Daily Mail Online Website XSS Cyber Security Zero-Day Vulnerability

Daily Mail Online Website XSS Cyber Security Zero-Day Vulnerability



Website Description:
“The Daily Mail is a British daily middle-market tabloid newspaper owned by the Daily Mail and General Trust. First published in 1896 by Lord Northcliffe, it is the United Kingdom’s second biggest-selling daily newspaper after The Sun. Its sister paper The Mail on Sunday was launched in 1982. Scottish and Irish editions of the daily paper were launched in 1947 and 2006 respectively. The Daily Mail was Britain’s first daily newspaper aimed at the newly-literate “lower-middle class market resulting from mass education, combining a low retail price with plenty of competitions, prizes and promotional gimmicks”, and was the first British paper to sell a million copies a day. It was at the outset a newspaper for women, the first to provide features especially for them, and as of the second-half of 2013 had a 54.77% female readership, the only British newspaper whose female readers constitute more than 50% of its demographic. It had an average daily circulation of 1,708,006 copies in March 2014. Between July and December 2013 it had an average daily readership of approximately 3.951 million, of whom approximately 2.503 million were in the ABC1 demographic and 1.448 million in the C2DE demographic. Its website has more than 100 million unique visitors per month.” (Wikipedia)

 

Domain Name:
http://www.dailymail.co.uk/

The Alexa rank of it is 93 on January 01 2015. It is one of the most popular websites in the United Kingdom.

 

dailymail_uk_xss

 

(1) Vulnerability description:

Daily Mail has a security problem. Criminals can exploit it by XSS attacks.

The vulnerability occurs at “reportAbuseInComment.html?” page with “&commentId” parameter, i.e.
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=877038

 

 

POC Code:

http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=”><img src=x onerror=prompt(‘justqdjing’)>

The vulnerability can be attacked without user log in. Tests were performed on Mozilla Firefox (34.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in Windows 7.

 

Poc Video:
https://www.youtube.com/watch?v=Oig-ZrlJDf8&feature=youtu.be

 

Blog Detail:
http://tetraph.com/security/web-security/daily-mail-xss-bug/
http://securityrelated.blogspot.com/2015/10/daily-mail-online-website-xss-cyber.html
https://vulnerabilitypost.wordpress.com/2015/10/30/daily-mail-xss/

 

(2) What is XSS?

“Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner.” (Wikipedia)

 

 

 

(3) Vulnerability Disclosure:

This vulnerability has been patched.

 

 

 

Discoved and Disclosured By:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

 

 

 

 

 

Reference:
https://packetstormsecurity.com/files/134189/Daily-Mail-Unvalidated-Redirect
http://news.softpedia.com/news/the-telegraph-and-daily-mail-fix-xss
https://www.secnews.gr/dailymail_open_redirect_bug
http://whitehatview.tumblr.com/post/132726489926/daily-mail-xss
http://sys-secure.es/daily-mail-registration-page-unvalidated
http://itsecuritynews.info/tag/jing-wang/
http://itsecurity.lofter.com/post/1cfbf9e7_8d45d6b
http://computerobsess.blogspot.com/2015/11/daily-mail-xss.html
https://computertechhut.wordpress.com/2015/11/04/daily-mail-xss/
http://marc.info/?l=full-disclosure&m=144651836427184&w=4

Advertisements

VuFind 1.0 Reflected XSS (Cross-site Scripting) Application 0-Day Web Security Bug

VuFind 1.0 Reflected XSS (Cross-site Scripting) Application 0-Day Web Security Bug

 

Exploit Title: VuFind Results? &lookfor parameter Reflected XSS Web Security Vulnerability

Product: VuFind

Vendor: VuFind

Vulnerable Versions: 1.0

Tested Version: 1.0

Advisory Publication: September 20, 2015

Latest Update: September 25, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

mnpals_net_vufind_xss2

 

vufind_cmu_xss1




Caution Details:

 

(1) Vendor & Product Description:



Vendor:

VuFind

 

Product & Vulnerable Versions:

VuFind

1.0

 

Vendor URL & Download:

Product can be obtained from here,
http://sourceforge.net/p/vufind/news/

 

Product Introduction Overview:

