CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

6kbbs_4

 

CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

 

Exploit Title: 6kbbs Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: April 02, 2015

Latest Update: April 02, 2015

Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]

CVE Reference: *

CXSecurity Reference: WLB-2015040034

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Writer and Reporter: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

Suggestion Details:



(1) Vendor & Product Description:



Vendor:

6kbbs

 

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

 

Vendor URL & download:

6kbbs can be gain from here,

http://www.6kbbs.com/download.html

http://en.sourceforge.jp/projects/sfnet_buzhang/downloads/6kbbs.zip/

 

Product Introduction Overview:

“6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user’s preferred utility functions.”

“1, using XHTML + CSS architecture, so that the structure of the page, saving transmission static page code, but also easy to modify the interface, more in line with WEB standards; 2, the Forum adopted Cookies, Session, Application and other technical data cache on the forum, reducing access to the database to improve the performance of the Forum. Can carry more users simultaneously access; 3, the data points table function, reduce the burden on the amount of data when accessing the database; 4, support for multi-skin style switching function; 5, the use of RSS technology to support subscriptions forum posts, recent posts, user’s posts; 6, the display frame mode + tablet mode, the user can choose according to their own preferences to; 7. forum page optimization keyword search, so the forum more easily indexed by search engines; 8, extension, for our friends to provide a forum for a broad expansion of space services; 9, webmasters can add different top and bottom of the ad, depending on the layout; 10, post using HTML + UBB way the two editors, mutual conversion, compatible with each other; …”

 

 

 

(2) Vulnerability Details:

6kbbs web application has a computer cyber security bug problem. It can be exploited by CSRF (Cross-Site Request Forgery) attacks. This may allow an attacker to trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into creating files that may then be called via a separate CSRF attack or possibly other means, and executed in the context of their session with the application, without further prompting or verification.

Several 6kbbs products 0-day vulnerabilities have been found by some other bug hunter researchers before. 6kbbs has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to csrf vulnerabilities.

 

(2.1) The first code programming flaw occurs at “/portalchannel_ajax.php?” page with “&id” and &code” parameters in HTTP $POST.

(2.2) The second code programming flaw occurs at “/admin.php?” page with “&fileids” parameter in HTTP $POST.

 

 

 

 

Related Articles:
http://cxsecurity.com/issue/WLB-2015040034
http://lists.openwall.net/full-disclosure/2015/04/05/7
http://www.intelligentexploit.com/view-details.html?id=21071
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819
https://www.mail-archive.com/fulldisclosure@seclists.org/msg01902.html
http://seclists.org/fulldisclosure/2015/Apr/13
http://www.tetraph.com/security/csrf-vulnerability/6kbbs-v8-0-csrf
http://essayjeans.blog.163.com/blog/static/237173074201551435316925/
https://itinfotechnology.wordpress.com/2015/04/14/6kbbs-crsf/

http://frenchairing.blogspot.fr/2015/06/6kbbs-crsf.html
http://tetraph.blog.163.com/blog/static/234603051201551444917365/
http://diebiyi.com/articles/security/6kbbs-v8-0-csrf
http://securityrelated.blogspot.com/2015/04/6kbbs-v80-multiple-csrf-cross-site.html
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-multiple-csrf
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-csrf

 

 

 

Advertisements

CVE-2015-2563 – Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities

Computer coding

CVE-2015-2563 – Vastal I-tech phpVID 1.2.3 SQL Injection Web Security Vulnerabilities

Exploit Title: CVE-2015-2563 Vastal I-tech phpVID /groups.php Multiple Parameters SQL Injection Web Security Vulnerabilities

Product: phpVID

Vendor: Vastal I-tech

Vulnerable Versions: 1.2.3 0.9.9

Tested Version: 1.2.3 0.9.9

Advisory Publication: March 13, 2015

Latest Update: April 25, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: CVE-2015-2563

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Credit: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Direction Details:



(1) Vendor & Product Description:



Vendor:

Vastal I-tech

Product & Vulnerable Versions:

phpVID

1.2.3

0.9.9

Vendor URL & Download:

phpVID can be approached from here,

http://www.vastal.com/phpvid-the-video-sharing-software.html#.VP7aQ4V5MxA


Product Introduction Overview:

“phpVID is a video sharing software or a video shating script and has all the features that are needed to run a successful video sharing website like youtube.com. The features include the following. phpVID is the best youtube clone available. The latest features include the parsing of the subtitles file and sharing videos via facebook. With phpVID Video Sharing is extremely easy.”


