Daily mail Registration Page Unvalidated Redirects and Forwards Web Security Problem

Posted by WhiteHole

Daily mail Registration Page Unvalidated Redirects and Forwards Web Security Problem

Website Description:
“The Daily Mail is a British daily middle-market tabloid newspaper owned by the Daily Mail and General Trust. First published in 1896 by Lord Northcliffe, it is the United Kingdom’s second biggest-selling daily newspaper after The Sun. Its sister paper The Mail on Sunday was launched in 1982. Scottish and Irish editions of the daily paper were launched in 1947 and 2006 respectively. The Daily Mail was Britain’s first daily newspaper aimed at the newly-literate “lower-middle class market resulting from mass education, combining a low retail price with plenty of competitions, prizes and promotional gimmicks”, and was the first British paper to sell a million copies a day. It was at the outset a newspaper for women, the first to provide features especially for them, and as of the second-half of 2013 had a 54.77% female readership, the only British newspaper whose female readers constitute more than 50% of its demographic. It had an average daily circulation of 1,708,006 copies in March 2014. Between July and December 2013 it had an average daily readership of approximately 3.951 million, of whom approximately 2.503 million were in the ABC1 demographic and 1.448 million in the C2DE demographic. Its website has more than 100 million unique visitors per month.” (Wikipedia)

One of its website’s Alexa rank is 93 on January 01 2015. The website is one of the most popular websites in the United Kingdom.

(1) Vulnerability Description:
Daily online websites have a cyber security problem. Hacker can exploit it by Open Redirect (Unvalidated Redirects and Forwards) attacks. During the tests, all Daily mail websites (Daily Mail, Mail on Sunday & Metro media group) use the same mechanism. These websites include dailymail.co.uk, thisismoney.co.uk, and mailonsunday.co.uk.

Google Dork:
“Part of the Daily Mail, The Mail on Sunday & Metro Media Group”

The vulnerability occurs at “&targetUrl” parameter in “logout.html?” page, i.e.
http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fgoogle.com

(2.1) Use the following tests to illustrate the scenario painted above.
The redirected webpage address is “http://diebiyi.com/articles“. Can suppose that this webpage is malicious.

Vulnerable URLs:
http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdailymail.co.uk
http://www.thisismoney.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fhao123.com/
http://www.mailonsunday.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fpinterest.com

POC Code:
http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdiebiyi.com/articles
http://www.thisismoney.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdiebiyi.com/articles
http://www.mailonsunday.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdiebiyi.com/articles

POC Video:
https://www.youtube.com/watch?v=AU-HJGe5BWE&feature=youtu.be

Blog Detail:
http://tetraph.com/security/website-test/daily-mail-url-redirection/
http://securityrelated.blogspot.com/2015/10/daily-mail-registration-page.html
https://vulnerabilitypost.wordpress.com/2015/10/30/daily-mail-open-redirect/

(2.2) The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 8, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2)，and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

These bugs were found by using URFDS (Unvalidated Redirects and Forwards Detection System).

(2) Description of Open Redirect:
Here is the description of Open Redirect: “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.” (From CWE)

(3) Vulnerability Disclosure:
These vulnerabilities have not been patched.

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

Reference:
https://cxsecurity.com/issue/WLB-2015110028
http://computerobsess.blogspot.com/2015/11/daily-mail-open-redirect.html
http://itinfotech.tumblr.com/post/132726134291/ithut-daily-mail-registration-page-unvalidated
http://itsecurity.lofter.com/post/1cfbf9e7_8d45d37
https://inzeed.wordpress.com/2015/11/07/daily-mail-registration-page
http://webtechhut.blogspot.com/2015/11/daily-mail-registration-page.html
https://community.webroot.com/t5/Security-Industry-News/The-Telegraph-and-Daily-Mail
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2643|
http://lists.openwall.net/full-disclosure/2015/11/03/8

CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

Posted by WhiteHole

CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

Exploit Title: 6kbbs Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: April 02, 2015