“VuFind is a library resource portal designed and developed for libraries by libraries. The goal of VuFind is to enable your users to search and browse through all of your library’s resources by replacing the traditional OPAC to include: Catalog Records, Locally Cached Journals, Digital Library Items, Institutional Repository, Institutional Bibliography, Other Library Collections and Resources. VuFind is completely modular so you can implement just the basic system, or all of the components. And since it’s open source, you can modify the modules to best fit your need or you can add new modules to extend your resource offerings. VuFind runs on Solr Energy. Apache Solr, an open source search engine, offers amazing performance and scalability to allow for VuFind to respond to search queries in milliseconds time. It has the ability to be distributed if you need to spread the load of the catalog over many servers or in a server farm environment. VuFind is offered for free through the GPL open source license. This means that you can use the software for free. You can modify the software and share your successes with the community! Take a look at our VuFind Installations Wiki page to see how a variety of organizations have taken advantage of VuFind’s flexibility. If you are already using VuFind, feel free to edit the page and share your accomplishments. “

 

 

 

(2) Vulnerability Details:

VuFind web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug researchers before. VuFind has patched some of them. “scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training”.

 

(2.1) The code flaw occurs at “lookfor?” parameter in “/vufind/Resource/Results?” page.

 

Some other researcher has reported a similar vulnerability here and VuFind has patched it.
https://vufind.org/jira/si/jira.issueviews:issue-html/VUFIND-54/VUFIND-54.html

 

 

 

(3) Solution:

Update to new version.

 

 

 

 

References:
http://tetraph.com/security/xss-vulnerability/vufind-xss/
http://russiapost.blogspot.ru/2015/09/vufind-xss-issue.html
https://infoswift.wordpress.com/2015/09/25/vufind-issue/
http://www.openwall.com/lists/oss-security/2015/09/25/2
http://whitehatview.tumblr.com/post/129834589981/vufind-xss-bugs
http://itsecurity.lofter.com/post/1cfbf9e7_854cb25
https://progressive-comp.com/?l=oss-security&m=144316469829656&w=1
http://essayjeans.blog.163.com/blog/static/23717307420158253407863/
http://seclists.org/oss-sec/2015/q3/639
http://frenchairing.blogspot.fr/2015/09/vufind-bug.html
https://itswift.wordpress.com/2015/09/22/vufind-0day/
http://permalink.gmane.org/gmane.comp.security.oss.general/17836

 

 

FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities

fc2_com_2

 

FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities

 

Domain:
fc2.com

“FC2 (founded July 20, 1999) is a popular Japanese blogging host, the third most popular video hosting service in Japan (after YouTube and Niconico), and a web hosting company headquartered in Las Vegas, Nevada. It is the sixth most popular website in Japan overall (as of January 2014). FC2 is an abbreviation of “Fantastic Kupi-Kupi (クピクピ)”. It is known to allow controversial adult content such as pornography and hate speech (unlike many of its competitors). The company uses rented office space for its headquarters which it shares with many other U.S.-based businesses. It also pays taxes in the United States. The physical servers are located in the United States. However, it is believed that the majority of the company and its users (including employees) are located within Japan” (Wikipedia)

 

The Alexa rank of fc2.com is 52 on February 18 2015. It is the toppest Japanese local website sevice.

 

 

 

(1) Vulnerability Description:

FC2 online web service has a computer cyber security bug problem. It can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: “An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.” One consequences of it is Phishing. (OWASP)

 

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

 

In fact, during the test, it is not hard to find URL Redirection bugs in FC2. Maybe fc2.com pays little attention to mitigate these Vulnerabilities. These bugs were found by using URFDS.

 

 

 

(2) Use one of webpages for the following tests. The webpage address is “http://securitypost.tumblr.com/“. Can suppose that this webpage is malicious.

 

 

Vulnerability Disclosure:
Those vulnerabilities were reported to Rakuten, they are still unpatched.