“The quality of code and the latest web 2.0 technologies have helped our customers to achieve their goals with ease. Almost all customers who have purchased phpVID are running a successful video sharing website. The quality of code has helped in generating more then 3 million video views a month using a “single dedicated server”. phpVID is the only software in market which was built in house and not just purchased from someone. We wrote the code we know the code and we support the code faster then anyone else. Have any questions/concerns please contact us at: info@vastal.com. See demo at: http://www.phpvid.com. If you would like to see admin panel demo please email us at: info@vastal.com.”


“Server Requirements:

Preferred Server: Linux any Version

PHP 4.1.0 or above

MySQL 3.1.10 or above

GD Library 2.0.1 or above

Mod Rewrite and .htaccess enabled on server.

FFMPEG (If you wish to convert the videos to Adobe Flash)”

(2) Vulnerability Details:

phpVID web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Other bug hunter researchers have found some SQL Injection vulnerabilities related to it before, too. phpVID has patched some of them.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. phpVID has patched some of them. “Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services.” Openwall has published suggestions, advisories, solutions details related to important vulnerabilities.



(2.1) The first code programming flaw occurs at “&order_by” “&cat” parameters in “groups.php?” page.


Related Links:

http://packetstormsecurity.com/files/130754/Vastal-I-tech-phpVID-1.2.3-SQL-Injection.html

https://progressive-comp.com/?l=full-disclosure&m=142601071700617&w=2

http://seclists.org/fulldisclosure/2015/Mar/58

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1699

http://lists.openwall.net/full-disclosure/2015/03/10/8

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142601071700617&w=2

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2563/

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551597501701&w=2

https://cxsecurity.com/issue/WLB-2015020091

https://www.facebook.com/permalink.php?story_fbid=935563809832135&id=874373602617823

http://t.qq.com/p/t/482410003538035

http://biboying.lofter.com/post/1cc9f4f5_6ee2aa5

http://mathpost.tumblr.com/post/118768553885/xingti-cve-2015-2563-vastal-i-tech-phpvid

http://essayjeans.lofter.com/post/1cc7459a_6ee4fcb

http://xingti.tumblr.com/post/118768481545/cve-2015-2563-vastal-i-tech-phpvid-1-2-3-sql

https://plus.google.com/113698571167401884560/posts/gftS84rfD3A

https://itswift.wordpress.com/2015/05/12/cve-2015-2563-vastal-i-tech-phpvid/

https://www.facebook.com/essayjeans/posts/827458144012006

https://tetraph.wordpress.com/2015/05/12/cve-2015-2563-vastal-i-tech-phpvid/

http://mathstopic.blogspot.com/2015/05/cve-2015-2563-vastal-i-tech-phpvid-123.html

http://yurusi.blogspot.sg/2015/05/cve-2015-2563-vastal-i-tech-phpvid-123.html

https://twitter.com/tetraphibious/status/598057025247907840

http://tetraph.blog.163.com/blog/static/23460305120154125453111/


CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

fki_21

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities



Exploit Title: CVE-2015-2349 – SuperWebMailer /defaultnewsletter.php” HTMLForm Parameter XSS Web Security Vulnerabilities

Product: SuperWebMailer

Vendor: SuperWebMailer

Vulnerable Versions: 5.*.0.*   4.*.0.*

Tested Version: 5.*.0.*   4.*.0.*

Advisory Publication: March 11, 2015

Latest Update: May 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-2349

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)








Information Details:



(1) Vendor & Product Description:



Vendor:

SuperWebMailer




Product & Vulnerable Versions:

SuperWebMailer

5.60.0.01190

5.50.0.01160

5.40.0.01145

5.30.0.01123

5.20.0.01113

5.10.0.00982

5.05.0.00970

5.02.0.00965

5.00.0.00962

4.50.0.00930

4.40.0.00917

4.31.0.00914

4.30.0.00907

4.20.0.00892

4.10.0.00875



Vendor URL & Download:

SuperWebMailer can be gained from here,

http://www.superwebmailer.de/




Product Introduction Overview:

“Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing.”


