MailChimp’s Login, Olark, Kaneva Sign-in Page Open Redirect 0Day Attack Bugs

The MailChimp, Olark, and Kaneva websites contain security flaws that can be exploited through Open Redirect (Unvalidated Redirects and Forwards) attacks. CWE describes Open Redirect as follows: “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.” (From CWE-601)

(1) MailChimp’s Login Page Open Redirect Vulnerability

The vulnerability exists on the “http://login.mailchimp.com/?” page in the “referrer” parameter, e.g.
http://login.mailchimp.com/?referrer=http://google.com [1]

When a user who is not logged in clicks the URL ([1]), the MailChimp login page appears. After the user enters a username and password, they are redirected to a webpage outside MailChimp, namely the site named in the “referrer” parameter.
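The root cause in all three cases is a post-login "return to" parameter that is handed to the redirect unchecked. The following is an added example written for this page, not code from MailChimp, Olark or Kaneva: a validator that allows the redirect only when the destination stays on an allow-listed host, applied to the decoded parameter values quoted in this write-up (“referrer” and “logretURLNH”). The allow-list hosts, the fallback path and the extra test inputs are assumptions chosen for illustration. It also covers the bypass spellings a naive "does it start with /" check misses: protocol-relative `//host`, backslash `/\host`, scheme-only `http:host`, and `javascript:` URLs.

```python
"""Allow-list validation for a post-login redirect parameter.

Added example, not code from MailChimp, Olark or Kaneva.  The parameter
names ``referrer`` and ``logretURLNH`` come from the write-up; the
allow-listed hosts and the sample values below are constructed.
"""
from urllib.parse import unquote, urlsplit


def is_safe_redirect(target: str, allowed_hosts: set[str]) -> bool:
    """Return True only if ``target`` stays on one of ``allowed_hosts``.

    Browsers accept several spellings that naive checks miss:
    protocol-relative ``//evil.example``, backslashes ``/\\evil.example``
    (browsers treat ``\\`` as ``/`` in the authority), and scheme-only
    ``http:evil.example``.  Normalise those before deciding.
    """
    if not target:
        return False
    # Browsers treat backslash as a forward slash in the authority section.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, vbscript:, ...
    if not parts.netloc:
        # No authority: accept only a genuine same-site path, i.e. one that
        # starts with a single "/" and carries no scheme ("http:evil.example"
        # parses as scheme "http" with path "evil.example").
        return (
            normalised.startswith("/")
            and not normalised.startswith("//")
            and not parts.scheme
        )
    # Absolute URL: urlsplit strips userinfo and port, so
    # "http://login.mailchimp.com@evil.example/" yields host "evil.example".
    return parts.hostname is not None and parts.hostname in allowed_hosts


def post_login_redirect(raw_param: str, allowed_hosts: set[str], default: str) -> str:
    """Decode the query parameter and choose where the login handler may send the user.

    Anything that fails the allow-list falls back to ``default`` instead of
    being issued as a Location header.
    """
    target = unquote(raw_param)
    return target if is_safe_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    # The two parameter values quoted in the write-up, URL-decoded as the
    # server would see them.  Both must be rejected.
    print(post_login_redirect("http://google.com", {"login.mailchimp.com"}, "/"))
    print(post_login_redirect("http%3a%2f%2fmsn.com", {"www.kaneva.com"}, "/"))
    # A same-site path is the only kind of value that should pass.
    print(post_login_redirect("%2Faccount%2Fsettings", {"www.kaneva.com"}, "/"))
```

Matching on the parsed hostname rather than on a string prefix is the point: a prefix check such as `startswith("http://login.mailchimp.com")` is defeated by `http://login.mailchimp.com.evil.example/` and by userinfo tricks, whereas `urlsplit` yields the host the browser will actually connect to. A stricter variant stores an opaque token server-side and looks the destination up by token, so no URL ever travels in the query string at all.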

(1.1) The following tests illustrate the scenario described above.
The redirect destination is “http://www.tetraph.com/essayjeans/poems/thatday.html”. For the purpose of the test, suppose that this webpage is malicious.

(2) Olark Open Redirect Vulnerability

(2.1) One of our webpages is used for the following tests. The webpage address is “http://www.tetraph.com/essaybeans/”. For the purpose of the test, suppose that this webpage is malicious.

(3) Kaneva Sign-in Page Open Redirect Vulnerability


The vulnerability exists on the “loginSecure.aspx” page in the “logretURLNH” parameter, e.g.
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]
When victims who are not logged in click the URL ([1]) above, the Kaneva Sign-in page is displayed. After they enter their username and password, they are redirected to a webpage outside Kaneva, namely the site named in the “logretURLNH” parameter.
Tests were performed on Firefox (26.0) on Ubuntu (12.04) and IE (9.0.15) on Windows 7.
(3.1) The following tests illustrate the scenario described above.
The redirect destination is “http://www.tetraph.com/essaybeans/”. For the purpose of the test, suppose that this webpage is malicious.

The flaw can be exploited by an attacker who has no account and is not logged in. Tests were performed on Microsoft IE (9.0.8112.16421) on Windows 7, Mozilla Firefox (37.0.2) and Google Chromium 42.0.2311 (64-bit) on Ubuntu (14.04.2), and Apple Safari 6.1.6 on Mac OS X v10.9 Mavericks. These bugs were found using URFDS.

Discoverer and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)