Latest Update: April 02, 2015

Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]

CVE Reference: *

CXSecurity Reference: WLB-2015040034

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Writer and Reporter: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Suggestion Details:

(1) Vendor & Product Description:

Vendor:

6kbbs

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

Vendor URL & download:

6kbbs can be gain from here,

http://www.6kbbs.com/download.html

http://en.sourceforge.jp/projects/sfnet_buzhang/downloads/6kbbs.zip/

Product Introduction Overview:

“1, using XHTML + CSS architecture, so that the structure of the page, saving transmission static page code, but also easy to modify the interface, more in line with WEB standards; 2, the Forum adopted Cookies, Session, Application and other technical data cache on the forum, reducing access to the database to improve the performance of the Forum. Can carry more users simultaneously access; 3, the data points table function, reduce the burden on the amount of data when accessing the database; 4, support for multi-skin style switching function; 5, the use of RSS technology to support subscriptions forum posts, recent posts, user’s posts; 6, the display frame mode + tablet mode, the user can choose according to their own preferences to; 7. forum page optimization keyword search, so the forum more easily indexed by search engines; 8, extension, for our friends to provide a forum for a broad expansion of space services; 9, webmasters can add different top and bottom of the ad, depending on the layout; 10, post using HTML + UBB way the two editors, mutual conversion, compatible with each other; …”

(2) Vulnerability Details:

6kbbs web application has a computer cyber security bug problem. It can be exploited by CSRF (Cross-Site Request Forgery) attacks. This may allow an attacker to trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into creating files that may then be called via a separate CSRF attack or possibly other means, and executed in the context of their session with the application, without further prompting or verification.

Several 6kbbs products 0-day vulnerabilities have been found by some other bug hunter researchers before. 6kbbs has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to csrf vulnerabilities.

(2.1) The first code programming flaw occurs at “/portalchannel_ajax.php?” page with “&id” and &code” parameters in HTTP $POST.

(2.2) The second code programming flaw occurs at “/admin.php?” page with “&fileids” parameter in HTTP $POST.

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

Posted by WhiteHole

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML Injection Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: April 15, 2015

Latest Update: April 15, 2015

Vulnerability Type: Improper Input Validation [CWE-20]

CVE Reference: *

OSVDB Reference: 120807

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Advisory Details:

(1) Vendor & Product Description:

Vendor:

NetCat

Product & Vulnerable Version:

NetCat

3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Vendor URL & Download:

NetCat can be downloaded from here,

http://netcat.ru/

Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”

“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTML Injection attacks. Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user’s trust.

Several NetCat products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. “Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What’s more, you can now subscribe to an RSS feed containing the specific tags that you are interested in – you will then only receive alerts related to those tags.” It has published suggestions, advisories, solutions details related to cyber security vulnerabilities.

(2.1) The programming code flaw occurs at “/catalog/search.php?” page with “&q” parameter.

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

Posted by WhiteHole

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: March 07, 2015

Latest Update: March 07, 2015

Vulnerability Type: Improper Neutralization of CRLF Sequences (‘CRLF Injection’) [CWE-93]

CVE Reference: *

OSVDB Reference: 119342, 119343

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Advisory Details:

(1) Vendor & Product Description:

Vendor:

NetCat

Product & Version:

NetCat

5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Vendor URL & Download:

NetCat can be got from here,

http://netcat.ru/

Product Introduction:

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to CRLF vulnerabilities and cyber intelligence recommendations.

(2.1) The first code flaw occurs at “/post.php” page with “redirect_url” parameter by adding “%0d%0a%20”.

(2.2) The second code flaw occurs at “redirect.php?” page with “url” parameter by adding “%0d%0a%20”.