“To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm.”


“It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant”






(2) Vulnerability Details:

SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. 



Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.


(2.1) The programming code flaw occurs at “&HTMLForm” parameter in “defaultnewsletter.php?” page.








Related Results:

http://seclists.org/fulldisclosure/2015/Mar/55

http://www.securityfocus.com/bid/73063

http://lists.openwall.net/full-disclosure/2015/03/07/3

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819

http://packetstormsecurity.com/files/131288/ECE-Projects-Cross-Site-Scripting.html

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2

https://cxsecurity.com/issue/WLB-2015030043

http://aibiyi.lofter.com/post/1cc9f4e9_6edf9bf

http://tetraph.tumblr.com/post/118764414962/canghaixiao-cve-2015-2349-superwebmailer

http://canghaixiao.tumblr.com/post/118764381217/cve-2015-2349-superwebmailer-5-50-0-01160-xss

http://essaybeans.lofter.com/post/1cc77d20_6edf28c

https://www.facebook.com/essaybeans/posts/561250300683107

https://twitter.com/essayjeans/status/598021595974602752

https://www.facebook.com/pcwebsecurities/posts/687478118064775

http://tetraph.blog.163.com/blog/static/234603051201541231655569/

https://plus.google.com/112682696109623633489/posts/djqcrDw5dQp

http://essayjeans.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html

https://mathfas.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://aibiyi.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html





CVE-2015-2209 – DLGuard Full Path Disclosure (Information Leakage) Web Security Vulnerabilities

hacker1

CVE-2015-2209 – DLGuard Full Path Disclosure (Information Leakage) Web Security Vulnerabilities



Exploit Title: DLGuard “/index.php?” “&c” parameter Full Path Disclosure Web Security Vulnerabilities

Product: DLGuard

Vendor: DLGuard

Vulnerable Versions: v4.5

Tested Version: v4.5

Advisory Publication: January 18, 2015

Latest Update: March 20, 2015

Vulnerability Type: Information Exposure [CWE-200]

CVE Reference: CVE-2015-2209

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information

Credit: Wang Jing [School of Mathematical Sciences (001), University of Science and Technology of China (USTC)] (@justqdjing)

 
 
 
 

Consultation Details:

 

(1) Vendor & Product Description:

 

Vendor:

DLGuard

 

Product & Version:

DLGuard

v4.5

 

Vendor URL & Download:

DLGuard can be obtained from here,

http://www.dlguard.com/dlginfo/index.php

 

Product Introduction Overview:

“DLGuard is a powerful, yet easy to use script that you simply upload to your website and then rest assured that your internet business is not only safe, but also much easier to manage, automating the tasks you just don’t have the time for.”

 

“DLGuard supports the three types, or methods, of sale on the internet:

Single item sales (including bonus products!)

Multiple item sales

Membership websites”

 

“DLGuard is fully integrated with: PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, Click2Sell, Mal’s E-Commerce, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro, and even tracks your free product downloads. The DLGuard built-in Shopping Cart offers Paypal, Authorize.net, and 2Checkout payment options. The Membership areas allow Paypal, Clickbank, 2Checkout, and LinkPoint recurring billing as well as linking to any PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, E-Bullion, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro single sale and free products so that people who buy your products can access your members area. DLGuard is the perfect solution to secure your single sale item, such as a niche marketing website, software sales, ebook sales, and more! DLGuard not only protects your download page, but it makes setting up new products, or making changes to existing products so much quicker and easier than before.”

 

(2) Vulnerability Details:

DLGuard web application has a computer security bug problem. It can be exploited by information leakage attacks – Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software’s installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Several similar products vulnerabilities have been found by some other bug hunter researchers before. DLguard has patched some of them. NVD is the U.S. government repository of standards based vulnerability management data (This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA)). It has published suggestions, advisories, solutions related to important vulnerabilities.