 

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

 

==================

 

 

 

FC2オンラインWebサービスオープンリダイレクト(未検証のリダイレクトとフォワード)サイバー·セキュリティの脆弱性

 

ドメイン:
fc2.com

(1999年7月20日に設立)」FC2は、日本の人気ブログのホスト、(YouTubeやニコニコ後)は、日本で3番目に人気のビデオホスティングサービス、およびラスベガス、ネバダ州に本社を置くウェブホスティング会社です。それは第六最も人気のあります日本のウェブサイトは、全体的な。(2014年1月のように)FC2はの略で、「ファンタスティックKupi-Kupi(クピクピ)」。このようなポルノのような論争のアダルトコンテンツを許可し、(競合他社の多くとは異なり)スピーチを憎むことが知られています。」 (ウィキペディア)

 

fc2.comのAlexaのランクはそれがtoppest日本のローカルウェブサイトの流通サービスである2月18日2015年52あります。

 

 

 

(1)脆弱性の説明:

FC2オンラインWebサービスは、コンピュータのサイバーセキュリティバグの問題があります。それは、オープンリダイレクト(未検証のリダイレクトとフォワード)攻撃によって悪用される可能性があります。ここでオープンリダイレクトの説明は次のとおりです。「オープンリダイレクトがパラメータを受け取り、何の検証も行わずにパラメータ値にユーザーをリダイレクトするアプリケーションです。この脆弱性は、それを実現することなく、悪質なサイトを訪問するユーザーを取得するためにフィッシング攻撃で使用されています。。 “それの一つの結果はフィッシングで​​す。 (OWASP)

 

プログラムコードの欠陥は、ユーザのログインなしで攻撃される可能性があります。テストは、Windows 7のMicrosoftのIE(9 9.0.8112.16421)で行われた、Mozilla Firefoxの(37.0.2)&グーグルクロム42.0.2311のUbuntuの(64ビット)(14.04.2)はMac OSのアップルのSafari 6.1.6 X v10.9マーベリックス。

 

実際には、テスト時には、FC2内のURLリダイレクトのバグを見つけることは難しいことではありません。多分fc2.comは、これらの脆弱性を軽減するためにはほとんど注意を払っています。

 

 

 

(2)以下の試験のためのWebページのいずれかを使用します。ウェブページアドレスは「http://securitypost.tumblr.com/」です。このウェブページに悪意であるとすることができます。

 

 

脆弱性の公開:
これらの脆弱性は楽天に報告された、彼らはまだパッチを適用していないです。

 

 

発見し、レポーター:
王ジン (Wang Jing)、数理科学研究部門(MAS)、物理的および数理科学科(SPMS)、南洋理工大学(NTU)、シンガポール。 (@justqdjing
http://www.tetraph.com/wangjing

FC2 fc2.com Online Website URLs XSS (cross site scripting) Vulnerabilities (All URLs Under Domain blog.fc2.com/tag)

fki_21

 
FC2 fc2.com Online Website URLs XSS (cross site scripting) Vulnerabilities (All URLs Under Domain blog.fc2.com/tag)

 

Domain:
blog.fc2.com/

“FC2 (founded July 20, 1999) is a popular Japanese blogging host, the third most popular video hosting service in Japan (after YouTube and Niconico), and a web hosting company headquartered in Las Vegas, Nevada. It is the sixth most popular website in Japan overall (as of January 2014). FC2 is an abbreviation of “Fantastic Kupi-Kupi (クピクピ)”. It is known to allow controversial adult content such as pornography and hate speech (unlike many of its competitors). The company uses rented office space for its headquarters which it shares with many other U.S.-based businesses. It also pays taxes in the United States. The physical servers are located in the United States. However, it is believed that the majority of the company and its users (including employees) are located within Japan” (Wikipedia)

 

The Alexa rank of fc2.com is 52 on February 18 2015. It is the toppest Japanese local website sevice.

 

 

fc2_blog_xss1

 

 

fc2_blog_xss2

 

 

 

(1) Vulnerability description:

FC2 has a computer cyber security bug problem. It is vulnerable to XSS attacks. Here is the description of XSS: “Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records. Cross-site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques Cross-site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet.” (Acunetix)

 

The programming code flaw occurs at fc2 URLs’ filenames . Fc2 only filter part of the filenames in the urls. Almost all urls are affected under domain blog.fc2.com/tag are affected. i.e.
http://blog.fc2.com/tag/drug/
http://blog.fc2.com/tag//アメリカ/
http://blog.fc2.com/tag/tag/翻訳
http://blog.fc2.com/tag//>レシピブログに参加中♪

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (37.02) in Ubuntu (14.04) and IE (9.0.15) in Windows 7. The bugs found by using CSXDS.

 

POC Code:
http://blog.fc2.com/tag/drug//“><img src=x onerror=prompt(‘justqdjing’)>
http://blog.fc2.com/tag//アメリカ//“><img src=x onerror=prompt(‘justqdjing’)>
http://blog.fc2.com/tag/tag/翻訳//“><img src=x onerror=prompt(‘justqdjing’)>
http://blog.fc2.com/tag//>レシピブログに参加中//”><img src=x onerror=prompt(‘justqdjing’)>

 

 

 

Vulnerability Disclosure:
Those vulnerabilities were reported to rakuten-cert@rakuten.co.jp in 2014. No one replied. Until now, they are still unpatched.

 

 

Bug Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

 

=================================

 

 

FC2 fc2.comオンラインのウェブサイトのURL XSS(クロスサイトスクリプティング)脆弱性(ドメインblog.fc2.com/tag下にあるすべてのURL)

 

ドメイン:
blog.fc2.com/

“FC2(エフシーツー)は、アメリカ合衆国ネバダ州ラスベガスに本社を置く、Webサービスおよびホスティングサービスを展開する企業。日本を中心に事業展開を行なっている。社名のFC2は「ファンタスティック・クピ・クピ」の略であるとしている。 会社の代表者は、設立当初から2008年までは日本人の高橋理洋(CEO)が務めたが、2009年からMaurice Bannon、2012年にはLance Wolff Kerness、2014年はDEREK G ROWLEYが務めている。” (ja.wikipedia.org)

 

 

(1)脆弱性の説明:

FC2は、コンピュータのサイバーセキュリティバグの問題があります。これは、XSS攻撃に対して脆弱です。ここでXSSの説明は次のとおりです。「ハッカーは常にWebサイトやWebアプリケーションを侵害し、クレジットカード番号、社会保障番号、さらには医療記録などの機密データの宝庫でオフにする技術をハッキングの幅広いレパートリーで実験されている4クロス。サイトスクリプティングは、(また、XSSやCSSとして知られる)は、一般のVBScript、ActiveXの、HTML、またはFlashはに対して脆弱動的ページに、攻撃者が悪意のあるJavaScriptを埋め込むことができ、最も一般的なアプリケーション層ハッキング技術クロスサイトスクリプティングの一つであると考えられていますデータを収集するために、自分のマシン上でスクリプトを実行して、ユーザーをだます。XSSの使用が有効なユーザーの方に誤解されるか、または最後に悪質なコードを実行できる要求を作成し、操作したり、クッキーを盗む、個人情報を危険にさらす可能性があります-userシステムでは、データは通常、悪質なコンテンツを含むハイパーリンクとしてフォーマットされ、インターネット上の任意の可能な手段を介して配布されています。」 (会社のAcunetix)

 

プログラミングコードの欠陥は、FC2のURL」のファイル名で発生します。 FC2は、URLだけでファイル名の一部をフィルタリングします。ほぼすべてのURLが影響を受けますblog.fc2.com/tagドメインの下に影響を受けています。すなわちhttp://blog.fc2.com/tag/drug/
http://blog.fc2.com/tag//アメリカ/
http://blog.fc2.com/tag/tag/翻訳
http://blog.fc2.com/tag//>レシピブログに参加中♪

 

この脆弱性は、ユーザのログインなしで攻撃される可能性があります。試験は、Windows 7でのUbuntuでのFirefox(37.02)(14.04)およびIE(9.0.15)で行いました。

 

 

POCコード:
http://blog.fc2.com/tag/drug//“><img SRC = X onerror = alert( ‘justqdjing’)>
http://blog.fc2.com/tag//アメリカ// “> <IMG src = X onerror = alert( ‘justqdjing’)>
http://blog.fc2.com/tag/tag/翻訳// “> <IMG src = X onerror = alert( ‘justqdjing’)>
http://blog.fc2.com/tag//>レシピブログに参加中// “> <IMG src = X onerror =alert( ‘justqdjing’)>

 

 

 

脆弱性の公開:
これらの脆弱性は誰も答えていない2014年にrakuten-cert@rakuten.co.jpすることが報告されました。今までは、彼らはまだパッチを適用していないです。

 

 

バグを発見:
王ジン (Wang Jing)、数理科学研究部門(MAS)、物理的および数理科学科(SPMS)、南洋理工大学(NTU)、シンガポール。 (@justqdjing
http://www.tetraph.com/wangjing

Rakuten Online Website Open Redirect (URL Redirection) Cyber Security Vulnerabilities

rakuten_jp_1

 

