSS Web Security Problem

Daily Mail Registration Page Unvalidated Redirects and Forwards & XSS Web Security Problem


Website Description:
"The Daily Mail is a British daily middle-market tabloid newspaper owned by the Daily Mail and General Trust. First published in 1896 by Lord Northcliffe, it is the United Kingdom's second biggest-selling daily newspaper after The Sun. Its sister paper The Mail on Sunday was launched in 1982. Scottish and Irish editions of the daily paper were launched in 1947 and 2006 respectively. The Daily Mail was Britain's first daily newspaper aimed at the newly-literate "lower-middle class market resulting from mass education, combining a low retail price with plenty of competitions, prizes and promotional gimmicks", and was the first British paper to sell a million copies a day. It was at the outset a newspaper for women, the first to provide features especially for them, and as of the second-half of 2013 had a 54.77% female readership, the only British newspaper whose female readers constitute more than 50% of its demographic. It had an average daily circulation of 1,708,006 copies in March 2014. Between July and December 2013 it had an average daily readership of approximately 3.951 million, of whom approximately 2.503 million were in the ABC1 demographic and 1.448 million in the C2DE demographic. Its website has more than 100 million unique visitors per month." (Wikipedia)


One of its website's Alexa rank is 93 on January 01 2015. The website is one of the most popular websites in the United Kingdom.


The Unvalidated Redirects and Forwards problem has not been patched, while the XSS problem has been patched.






(1) Daily mail Registration Page Unvalidated Redirects and Forwards Web Security Problem


(1.1) Vulnerability Description:
Daily online websites have a cyber security problem. Hacker can exploit it by Open Redirect (Unvalidated Redirects and Forwards) attacks. During the tests, all Daily mail websites (Daily Mail, Mail on Sunday & Metro media group) use the same mechanism. These websites include dailymail.co.uk, thisismoney.co.uk, and mailonsunday.co.uk.











































Google Dork:
"Part of the Daily Mail, The Mail on Sunday & Metro Media Group"


The vulnerability occurs at "&targetUrl" parameter in "logout.html?" page, i.e.
http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fgoogle.com





(1.2.1) Use the following tests to illustrate the scenario painted above.

The redirected webpage address is "http://diebiyi.com/articles". Can suppose that this webpage is malicious.

Vulnerable URLs:


POC Code:




POC Video:



Blog Details:



(1.2.2) The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 8, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

These bugs were found by using URFDS (Unvalidated Redirects and Forwards Detection System).





(1.2) Description of Open Redirect:
Here is the description of Open Redirect: "A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance." (From CWE)




(1.3) Vulnerability Disclosure:
These vulnerabilities have not been patched.






(2) Daily Mail Website XSS Cyber Security Zero-Day Vulnerability


(2.1) Vulnerability description:
DailyMail has a security problem. Criminals can exploit it by XSS attacks.

The vulnerability occurs at "reportAbuseInComment.html?" page with "&commentId" parameter, i.e.
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=877038



POC Code:
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId="><img src=x onerror=prompt('justqdjing')>



The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (34.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in Windows 7.






















(2.2) What is XSS?
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner." (Wikipedia)




(2.3) Vulnerability Disclosure:
This vulnerability has been patched.




Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)







Posted by at No comments:
Labels: , , , ,

Tuesday 3 November 2015

TeleGraph All Photo (Picture) Pages Have Been Vulnerable to XSS Cyber Attacks

TeleGraph All Photo (Picture) Pages Have Been Vulnerable to XSS Cyber Attacks


Website Description:
http://www.telegraph.co.uk


"The Daily Telegraph is a British daily morning English-language broadsheet newspaper, published in London by Telegraph Media Group and distributed throughout the United Kingdom and internationally. The newspaper was founded by Arthur B. Sleigh in June 1855 as The Daily Telegraph and Courier, and since 2004 has been owned by David and Frederick Barclay. It had a daily circulation of 523,048 in March 2014, down from 552,065 in early 2013. In comparison, The Times had an average daily circulation of 400,060, down to 394,448. The Daily Telegraph has a sister paper, The Sunday Telegraph, that was started in 1961, which had circulation of 418,670 as of March 2014. The two printed papers currently are run separately with different editorial staff, but there is cross-usage of stories. News articles published in either, plus online Telegraph articles, may also be published on the Telegraph Media Group's www.telegraph.co.uk website, all under The Telegraph title." (From Wikipedia)




(1) Vulnerability Description:
Telegraph has a Web security bug problem. It is vulnerable to XSS attacks. In fact, all its photo pages are vulnerable to XSS (Cross-Site Scripting) vulnerabilities. Telegraph's picture pages use "&frame" as its parameter. All its web pages use "&frame" are vulnerable to the bugs. Those vulnerabilities have been patched now.


Examples of Vulnerable Links:



POC Code:


The vulnerability can be attacked without user login. Tests were performed on Firefox (37.02) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 7. The bugs found by using CSXDS.


































































 







(2) XSS Description:
The description of XSS is: "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it." (OWSAP)




Poc Video:





Blog Details:





(3) Vulnerability Disclosure:
Those vulnerabilities are patched now.