(2.1) The first bug flaw occurs at “&c” parameter in “index.php?” page.

 

 

References:

 

 

The Weather Channel weather.com Almost All Links Vulnerable to XSS Attacks

 
 

GTY_email_hacker_dm_130718_16x9_608

 

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

 

 

Domain Description:
http://www.weather.com/

 

“The Weather Channel is an American basic cable and satellite television channel which broadcasts weather forecasts and weather-related news and analyses, along with documentaries and entertainment programming related to weather.  Launched on May 2, 1982, the channel broadcasts weather forecasts and weather-related news and analysis, along with documentaries and entertainment programming related to weather.”

 

“As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives.” (Wikipedia)

 

 

 

 

Vulnerability description:


The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs.

 

Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to add script at the end of The Weather Channel’s URLs. Then the scripts will be executed.

 

10 thousands of Links were tested based a self-written tool. During the tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks.

 

The reason of this vulnerability is that Weather Channel uses URLs to construct its HTML tags without filtering malicious script codes. 

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

 

 

 

 

weather_1_xss

 
 

weather_2_xx

 

 

POC Codes, e.g.

http://www.weather.com/slideshows/main/“–/>”><img src=x onerror=prompt(‘justqdjing’)>

http://www.weather.com/home-garden/home/white-house-lawns-20140316%22–/“–/>”><img src=x onerror=prompt(‘justqdjing’)>t%28%27justqdjing%27%29%3E

http://www.weather.com/news/main/“><img src=x onerror=prompt(‘justqdjing’)>

 

 

The Weather Channel has patched this Vulnerability in late November, 2014 (last Week).  “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. This bug was published at The Full Disclosure in November, 2014.

 

 

 

Discovered by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2014/Nov/89
http://lists.openwall.net/full-disclosure/2014/11/27/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1253
https://progressive-comp.com/?l=full-disclosure&m=141705578527909&w=1
http://whitehatview.tumblr.com/post/104313615841/the-weather-channel-flaw
http://www.inzeed.com/kaleidoscope/xss-vulnerability/the-weather-channel-exploit
http://diebiyi.com/articles/security/the-weather-channel-bug
http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8
https://vulnerabilitypost.wordpress.com/2014/12/04/the-weather-channel-flaw
http://tetraph.blog.163.com/blog/static/234603051201411475314523/
http://tetraph.blogspot.com/2014/12/the-weather-channel-xss.html
http://ithut.tumblr.com/post/121916595448/weather-channel-xss
https://mathfas.wordpress.com/2014/12/04/the-weather-channel-weather-bug
http://computerobsess.blogspot.com/2014/12/the-weather-channel-xss.html
http://www.tetraph.com/blog/xss-vulnerability/the-weather-channel-bug

 

 

 

 

Alle Links zu New York Times Artikel Vor 2013 anfällig für XSS-Angriffe

Alle Links zu New York Times Artikel Vor 2013 anfällig für XSS-Angriffe

 

URLs, um Artikel in der New York Times (NYT) vor 2013 veröffentlicht wurden gefunden anfällig für einen XSS (Cross-Site Scripting) Angriff der Lage ist, Code im Kontext des Web-Browsers ausgeführt werden zu können.

 

c5e0b49392f4e9f877a6fe8f9b8eccc5


Basierend auf nytimes die Gestaltung, fast alle URLs vor 2013 sind betroffen (Alle Seiten von Artikeln). In der Tat, alle Artikel Seiten, die Schaltfläche “Drucken”, “Jede Seite” Taste enthalten, werden “Seite *” Taste “NEXT PAGE” -Taste beeinflusst.

 

Nytimes geändert diesen Mechanismus seit 2013. Es decodiert die URLs, seine Server gesendet. Dadurch ist der Mechanismus nun viel sicherer.

 

Jedoch werden alle URLs vor 2013 immer noch mit dem alten Mechanismus. Das bedeutet fast allen Artikelseiten vor 2013 sind immer noch anfällig für XSS-Angriffe. Ich denke, der Grund, nytimes keine URLs filtern, bevor die Kosten. Es kostet zu viel (Geld und Humankapital), um in der Datenbank nach Artikel gepostet, bevor ändern.