Rakuten Online Website Open Redirect (URL Redirection) Cyber Security Vulnerabilities

 

Domain:
rakuten.com




“Rakuten, Inc. (楽天株式会社 Rakuten Kabushiki-gaisha?) is a Japanese electronic commerce and Internet company based in Tokyo, Japan. Its B2B2C e-commerce platform Rakuten Ichiba is the largest e-commerce site in Japan and among the world’s largest by sales. Hiroshi Mikitani founded the company in February 1997 as MDM, Inc., and is still its chief executive. Rakuten Shopping Mall (楽天市場 Rakuten Ichiba?) started operations in May 1997. In June 1999, the company changed its name to Rakuten, Inc. The Japanese word rakuten means optimism. In 2012, the company’s revenues totaled US$4.6 billion with operating profits of about US$244 million. In June 2013, Rakuten, Inc. reported it had a total of 10,351 employees worldwide. In 2005, Rakuten started expanding outside Japan, mainly through acquisitions and joint ventures. Its acquisitions include Buy.com (now Rakuten.com Shopping in the US), Priceminister (France), Ikeda (now Rakuten Brasil), Tradoria (now Rakuten Deutschland), Play.com (UK), Wuaki.tv (Spain), and Kobo Inc. (Canada). The company has investments in Pinterest, Ozon.ru, AHA Life, and Daily Grommet.” (Wikipedia)

 

The Alexa rank of rakuten.co.jp is 64 on May 29 2015. It is the second toppest Japanese local sevice website.




(1) Vulnerability Description:

Rakuten online website has a computer cyber security bug problem. It can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.” (From CWE)

 

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

 

Since know only a little Japanese, not sure whether Rakuten pays much attention to Open Redirect Vulnerabilities or not. These bugs were found by using URFDS.

 

 

 

(2) Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. Can suppose that this webpage is malicious.

 

Vulnerable URL 1:

POC Code:

 

Vulnerable URL 2:

POC Code:

 

Vulnerable URL 3:

POC Code:

 

 

Vulnerability Disclosure:

Those vulnerabilities are not patched now.

 

 

 

Bug Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

 

============

 

 

 

楽天オンラインサイトオープンリダイレクト(URLリダイレクション)サイバー·セキュリティの脆弱性

 

ドメイン:
rakuten.com




「楽天株式会社は、(楽天株式会社楽天株式会社-gaisha?)東京、日本に拠点を置く日本の電子商取引やインターネット企業です。そのB2B2Cの電子商取引プラットフォーム楽天市場は、日本最大の電子商取引サイトで、世界の中で販売による最大。三木谷浩史は、MDM、株式会社として1997年2月で会社を設立し、さらにその最高経営責任者(CEO)である。楽天ショッピングモール(楽天市場楽天市場?)1999年6月1997年5月で事業を開始し、同社は社名変更楽天株式会社に日本語ワード楽天楽観を意味している。2012年には、同社の売上高は、米国約US2.44億ドルの営業利益との46億ドルとなりました。2013年6月には、楽天株式会社は、それが世界中の10351名の従業員を有していたと報告した。で2005年、楽天は、主に買収や合弁事業を通じて、日本国外で拡大し始めた。その買収は、Buy.com(米国で今Rakuten.comショッピング)、Priceminister(フランス)、池田(現楽天ブラジル)、Tradoria(今楽天ドイツ)が挙げられます、Play.com(英国)、Wuaki.tv(スペイン)、およびコボ(カナダ)。同社はPinterest、Ozon.ru、AHA生活、毎日のグロメットで投資を行っている。」(ウィキペディア)

 

rakuten.co.jpのAlexaのランクは、第2 toppest日本の地方流通サービスのウェブサイトである5月29日2015年64あります。





(1)脆弱性の説明:

楽天のオンラインウェブサイトは、コンピュータのサイバーセキュリティバグの問題があります。それは、オープンリダイレクト(未検証のリダイレクトとフォワード)攻撃によって悪用される可能性があります。ここでオープンリダイレクトの説明は次のとおりです。「Webアプリケーションは外部サイトへのリンクを指定するユーザ制御入力を受け付け、リダイレクトでそのリンクを使用しています。これは、フィッシング攻撃を簡素化HTTPパラメータがURL値が含まれており、可能性があります。。指定されたURLに要求をリダイレクトするようにWebアプリケーションを引き起こす。悪質なサイトへのURLの値を変更することにより、攻撃者がフィッシング詐欺を起動し、ユーザーの資格情報を盗むことができる。変更されたリンク内のサーバー名が、元のサイトと同じであるため、フィッシングの試みは、より信頼性の高い外観を持っています。」 (CWEから)