Discoved and Disclosured By:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)










Posted by at No comments:
Labels: , , , , , , ,

Friday 25 September 2015

VuFind 1.0 Web Application Reflected XSS (Cross-site Scripting) 0-Day Security Bug

VuFind 1.0 Reflected XSS (Cross-site Scripting) Application 0-Day Web Security Bug



Exploit Title: VuFind Results? &lookfor parameter Reflected XSS Web Security Vulnerability
Product: VuFind
Vendor: VuFind
Vulnerable Versions: 1.0
Tested Version: 1.0
Advisory Publication: September 20, 2015
Latest Update: September 25, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 




Caution Details:


(1) Vendor & Product Description:


Vendor:
VuFind



Product & Vulnerable Versions:
VuFind
1.0



Vendor URL & Download:
Product can be obtained from here,




Product Introduction Overview:
"VuFind is a library resource portal designed and developed for libraries by libraries. The goal of VuFind is to enable your users to search and browse through all of your library's resources by replacing the traditional OPAC to include: Catalog Records, Locally Cached Journals, Digital Library Items, Institutional Repository, Institutional Bibliography, Other Library Collections and Resources. VuFind is completely modular so you can implement just the basic system, or all of the components. And since it's open source, you can modify the modules to best fit your need or you can add new modules to extend your resource offerings. VuFind runs on Solr Energy. Apache Solr, an open source search engine, offers amazing performance and scalability to allow for VuFind to respond to search queries in milliseconds time. It has the ability to be distributed if you need to spread the load of the catalog over many servers or in a server farm environment. VuFind is offered for free through the GPL open source license. This means that you can use the software for free. You can modify the software and share your successes with the community! Take a look at our VuFind Installations Wiki page to see how a variety of organizations have taken advantage of VuFind's flexibility. If you are already using VuFind, feel free to edit the page and share your accomplishments. "






(2) Vulnerability Details:
VuFind web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug researchers before. VuFind has patched some of them. "scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training".


(2.1) The code flaw occurs at "lookfor?" parameter in "/vufind/Resource/Results?" page.

Some other researcher has reported a similar vulnerability here and VuFind has patched it.







(3) Solution:
Update to new version.









References:


Posted by at No comments:
Labels: , , , ,

Sunday 30 August 2015

Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug




Exploit Title: Winmail Server badlogin.php &lid parameter Reflected XSS Web Security Vulnerability

Product: Winmail Server

Vendor: Winmail Server

Vulnerable Versions: 4.2   4.1

Tested Version: 4.2   4.1

Advisory Publication: August 24, 2015

Latest Update: August 30, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)











 






 

























Caution Details:



(1) Vendor & Product Description:



Vendor:

Winmail Server




Product & Vulnerable Versions:

Winmail Server

4.2   4.1




Vendor URL & Download:

Product can be obtained from here,






Product Introduction Overview:

"Winmail Server is an enterprise class mail server software system offering a robust feature set, including extensive security measures. Winmail Server supports SMTP, POP3, IMAP, Webmail, LDAP, multiple domains, SMTP authentication, spam protection, anti-virus protection, SSL security, Network Storage, remote access, Web-based administration, and a wide array of standard email options such as filtering, signatures, real-time monitoring, archiving, and public email folders. Winmail Server can be configured as a mail server or gateway for ISDN, ADSL, FTTB and cable modem networks, beyond standard LAN and Internet mail server configurations."









(2) Vulnerability Details:

Winmail Server web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Winmail Server has patched some of them. "scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training". Scip has recorded similar XSS bugs, such as scipID 26980.




(2.1) The code flaw occurs at "&lid" parameter in "badlogin.php" page. In fact, CVE-2005-3692 mentions that "&retid" parameter in "badlogin.php" page is vulnerable to XSS attacks. But it does not mention "&lid" parameter". The scipID of the bug is 26980. Bugtraq (SecurityFocus) ID is 15493. OSVDB ID is 20926.




References: 
http://seclists.org/oss-sec/2015/q3/459 
http://www.tetraph.com/security/xss-vulnerability/winmail-server-4-2-reflected-xss/ 
http://computerobsess.blogspot.com/2015/08/winmail-xss.html
http://marc.info/?l=oss-security&m=144094251309925&w=4
http://permalink.gmane.org/gmane.comp.security.oss.general/17656
https://webtechwire.wordpress.com/2015/08/31/winmail-xss/
http://tetraph.blog.163.com/blog/static/234603051201573115638385/
http://webtechhut.blogspot.com/2015/08/winmail-xss-0day.html
http://ittechnology.lofter.com/post/1cfbf60d_806df2e
http://www.inzeed.com/kaleidoscope/xss-vulnerability/fc2-blog-xss/
http://webcabinet.tumblr.com/post/128010125747/winmail-xss-bug 
http://www.openwall.com/lists/oss-security/2015/08/30/3
https://progressive-comp.com/?l=oss-security&m=144094251309925&w=1
Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)