 

Die Sicherheitslücke wurde von einem Mathematik Doktorand Wang Jing von der Schule für Physikalische und Mathematische Wissenschaften (SPMS), Nanyang Technological University, Singapur.

 

POC und Blog Erklärung von Wang gegeben,
https://www.youtube.com/watch?v=RekCK5tjXWQ
http://tetraph.com/security/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/

 

Unterdessen sagte Wang: “Die New York Times hat einen neuen Mechanismus jetzt angenommen. Dies ist eine bessere Schutzmechanismus.”

 

 

Auch wenn die Artikel sind alt, sind die Seiten noch relevant
Ein Angriff auf neueren Artikel würde auf jeden Fall haben erhebliche Auswirkungen gehabt, aber Artikeln von 2012 oder sogar noch älter sind alles andere als überholt. Es wäre immer noch im Rahmen eines Angriffs von Bedeutung sein.

 

Cyberkriminelle können verschiedene Möglichkeiten, um den Link, um potenzielle Opfer zu senden und aufzuzeichnen hohen Erfolgsraten, alle mit mehr gezielte Angriffe zu entwickeln.

 

 

Was ist XSS?
Cross-Site Scripting (XSS) ist eine Art von Computer-Sicherheitslücke in der Regel in Web-Anwendungen gefunden. XSS ermöglicht es Angreifern, clientseitige Skript in Webseiten, die von anderen Benutzern eingesehen zu injizieren. Eine Cross-Site-Scripting-Schwachstelle kann von Angreifern wie der Same Origin Policy verwendet werden, um Zugangskontrollen zu umgehen. Cross-Site Scripting auf Webseiten durchgeführt entfielen rund 84% aller Sicherheitslücken von Symantec ab 2007 dokumentiert (Wikipedia)

 

 

 

 

Serious security flaw in OAuth, OpenID discovered

Following in the steps of the OpenSSL vulnerability Heartbleed, A serious Covert Redirect vulnerability related to OAuth 2.0 and OpenID has been found. Almost all major providers of OAuth 2.0 and OpenID are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.

 

Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the serious vulnerability “Covert Redirect” flaw can masquerade as a log-in popup based on an affected site’s domain. Covert Redirect is based on a well-known exploit parameter.

 

For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that’s similar to trick users, the Covert Redirect flaw uses the real site address for authentication.

 

If a user chooses to authorize the log in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.

 

Regardless of whether the victim chooses to authorize the app, he or she will then get redirected to a website of the attacker’s choice, which could potentially further compromise the victim.

 

Wang says he has already contacted Facebook and has reported the flaw, but was told that the company “understood the risks associated with OAuth 2.0,” and that “short of forcing every single application on the platform to use a whitelist,” fixing this bug was “something that can’t be accomplished in the short term.”

 

Facebook isn’t the only site affected. Wang says he has reported this to Google, LinkedIn, and Microsoft, which gave him various responses on how they would handle the matter.

 

covert_redirect_logo_tetraph


Google (which uses OpenID) told him that the problem was being tracked, while LinkedIn said that the company has published a blog on the matter. Microsoft, on the other hand, said an investigation had been done and that the vulnerability existed on the domain of a third party and not on its own sites.

“Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks,” said Wang.

 

“However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable,” he added.

 

LinkedIn engineer Shikha Sehgal wrote a blog post about the creation of a whitelist for the site more than a month before Wang published his findings.

 

“In order to make the LinkedIn platform even more secure, and so we can comply with the security specifications of OAuth 2, we are asking those of you who use OAuth 2 to register your application’s redirect URLs with us by April 11, 2014,” she said.

 

Sehgal did not explicitly say that the measure was in response to a flaw in OAuth 2, but the social network did confirm to CNET that the vulnerability that Wang detailed is the same one that inspired the blog post.

 

PayPal also has addressed the flaw.

“When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability,” James Barrese, PayPal’s CTO, said in a blog post on Friday. PayPal declined to add details about those measures.

(Article Mainly from Cnet.com)

 

 

 

Related Articles: