Tag Archives: IT News

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

14 Sunday Jun 2015

Posted by in 0day, CRLF, Web Application

Leave a comment

Tags

, , , , , , , , , , , , , , , ,

netcat_1

 

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

 

Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: March 07, 2015

Latest Update: March 07, 2015

Vulnerability Type: Improper Neutralization of CRLF Sequences (‘CRLF Injection’) [CWE-93]

CVE Reference: *

OSVDB Reference: 119342, 119343

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

Advisory Details:



(1) Vendor & Product Description:



Vendor:

NetCat

 

Product & Version:

NetCat

5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

 

Vendor URL & Download:

NetCat can be got from here,

http://netcat.ru/

 

Product Introduction:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”

“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”

 

 

 

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to CRLF vulnerabilities and cyber intelligence recommendations.

(2.1) The first code flaw occurs at “/post.php” page with “redirect_url” parameter by adding “%0d%0a%20”.

(2.2) The second code flaw occurs at “redirect.php?” page with “url” parameter by adding “%0d%0a%20”.

 

 

 

 

Reference:
http://www.osvdb.org/show/osvdb/119342
http://www.osvdb.org/show/osvdb/119343
http://lists.openwall.net/full-disclosure/2015/03/07/3
http://seclists.org/fulldisclosure/2015/Mar/36
http://marc.info/?l=full-disclosure&m=142576233403004&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01768.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1676
http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://essayjeans.blog.163.com/blog/static/23717307420155142423197/
http://computerobsess.blogspot.com/2015/06/osvdb-119342-netcat-crlf.html
http://diebiyi.com/articles/bugs/netcat-cms-crlf
http://tetraph.blog.163.com/blog/static/234603051201551423749286/
https://webtechwire.wordpress.com/2015/03/14/osvdb-119342-netcat-crlf/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms

CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

07 Sunday Jun 2015

Posted by in CVE, XSS

Leave a comment

Tags

, , , , , , , , , , , , , , , ,

18638880
 

CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: Cit-e-Access

Vendor: Cit-e-Net

Vulnerable Versions: Version 6

Tested Version: Version 6

Advisory Publication: February 12, 2015

Latest Update: June 01, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8753

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

Instruction Details:

(1) Vendor & Product Description:




Vendor:

Cit-e-Net

 

 

Product & Version:

Cit-e-Access

Version 6

 

 

Vendor URL & Download:

Cit-e-Net can be downloaded from here,

 

 

Product Introduction:

“We are a premier provider of Internet-based solutions encompassing web site development and modular interactive e-government applications which bring local government, residents and community businesses together.

Cit-e-Net provides a suite of on-line interactive services to counties, municipalities, and other government agencies, that they in turn can offer to their constituents. The municipal government achieves a greater degree of efficiency and timeliness in conducting the daily operations of government, while residents receive improved and easier access to city hall through the on-line access to government services.


Our web-based applications can help your municipality to acheive its e-government goals. Type & click website content-management empowers the municipality to manage the website quickly and easily. Web page styles & formats are customizable by the municipality, and because the foundation is a database application, user security can be set for individual personnel and module applications. Our application modules can either be integrated into your existing municipal web site or implemented as a complete web site solution. It’s your choice! Please contact us at info@cit-e.net to view a demonstration of our municipal web site solution if you are an elected official or member of municipal management and your municipality is looking for a cost efficient method for enhancing & improving municipal services.


Interactive Applications

Online Service Requests

Online Tax Payments by ACH electronic-check or credit card.

Online Utility Payments by ACH electronic-check or credit card.

Online General-Payments by ACH electronic-check or credit card.

Submit Volunteer Resume’s Online for the municipality to match your skills with available openings.”

 

 

 

(2) Vulnerability Details:

Cit-e-Access web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several similar products 0Day vulnerabilities have been found by some other bug hunter researchers before. Cit-i-Access has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to important vulnerabilities.

 

 

(2.1) The first programming code flaw occurs at “/eventscalendar/index.cfm?” page with “&DID” parameter in HTTP GET.

(2.2) The second programming code flaw occurs at “/search/index.cfm?” page with “&keyword” parameter in HTTP POST.

(2.3) The third programming code flaw occurs at “/news/index.cfm” page with “&jump2” “&DID” parameter in HTTP GET.

(2.4) The fourth programming code flaw occurs at “eventscalendar?” page with “&TPID” parameter in HTTP GET.