 

プログラムコードの欠陥は、ユーザのログインなしで攻撃される可能性があります。テストは、Windows 7のMicrosoftのIE(9 9.0.8112.16421)で行われた、Mozilla Firefoxの(37.0.2)&グーグルクロム42.0.2311のUbuntuの(64ビット)(14.04.2)はMac OSのアップルのSafari 6.1.6 X v10.9マーベリックス。

 

楽天リダイレクトの脆弱性かどうかを開くために多くの注意を払っているかどうかわからない、少しだけ日本語を知っているので。

 




 

 

 

(2)以下の試験のためのWebページのいずれかを使用します。ウェブページアドレスは「http://itinfotech.tumblr.com/」です。このウェブページに悪意であるとすることができます。

 

脆弱URL 1:

POCコード:

 

脆弱URL 2:

POCコード:

 

脆弱URL 3:

POCコード:

 

 

脆弱性の公開:

これらの脆弱性は、現在パッチが適用されていません。

 

 

 

バグを発見:
王ジン (Wang Jing)、数理科学研究部門(MAS)、物理的および数理科学科(SPMS)、南洋理工大学(NTU)、シンガポール。 (@justqdjing
http://www.tetraph.com/wangjing



CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

cit_e_net
 

CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: Cit-e-Access

Vendor: Cit-e-Net

Vulnerable Versions: Version 6

Tested Version: Version 6

Advisory Publication: February 12, 2015

Latest Update: June 01, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8753

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

Instruction Details:

(1) Vendor & Product Description:




Vendor:

Cit-e-Net

 

 

Product & Version:

Cit-e-Access

Version 6

 

 

Vendor URL & Download:

Cit-e-Net can be downloaded from here,

 

 

Product Introduction:

“We are a premier provider of Internet-based solutions encompassing web site development and modular interactive e-government applications which bring local government, residents and community businesses together.

Cit-e-Net provides a suite of on-line interactive services to counties, municipalities, and other government agencies, that they in turn can offer to their constituents. The municipal government achieves a greater degree of efficiency and timeliness in conducting the daily operations of government, while residents receive improved and easier access to city hall through the on-line access to government services.


Our web-based applications can help your municipality to acheive its e-government goals. Type & click website content-management empowers the municipality to manage the website quickly and easily. Web page styles & formats are customizable by the municipality, and because the foundation is a database application, user security can be set for individual personnel and module applications. Our application modules can either be integrated into your existing municipal web site or implemented as a complete web site solution. It’s your choice! Please contact us at info@cit-e.net to view a demonstration of our municipal web site solution if you are an elected official or member of municipal management and your municipality is looking for a cost efficient method for enhancing & improving municipal services.


Interactive Applications

Online Service Requests

Online Tax Payments by ACH electronic-check or credit card.

Online Utility Payments by ACH electronic-check or credit card.

Online General-Payments by ACH electronic-check or credit card.

Submit Volunteer Resume’s Online for the municipality to match your skills with available openings.”

 

 

 

(2) Vulnerability Details:

Cit-e-Access web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several similar products 0Day vulnerabilities have been found by some other bug hunter researchers before. Cit-i-Access has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to important vulnerabilities.

 

 

(2.1) The first programming code flaw occurs at “/eventscalendar/index.cfm?” page with “&DID” parameter in HTTP GET.

(2.2) The second programming code flaw occurs at “/search/index.cfm?” page with “&keyword” parameter in HTTP POST.

(2.3) The third programming code flaw occurs at “/news/index.cfm” page with “&jump2” “&DID” parameter in HTTP GET.

(2.4) The fourth programming code flaw occurs at “eventscalendar?” page with “&TPID” parameter in HTTP GET.

(2.5) The fifth programming code flaw occurs at “/meetings/index.cfm?” page with “&DID” parameter in HTTP GET.