Reference:
http://www.osvdb.org/show/osvdb/119342
http://www.osvdb.org/show/osvdb/119343
http://lists.openwall.net/full-disclosure/2015/03/07/3
http://seclists.org/fulldisclosure/2015/Mar/36
http://marc.info/?l=full-disclosure&m=142576233403004&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01768.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1676
http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://essayjeans.blog.163.com/blog/static/23717307420155142423197/
http://computerobsess.blogspot.com/2015/06/osvdb-119342-netcat-crlf.html
http://diebiyi.com/articles/bugs/netcat-cms-crlf
http://tetraph.blog.163.com/blog/static/234603051201551423749286/
https://webtechwire.wordpress.com/2015/03/14/osvdb-119342-netcat-crlf/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms

Bugtraq ID 75176 – 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

Posted by WhiteHole

Bugtraq ID 75176 – 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: June 08, 2015

Latest Update: June 10, 2015

Vulnerability Type: Inadequate Encryption Strength [CWE-326]

CVE Reference: *

CVSS Severity (version 2.0):

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Recommendation Details:

(1) Vendor & Product Description:

Vendor:

6kbbs

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

Vendor URL & download:

6kbbs can be gain from here,
http://www.6kbbs.com/download.html

Product Introduction Overview:

“6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user’s preferred utility functions. Forum Technical realization (a) interface : using XHTML + CSS structure, so the structure of the page , easy to modify the interface ; save the transmission static page code , greatly reducing the amount of data transmitted over the network ; improve the interface scalability , more in line with WEB standards, support Internet Explorer, FireFox, Opera and other major browsers. (b) Program : The ASP + ACCESS mature technology , the installation process is extremely simple , the environment is also very common.”

“(1) PHP version : (a) 6kbbs V8.0 start using PHP + MySQL architecture. (b) Currently ( July 2010 ) is still in the testing phase , 6kbbs V8.0 is the latest official release. (2) ASP Version: 6kbbs (6k Forum) is an excellent community forum process . The program is simple but not simple ; fast , small ; interface generous and good scalability ; functional and practical . pursue superiority , good interface , practical functions of choice for subscribers.”

(2) Vulnerability Details:

6kbbs web application has a computer security problem. It can be exploited by weak encryption attacks. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

Several 6kbbs products 0-day web cyber bugs have been found by some other bug hunter researchers before. 6kbbs has patched some of them. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the web securities have been published here.

Source Code:

<?php

if(empty($row)){

$extrow=$db->row_select_one(“users”,”username='{$username}'”);

if(!empty($extrow) && !empty($extrow[‘salt’])){

if(md5(md5($userpass).$extrow[‘salt’])==$extrow[‘userpass’]){

$row=$extrow;

$new_row[“userpass”]=$userpass_encrypt;

$new_row[“salt”]=””;

$db->row_update(“users”,$new_row,”id={$extrow[‘id’]}”);

}

Source Code From:
http://code.google.com/p/6kbbs/source/browse/trunk/convert/discuz72/loginext.php?r=16

We can see that “userpass” stored in cookie was encrypted using “$userpass” user password directly. And there is no “HttpOnly” attribute at all. Since md5 is used for the encryption, it is easy for hackers to break the encrypted message.

“The MD5 message-digest cryptography algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. Papers about it have been published on Eurocrypt, Asiacrypt and Crypto. Meanwhile, researchers focusing on it spread in Computer Science, Computer Engineering, IEEE and Mathematics. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. The source code in RFC 1321 contains a “by attribution” RSA license.” (Wikipedia)

References:
http://seclists.org/fulldisclosure/2015/Jun/34
http://lists.openwall.net/full-disclosure/2015/06/11/6
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02160.html
https://packetstormsecurity.com/files/132270/6kbbs-7.1-8.0-Weak-Cryptography.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2092
http://tetraph.blog.163.com/blog/static/234603051201551415853846/#
https://mathfas.wordpress.com/2015/06/14/6kbbs-weak-encryption/
http://tetraph.com/security/weak-encryption/6kbbs-v8-0-weak-encryption/
http://securityrelated.blogspot.com/2015/06/6kbbs-v80-weak-encryption-cryptography.html
https://vulnerabilitypost.wordpress.com/2015/06/11/6kbbs-v8-0-weak-encryption/
http://www.inzeed.com/kaleidoscope/computer-security/6kbbs-v8-0-weak-encryption/