(2.5) The fifth programming code flaw occurs at “/meetings/index.cfm?” page with “&DID” parameter in HTTP GET.

 

 

 

 

(3) Solutions:

Leave message to vendor. No response.
http://www.cit-e.net/contact.cfm

 

 

 

 

 

References:
http://seclists.org/fulldisclosure/2015/Feb/48
http://lists.openwall.net/full-disclosure/2015/02/13/2
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1587
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01683.html
https://computerpitch.wordpress.com/2015/06/07/cve-2014-8753/
http://webtechhut.blogspot.com/2015/06/cve-2014-8753.html
https://www.facebook.com/websecuritiesnews/posts/804176613035844
https://twitter.com/tetraphibious/status/607381197077946368
http://biboying.lofter.com/post/1cc9f4f5_7356826
http://shellmantis.tumblr.com/post/120903342496/securitypost-cve-2014-8753
http://itprompt.blogspot.com/2015/06/cve-2014-8753.html
http://whitehatpost.blog.163.com/blog/static/24223205420155710559404/
https://plus.google.com/u/0/113115469311022848114/posts/FomMK9BGGx2
https://www.facebook.com/pcwebsecurities/posts/702290949916825
http://securitypost.tumblr.com/post/120903225352/cve-2014-8753-cit-e-net
http://webtech.lofter.com/post/1cd3e0d3_7355910
http://www.inzeed.com/kaleidoscope/cves/cve-2014-8753/
http://diebiyi.com/articles/security/cve-2014-8753/

 

 

 

CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities

04 Saturday Apr 2015

Posted by in CVE, FPD, Information Leakage

Leave a comment

Tags

, , , , , , , , , , , , , , , , , , , , , ,

hacker-security

CVE-2015-2214 – NetCat CMS Full Path Disclosure (Information Disclosure) Web Security Vulnerabilities


Exploit Title: CVE-2015-2214 NetCat CMS Full Path Disclosure Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 5.01 3.12

Advisory Publication: February 27, 2015

Latest Update: May 05, 2015

Vulnerability Type: Information Leak / Disclosure [CWE-200]

CVE Reference: CVE-2015-2214

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information

Credit and Writer: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Consultation Details:


(1) Vendor & Product Description:

Vendor:

NetCat


Product & Version:

NetCat

5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1


Vendor URL & Download:

NetCat can be accessed from here,

http://netcat.ru/


Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”


“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”


“We give a discount on any edition NetCat

We try to help our partners to enter into a close-knit team. To reduce your expenses on the development of a new system, we provide special conditions for the acquisition of commercial licenses NetCat, for a partner is assigned a permanent discount of 40%, which according to the results of further sales could be increased to 60%.”


“Teach your developers work with the secrets NetCat

In addition to the detailed documentation and video tutorials to new partners we offer a unique free service – direct contact with the developer from the team NetCat, which will help in the development of product development tools.”


“We give customers

Once you develop the three sites NetCat information about you appear in our ranking developers. This means that you not only begin to receive direct requests from clients but also become a member of tenders conducted by customers. In addition, if the partner is really good work, employees NetCat begin recommending it to clients requesting assistance in the choice of contractor.”


“We will help in the promotion of

The company is a regular participant NetCat large number of forums, seminars and conferences. We are happy to organize together with partners involved, help with advertising materials and share information for the report.”


“Confirmed its status in the eyes of customers

We have a very flexible system of certification of partners: we do not give certificates for the sale of licenses and for the developed sites. So, for example, to obtain a certificate “Development of corporate websites’ to add to your personal account three implementation of the appropriate type.”

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by information leakage attacks – Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software’s installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Netcat has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to important vulnerabilities.

(2.1) The first programming code flaw occurs at “&redirect_url” parameter in “netshop/post.php?” page.

References:

http://tetraph.com/security/full-path-disclosure-vulnerability/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/02/netcat-cms-full-path-disclosure.html

http://seclists.org/fulldisclosure/2015/Mar/8

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01740.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1645

http://lists.openwall.net/full-disclosure/2015/03/02/6

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142527117510514&w=2

http://marc.info/?l=full-disclosure&m=142527117510514&w=4

https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-full-path-disclosure-information-disclosure-security-vulnerabilities/

http://www.tetraph.com/blog/information-leakage-vulnerability/cve-2015-2214-netcat-cms-full-path-disclosure-information-disclosure-web-security-vulnerabilities/

http://essayjeans.blog.163.com/blog/static/2371730742015411113047382/

http://www.weibo.com/1644370627/ChjMoA9hD?type=comment#_rnd1431315096193

http://homehut.lofter.com/post/1d226c81_6eae13a

CVE-2015-2066 – DLGuard SQL Injection Web Security Vulnerabilities

12 Thursday Mar 2015

Posted by in 0day, CVE, SQL Injection

Leave a comment

Tags

, , , , , , , , , , , , , , , , , ,

Computer-VUlnerability-650x465

 