 

 

 

 

(3) Solutions:

Leave message to vendor. No response.
http://www.cit-e.net/contact.cfm

 

 

 

 

 

References:
http://seclists.org/fulldisclosure/2015/Feb/48
http://lists.openwall.net/full-disclosure/2015/02/13/2
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1587
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01683.html
https://computerpitch.wordpress.com/2015/06/07/cve-2014-8753/
http://webtechhut.blogspot.com/2015/06/cve-2014-8753.html
https://www.facebook.com/websecuritiesnews/posts/804176613035844
https://twitter.com/tetraphibious/status/607381197077946368
http://biboying.lofter.com/post/1cc9f4f5_7356826
http://shellmantis.tumblr.com/post/120903342496/securitypost-cve-2014-8753
http://itprompt.blogspot.com/2015/06/cve-2014-8753.html
http://whitehatpost.blog.163.com/blog/static/24223205420155710559404/
https://plus.google.com/u/0/113115469311022848114/posts/FomMK9BGGx2
https://www.facebook.com/pcwebsecurities/posts/702290949916825
http://securitypost.tumblr.com/post/120903225352/cve-2014-8753-cit-e-net
http://webtech.lofter.com/post/1cd3e0d3_7355910
http://www.inzeed.com/kaleidoscope/cves/cve-2014-8753/
http://diebiyi.com/articles/security/cve-2014-8753/

 

 

 

CVE-2014-4134 – phpwind v8.7 Unvalidated Redirects and Forwards Web Security Vulnerabilities

phpwind_xss2

 

CVE-2014-4134 – phpwind v8.7 Unvalidated Redirects and Forwards Web Security Vulnerabilities

 

Exploit Title: phpwind v8.7 goto.php? &url Parameter Open Redirect Security Vulnerabilities

Product: phpwind

Vendor: phpwind

Vulnerable Versions: v8.7

Tested Version: v8.7

Advisory Publication: May 25, 2015

Latest Update: May 25, 2015

Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]

CVE Reference: CVE-2014-4134

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification

Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

Caution Details:

 

(1) Vendor & Product Description:

Vendor:

phpwind

 

Product & Vulnerable Versions:

phpwind

v8.7

 

Vendor URL & Download:

Product can be obtained from here,

http://www.phpwind.net/thread/166

 

Product Introduction Overview:

“Today, the country’s 200,000 worth of small sites, there are nearly 100,000 community site uses phpwind, has accumulated more than one million sites use phpwind, there are 1,000 new sites every day use phpwind. These community sites covering 52 types of trades every day one million people gathered in phpwind build community, issued 50 million new information, visit more than one billion pages. National Day PV30 million or more in 1000 about a large community, there are more than 500 sites selected phpwind station software provided, including by scouring link Amoy satisfaction, a daily e-commerce and marketing groups, and other on-line product vigorously increase in revenue for the site. Excellent partners, such as Xiamen fish, of Long Lane, Erquan network, Kunshan forum, the North Sea 360, Huizhou West Lake, Huashang like.

phpwind recent focus on strengthening community media value, expand e-commerce applications community. phpwind focus on small sites to explore the value of integration and applications, we believe that the website that is community, the community can provide a wealth of applications to meet people access to information, communication, entertainment, consumer and other living needs, gain a sense of belonging, become online home . With the development of the Internet, in the form of the site will be more abundant, the integration of the Forum, more forms of information portals, social networking sites, we will integrate these applications to products which, and to create the most optimized user experience. phpwind mission is to make the community more valuable, so that more people enjoy the convenience of the Internet community in order to enhance the quality of life.”

 

 

 

(2) Vulnerability Details:

phpwind web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. phpwind has patched some of them. The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here! It also publishs suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

(2.1) The first programming code flaw occurs at “&url” parameter in “/goto.php?” page.

 

 

 

 

 

References:

http://www.tetraph.com/security/open-redirect/phpwind-v8-7-open-redirect/

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01741.html

https://itswift.wordpress.com/2015/05/24/phpwind-v8-7-open-redirect/

http://whitehatpost.blog.163.com/blog/static/242232054201542495731506/

http://cxsecurity.com/issue/WLB-2015030028

http://seclists.org/fulldisclosure/2015/Apr/35

http://www.openwall.com/lists/oss-security/2015/05/22/7

http://permalink.gmane.org/gmane.comp.security.oss.general/16883

https://www.facebook.com/websecuritiesnews/posts/796475067139332

http://computerobsess.blogspot.com/2015/05/phpwind-v87-open-redirect.html

http://lists.openwall.net/full-disclosure/2015/04/15/1

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1841