Rakuten Website Search Page XSS (cross site scripting) Web Security Vulnerability

Posted by WhiteHole

Rakuten Website Search Page XSS (cross site scripting) Web Security Vulnerability

Domain:
http://www.rakuten.de/

“Rakuten, Inc. (楽天株式会社 Rakuten Kabushiki-gaisha?) is a Japanese electronic commerce and Internet company based in Tokyo, Japan. Its B2B2C e-commerce platform Rakuten Ichiba is the largest e-commerce site in Japan and among the world’s largest by sales. Hiroshi Mikitani founded the company in February 1997 as MDM, Inc., and is still its chief executive. Rakuten Shopping Mall (楽天市場 Rakuten Ichiba?) started operations in May 1997. In June 1999, the company changed its name to Rakuten, Inc. The Japanese word rakuten means optimism. In 2012, the company’s revenues totaled US$4.6 billion with operating profits of about US$244 million. In June 2013, Rakuten, Inc. reported it had a total of 10,351 employees worldwide. In 2005, Rakuten started expanding outside Japan, mainly through acquisitions and joint ventures. Its acquisitions include Buy.com (now Rakuten.com Shopping in the US), Priceminister (France), Ikeda (now Rakuten Brasil), Tradoria (now Rakuten Deutschland), Play.com (UK), Wuaki.tv (Spain), and Kobo Inc. (Canada). The company has investments in Pinterest, Ozon.ru, AHA Life, and Daily Grommet.” (Wikipedia)

The Alexa rank of rakuten.co.jp is 64 on May 29 2015. It is the second toppest Japanese local sevice website.

(1) Vulnerability description:

Rakuten has a computer cyber security bug problem. It is vulnerable to XSS attacks. Here is the description of XSS: “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.” (OWSAP)

The program code flaw occurs at “q” parameter in at “suchen/asd/?” pages, i.e.
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=reddit_nice_music_news

The vulnerability can be attacked without user login. Tests were performed on Firefox (37.02) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 7. The bugs found by using CSXDS.

Vulnerable URLs:
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=adcash_shopping_payment

POC Code:
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=adcash_shopping_payment‘ /”><img src=x onerror=prompt(/justqdjing/)>

Poc Video:
https://www.youtube.com/watch?v=FK7nmuRupJI

Blog Details:
http://tetraph.com/security/website-test/rakuten-website-xss/
http://computerobsess.blogspot.com/2015/06/rakuten-website-xss.html
https://itswift.wordpress.com/2015/06/11/rakuten-website-xss/
http://diebiyi.com/articles/security/xss-vulnerability/rakuten-website-xss/
http://www.inzeed.com/kaleidoscope/xss-vulnerability/rakuten-website-xss/
http://whitehatpost.blog.163.com/blog/static/242232054201551122837178/
https://webtechwire.wordpress.com/2015/06/11/rakuten-website-xss/
http://japanbroad.blogspot.jp/2015/06/rakuten-xss.html

Vulnerability Disclosure:
Those vulnerabilities are patched now.

===

楽天ウェブ検索ページXSS（クロスサイトスクリプティング）のWebセキュリティ脆弱性

ドメイン：
http://www.rakuten.de/

“楽天株式会社（らくてん、英: Rakuten, Inc.）は、ネットショッピングなどのインターネットサービスを運営している[日本の企業である。1997年に現会長兼社長の三木谷浩史が創業した。インターネットショッピングモール「楽天市場」や総合旅行サイト「楽天トラベル」、ポータルサイト「インフォシーク」の運営その他ECサイトの運営を行う。東京証券取引所第一部上場企業（証券コード:4755）。グループ会員は9,977万人。” (ja.wikipedia.org)