CVE-2015-2066 – DLGuard SQL Injection Web Security Vulnerabilities

Exploit Title: CVE-2015-2066 DLGuard /index.php c parameter SQL Injection Web Security Vulnerabilities

Product: DLGuard

Vendor: DLGuard

Vulnerable Versions: v4.5

Tested Version: v4.5

Advisory Publication: February 18, 2015

Latest Update: May 01, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: CVE-2015-2066

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Writer and Reporter: Wang Jing  [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)






Caution Details:

(1) Vendor & Product Description:

Vendor:

DLGuard

Product & Version:

DLGuard

v4.5

Vendor URL & Download:

DLGuard can be downloaded from here,

http://www.dlguard.com/dlginfo/index.php

Product Introduction Overview:

“DLGuard is a powerful, yet easy to use script that you simply upload to your website and then rest assured that your internet business is not only safe, but also much easier to manage, automating the tasks you just don’t have the time for.”

“DLGuard supports the three types, or methods, of sale on the internet:

<1>Single item sales (including bonus products!)

<2>Multiple item sales

<3>Membership websites”

“DLGuard is fully integrated with: PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, Click2Sell, Mal’s E-Commerce, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro, and even tracks your free product downloads. The DLGuard built-in Shopping Cart offers Paypal, Authorize.net, and 2Checkout payment options. The Membership areas allow Paypal, Clickbank, 2Checkout, and LinkPoint recurring billing as well as linking to any PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, E-Bullion, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro single sale and free products so that people who buy your products can access your members area. DLGuard is the perfect solution to secure your single sale item, such as a niche marketing website, software sales, ebook sales, and more! DLGuard not only protects your download page, but it makes setting up new products, or making changes to existing products so much quicker and easier than before.”


(2) Vulnerability Details:

DLGuard web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Several similar products vulnerabilities have been found by some other bug hunter researchers before. DLguard has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has phase, votes, comments and proposed details related to important vulnerabilities.

(2.1) The bug programming flaw vulnerability occurs at “&c” parameter in “index.php?” page.

 
 
 

References:

http://seclists.org/fulldisclosure/2015/Feb/69

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01703.html

https://progressive-comp.com/?a=139222176300014&r=1&w=1%E2%80%8B

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1607

http://lists.openwall.net/full-disclosure/2015/02/18/6

http://marc.info/?a=139222176300014&r=1&w=4

http://www.tetraph.com/blog/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://www.inzeed.com/kaleidoscope/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

https://plus.google.com/u/0/107140622279666498863/posts/44pDNaZao8v

https://inzeed.wordpress.com/2015/05/10/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://shellmantis.tumblr.com/post/118658089031/inzeed-cve-2015-2066-dlguard-sql-injection#notes

http://tetraphlike.lofter.com/post/1cf5a072_6ea70f7

http://russiapost.blogspot.ru/2015/05/cve-2015-2066-dlguard-sql-injection-web.html21

https://www.facebook.com/computersecurities/posts/375386899314769

http://blog.163.com/greensun_2006/blog/static/11122112201541193421290/

https://twitter.com/tetraphibious/status/597577800023838720

http://www.weibo.com/3973471553/Chj5OFIPk?from=page_1005053973471553_profile&wvr=6&mod=weibotime&type=comment#_rnd1431308778074

CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities

31 Wednesday Dec 2014

Posted by in Hacker Tech, Open Redirect, XSS

Leave a comment

Tags

, , , , , , , , , , , , , , , , ,

new-type-of-phishing-attack-goes-after-your-browser-tabs-86b683f537

 

CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities

 

Domain:
http://cnn.com

 