（1）脆弱性の説明：

rakuten.deは、コンピュータのサイバーセキュリティバグの問題があります。これは、XSS攻撃に対して脆弱です。ここでXSSの説明です：「クロスサイトスクリプティング（XSS）攻撃は、悪意のあるスクリプトがそうでなければ良性と信頼できるWebサイトに注入された注入の種類、ある攻撃者が悪意のあるコードを送信するために、Webアプリケーションを使用する際にXSS攻撃が発生しました。、一般的にブラウザ側スクリプトの形で、別のエンドユーザーに。これらの攻撃が成功することを可能に傷はかなり普及しているWebアプリケーションはそれを検証するか、エンコードせずに生成する出力内のユーザからの入力を使用して任意の場所に発生します。」（OWSAP）

プログラムコードの欠陥は、に “Q”パラメータで発生する「suchen / ASD /？ “ページ、すなわち、
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=reddit_nice_music_news

この脆弱性は、ユーザのログインなしで攻撃される可能性があります。テストはWindows 7でのUbuntu（14.04）とIE（8.0。7601）にはFirefox（37.02）で行いました。

脆弱なURL：
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=adcash_shopping_payment

POCコード：
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=adcash_shopping_payment ‘/ “> <IMG SRC = x onerror = alert（/ tetraph /）>

脆弱性の公開：
これらの脆弱性は、現在パッチが適用されます。

発見し、レポーター：
王ジン (Wang Jing)、数理科学研究部門（MAS）、物理的および数理科学科（SPMS）、南洋理工大学（NTU）、シンガポール。（@justqdjing）
http://www.tetraph.com/wangjing

POCビデオ：
https://www.youtube.com/watch?v=FK7nmuRupJI

詳細:
http://tetraph.com/security/website-test/rakuten-website-xss/
http://computerobsess.blogspot.com/2015/06/rakuten-website-xss.html
https://itswift.wordpress.com/2015/06/11/rakuten-website-xss/
http://diebiyi.com/articles/security/xss-vulnerability/rakuten-website-xss/
http://www.inzeed.com/kaleidoscope/xss-vulnerability/rakuten-website-xss/
http://whitehatpost.blog.163.com/blog/static/242232054201551122837178/
https://webtechwire.wordpress.com/2015/06/11/rakuten-website-xss/
http://japanbroad.blogspot.jp/2015/06/rakuten-xss.html

CVE-2015-2243 Webshop hun v1.062S Directory Traversal Web Security Vulnerabilities

Posted by WhiteHole

CVE-2015-2243 Webshop hun v1.062S Directory Traversal Web Security Vulnerabilities

Exploit Title: CVE-2015-2243 Webshop hun v1.062S /index.php &mappa Parameter Directory Traversal Web Security Vulnerabilities

Product: Webshop hun

Vendor: Webshop hun

Vulnerable Versions: v1.062S

Tested Version: v1.062S

Advisory Publication: March 01, 2015

Latest Update: April 28, 2015

Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) [CWE-22]

CVE Reference: CVE-2015-2243

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Credit: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Introduction Details:

(1) Vendor & Product Description:

Vendor:

Webshop hun

Product & Version:

Webshop hun

v1.062S

Vendor URL & Download:

Webshop hun can be required from here,

http://www.webshophun.hu/index

Product Introduction Overview:

Webshop hun is an online product sell web application system.

“If our webshop you want to distribute your products, but it is too expensive to find on the internet found solutions, select the Webshop Hun shop program and get web store for free and total maker banner must display at the bottom of the page 468×60 size. The download shop program, there is no product piece limit nor any quantitative restrictions, can be used immediately after installation video which we provide assistance.

“The Hun Shop store for a free for all. In our experience, the most dynamic web solutions ranging from our country. If the Webshop Hun own image does not suit you, you can also customize the look of some of the images and the corresponding text replacement, or an extra charge we can realize your ideas. The Webshop Hun pages search engine optimized. They made the Hun Shop web program to meet efficiency guidelines for the search engines. The pages are easy to read and contain no unnecessary HTML tags. Any web page is simply a few clicks away.”

(2) Vulnerability Details:

Webshop hun web application has a computer security bug problem. It can be exploited by Directory Traversal – Local File Include (LFI) attacks. A local file inclusion (LFI) flaw is due to the script not properly sanitizing user input, specifically path traversal style attacks (e.g. ‘../../’) supplied to the parameters. With a specially crafted request, a remote attacker can include arbitrary files from the targeted host or from a remote host . This may allow disclosing file contents or executing files like PHP scripts. Such attacks are limited due to the script only calling files already on the target host.

Several similar products vulnerabilities have been found by some other bug hunter researchers before. Webshop hun has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to website vulnerabilities.

(2.1) The vulnerability occurs at “&mappa” parameter in “index.php?” page.

References:

http://tetraph.com/security/directory-traversal-vulnerability/webshop-hun-v1-062s-directory-traversal-security-vulnerabilities/

http://securityrelated.blogspot.sg/2015/03/webshop-hun-v1062s-directory-traversal.html

http://packetstormsecurity.com/files/130653/Webshop-Hun-1.062S-Directory-Traversal.html

http://marc.info/?l=full-disclosure&m=142551569801614&w=4

http://lists.openwall.net/full-disclosure/2015/03/05/5

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01902.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1666

http://seclists.org/fulldisclosure/2015/Mar/26

http://lists.kde.org/?a=139222176300014&r=1&w=2

http://webcabinet.tumblr.com/post/118677916572/cve-2015-2243-webshop-hun-v1-062s-directory

https://computerpitch.wordpress.com/2015/05/11/cve-2015-2243-webshop-hun-v1-062s-directory-traversal-web-security-vulnerabilities/

http://www.covertredirect.com/tech/

https://plus.google.com/+essayjeans/posts/4yoeMytdEKx

http://whitehatpost.blog.163.com/blog/static/242232054201541122051794/

http://user.qzone.qq.com/2519094351/blog/1431325305

https://www.facebook.com/permalink.php?story_fbid=734394456671300&id=660347734075973

http://germancast.blogspot.de/2015/05/cve-2015-2243-webshop-hun-v1062s.html

https://twitter.com/essayjeans/status/597645566760226816

http://ittechnology.lofter.com/post/1cfbf60d_6eb449f

Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities

Posted by WhiteHole

Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities

Exploit Title: Feed2JS v1.7 magpie_debug.php? &url parameter XSS Security Vulnerabilities

Product: Feed2JS

Vendor: feed2js.org

Vulnerable Versions: v1.7

Tested Version: v1.7

Advisory Publication: May 09, 2015

Latest Update: May 09, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Proposition Details:

(1) Vendor & Product Description:

Vendor:

feed2js.org

Product & Vulnerable Versions:

Feed2JS

v1.7

Vendor URL & Download:

Feed2JS can be downloaded from here,

https://feed2js.org/index.php?s=download

Source code:

http://www.gnu.org/licenses/gpl.html

Product Introduction Overview:

“What is “Feed to JavaScript? An RSS Feed is a dynamically generated summary (in XML format) of information or news published on other web sites- so when the published RSS changes, your web site will be automatically changed too. It is a rather simple technology that allows you, the humble web page designer, to have this content displayed in your own web page, without having to know a lick about XML! Think of it as a box you define on your web page that is able to update itself, whenever the source of the information changes, your web page does too, without you having to do a single thing to it. This Feed2JS web site (new and improved!) provides you a free service that can do all the hard work for you– in 3 easy steps:

Find the RSS source, the web address for the feed.

Use our simple tool to build the JavaScript command that will display it

Optionally style it up to look pretty.

Please keep in mind that feeds are cached on our site for 60 minutes, so if you add content to your RSS feed, the updates will take at least an hour to appear in any other web site using Feed2JS to display that feed. To run these scripts, you need a web server capable of running PHP which is rather widely available (and free). You will need to FTP files to your server, perhaps change permissions, and make some basic edits to configure it for your system. I give you the code, getting it to work is on your shoulders. I will try to help, but cannot always promise answers.”

(2) Vulnerability Details:

Feed2JS web application has a computer security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other Feed2JS products 0-day vulnerabilities have been found by some other bug hunter researchers before. Feed2JS has patched some of them. “Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services.” Openwall has published suggestions, advisories, solutions details related to XSS vulnerabilities.

(2.1) The first programming code flaw occurs at “&url” parameter in “magpie_debug.php?” page.

References:

http://www.tetraph.com/security/xss-vulnerability/feed2js-v1-7-xss/

http://securityrelated.blogspot.com/2015/05/feed2js-v17-xss-cross-site-scripting.html

http://www.inzeed.com/kaleidoscope/computer-web-security/feed2js-v1-7-xss/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/feed2js-v1-7-xss/

https://vulnerabilitypost.wordpress.com/2015/05/08/feed2js-v1-7-xss/

http://whitehatpost.blog.163.com/blog/static/24223205420154810359682/

https://progressive-comp.com/?l=full-disclosure&m=142907534026807&w=2

https://www.bugscan.net/#!/x/21291

http://bluereader.org/article/27452996

http://lists.openwall.net/full-disclosure/2015/04/15/4

Artnana Webboard version 1.4 XSS (Cross-site Scripting) Web Security Vulnerabilities

Posted by WhiteHole

Artnana Webboard version 1.4 XSS (Cross-site Scripting) Web Security Vulnerabilities

Exploit Title: Artnana Webboard version 1.4 Multiple XSS Security Vulnerabilities

Product: Webboard

Vendor: Artnana

Vulnerable Versions: version 1.4

Tested Version: version 1.4

Advisory Publication: May 09, 2015

Latest Update: May 09, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Proposition Details:

(1) Vendor & Product Description:

Vendor:

Artnana

Product & Vulnerable Versions:

Webboard

version 1.4

Vendor URL & Download:

Webboard can be obtained from here,

http://www.artnana.com/web-d.php

Product Introduction Overview:

“Webboard is Thailand IT company that provide software service. Webboard can make your website easier and convenience. WebBoard is a discussion board where you post messages and participate in discussions with the other people in the course.”

(2) Vulnerability Details:

Artnana Webboard web application has a computer security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other Artnana products 0-day vulnerabilities have been found by some other bug hunter researchers before. Artnana has patched some of them. FusionVM® Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to XSS vulnerabilities.

(2.1) The first programming code flaw occurs at “&keyword” parameter in “search_topic.php?” page.

(2.2) The second programming code flaw occurs at “&keyword” parameter in “search_products.php” page.

References:

http://www.tetraph.com/security/xss-vulnerability/artnana-webboard-version-1-4-xss/

http://securityrelated.blogspot.com/2015/05/artnana-webboard-version-14-xss-cross.html

http://www.inzeed.com/kaleidoscope/computer-web-security/artnana-webboard-version-1-4-xss/

https://vulnerabilitypost.wordpress.com/2015/05/08/artnana-webboard-version-1-4-xss/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/artnana-webboard-version-1-4-xss/

http://whitehatpost.blog.163.com/blog/static/24223205420154895051990/#

https://progressive-comp.com/?a=139222176300014&r=1&w=1

https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-US&OU=0&ItemId=44831

https://www.bugscan.net/#!/x/21221

http://bluereader.org/article/30765597

MT.VERNON MEDIA Web-Design v1.12 HTML Injection Web Security Vulnerabilities

Posted by WhiteHole

MT.VERNON MEDIA Web-Design v1.12 HTML Injection Web Security Vulnerabilities

Exploit Title: MT.VERNON MEDIA Web-Design v1.12 “gallery.php?” &category parameter HTML Injection Security Vulnerabilities

Product: Web-Design v1.12

Vendor: MT.VERNON MEDIA

Vulnerable Versions: v1.12

Tested Version: v1.12

Advisory Publication: May 08, 2015

Latest Update: May 08, 2015

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Proposition Details:

(1) Vendor & Product Description:

Vendor:

MT.VERNON MEDIA

Product & Vulnerable Versions:

Web-Design

v1.12

Vendor URL & Download:

MT.VERNON MEDIA can be obtained from here,

http://www.mtvernonmedia.com/services/WebDesign.html

Google Dork:

“developed by: Mt. Vernon Media”

Product Introduction Overview:

“In today’s economy every business is more focused on ROI (Return On Investment) than ever before. We’ll help you ensure a solid ROI for your website, not only making it effective and easy to use for your clients, but helping you to drive traffic to your site and ensuring effective content and design to turn traffic into solid leads, sales, or repeat customers. We offer custom design and development services tailored to your needs and specifications drawn up jointly with you to ensure that the appropriate technology is leveraged for optimum results, creating a dynamic and effective design, based on market effectiveness and user-friendly design standards. Our developers are experts in web application development using various programming languages including Perl, SQL, C, C+, and many other back-end programming languages, as well as database integration. For a view of some of your past projects, take a look at our list of clients. We handle custom development of your Internet project from conception through publication:

Internet & Intranet sites

Design concepts, layouts, and specifications

Intuitive Graphical User Interface (GUI) design

Dynamic navigation design

Creation and manipulation of graphical design elements

GIF Animation

Flash development

HTML hand-coding and debugging

JavaScript for interactivity and error-checking

ASP (Active Server Pages)

Customized Perl CGI scripts (mailing lists, form submission, etc)

Customized application development in varied programming languages

Site publication and promotion

On-going updating and maintenance

Banner ads”

(2) Vulnerability Details:

MT.VERNON MEDIA web application has a computer security bug problem. It can be exploited by stored HTML Injection attacks. Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user’s trust.

Several other MT.VERNON MEDIA products 0-day vulnerabilities have been found by some other bug hunter researchers before. MT.VERNON MEDIA has patched some of them. BugScan is the first community-based scanner, experienced five code refactoring. It has redefined the concept of the scanner provides sources for the latest info-sec news, tools, and advisories. It also publishs suggestions, advisories, solutions details related to HTML vulnerabilities.

(2.1) The first programming code flaw occurs at “&category” parameter in “gallery.php?” page.

References:

http://www.tetraph.com/security/html-injection/mt-vernon-media-web-design-v1-12-html-injection/

http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-html.html

http://www.inzeed.com/kaleidoscope/computer-web-security/mt-vernon-media-web-design-v1-12-html-injection/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/mt-vernon-media-web-design-v1-12-html-injection/

https://vulnerabilitypost.wordpress.com/2015/05/08/mt-vernon-media-web-design-v1-12-html-injection/

http://whitehatpost.blog.163.com/blog/static/24223205420154893850881/

https://progressive-comp.com/?l=full-disclosure&m=142907520526783&w=2

https://www.bugscan.net/#!/x/21454

http://seclists.org/fulldisclosure/2015/Apr/37

http://lists.openwall.net/full-disclosure/2015/04/15/3

Computer & Web Vulnerabilities

– Topics Related to IT Information Security

Web Security

Daily mail Registration Page Unvalidated Redirects and Forwards Web Security Problem

CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

Bugtraq ID 75176 – 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

Rakuten Website Search Page XSS (cross site scripting) Web Security Vulnerability

CVE-2015-2243 Webshop hun v1.062S Directory Traversal Web Security Vulnerabilities

Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities

Artnana Webboard version 1.4 XSS (Cross-site Scripting) Web Security Vulnerabilities

MT.VERNON MEDIA Web-Design v1.12 HTML Injection Web Security Vulnerabilities