“The Cable News Network (CNN) is an American basic cable and satellite television channel that is owned by the Turner Broadcasting System division of Time Warner. The 24-hour cable news channel was founded in 1980 by American media proprietor Ted Turner. Upon its launch, CNN was the first television channel to provide 24-hour news coverage, and was the first all-news television channel in the United States. While the news channel has numerous affiliates, CNN primarily broadcasts from the Time Warner Center in New York City, and studios in Washington, D.C. and Los Angeles, its headquarters at the CNN Center in Atlanta is only used for weekend programming. CNN is sometimes referred to as CNN/U.S. to distinguish the American channel from its international sister network, CNN International. As of August 2010, CNN is available in over 100 million U.S. households. Broadcast coverage of the U.S. channel extends to over 890,000 American hotel rooms, as well as carriage on cable and satellite providers throughout Canada. Globally, CNN programming airs through CNN International, which can be seen by viewers in over 212 countries and territories. As of February 2015, CNN is available to approximately 96,289,000 cable, satellite and, telco television households (82.7% of households with at least one television set) in the United States.” (Wikipedia)

 

Discovered and Reported by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

Vulnerability Description:
CNN has a cyber security bug problem. It cab be exploited by XSS (Cross Site Scripting) and Open Redirect (Unvalidated Redirects and Forwards) attacks.

 

Based on news published, CNN users were hacked based on both Open Redirect and XSS vulnerabilities.

 

According to E Hacker News on June 06, 2013, (@BreakTheSec) came across a diet spam campaign that leverages the open redirect vulnerability in one of the top News organization CNN.

 

After the attack, CNN takes measures to detect Open Redirect vulnerabilities. The measure is quite good during the tests. Almost no links are vulnerable to Open Redirect attack on CNN’s website, now. It takes long time to find a new Open Redirect vulnerability that is un-patched on its website.

 

CNN.com was hacked by Open Redirect in 2013. While the XSS attacks happened in 2007.

 

 

<1> “The tweet apparently shows cyber criminals managed to leverage the open redirect security flaw in the CNN to redirect twitter users to the Diet spam websites.”

 

cnn_open_redirect_complain_meitu_1

Figure from ehackingnews.com

 

At the same time, the cybercriminals have also leveraged a similar vulnerability in a Yahoo domain to trick users into thinking that the links point to a trusted website.

 

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. CNN has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to XSS and URL Redirection vulnerabilities and cyber intelligence recommendations.

 

 

(1) CNN (cnn.com) Travel-City Related Links XSS (cross site scripting) Web Security Bugs

 

Domain:
travel.cnn.com/

 

Vulnerability Description:
The programming bug flaws occur at “/city/all” pages. All links under this URL are vulnerable to XSS attacks, e.g

 

XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results

  • Identity theft
  • Accessing sensitive or restricted information
  • Gaining free access to otherwise paid for content
  • Spying on user’s web browsing habits
  • Altering browser functionality
  • Public defamation of an individual or corporation
  • Web application defacement
  • Denial of Service attacks

 

The code programming flaw can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 7.

 

cnn_travel_xss

 

PoC:

http://travel.cnn.com/city/all/all/tokyo/all‘ /”><img src=x onerror=prompt(/justqdjing/)>

http://travel.cnn.com/city/all/all/bangkok/all‘ /”><img src=x onerror=prompt(/justqdjing/)>

 

 

(2) CNN cnn.com ADS Open Redirect Web Security Bug

 

Domain:
ads.cnn.com

 

Vulnerability Description:
The programming code flaw occurs at “event.ng” page with “&Redirect” parameter, i.e.

 

From OWASP, an open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

(2.1) Use the following tests to illustrate the scenario painted above.

 

The redirected webpage address is “http://webcabinet.tumblr.com/“. Suppose that this webpage is malicious.

 

Vulnerable URL:

 

POC:

 

Since CNN is well-known worldwide, this vulnerability can be used to do “Covert Redirect” attacks to other websites.

 

Those vulnerabilities were reported to CNN in early July by Contact from Here. But they are still not been patched yet.
http://edition.cnn.com/feedback/#cnn_FBKCNN_com

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2014/Dec/128
http://lists.openwall.net/full-disclosure/2014/12/29/6
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1395
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
http://securitypost.tumblr.com/post/107868680057/ithut-cnn-cnn-com-travel
http://ittechnology.lofter.com/post/1cfbf60d_5500df0
http://ithut.tumblr.com/post/120833062743/cnn-xss-url-redirection-bug
http://www.tetraph.com/blog/it-news/cnn-xss-url-redirect-bug/
https://biyiniao.wordpress.com/2015/01/08/cnn-xss-open-redirect-bug/
http://whitehatpost.blog.163.com/blog/static/24223205420155613753998/
https://plus.google.com/u/0/+wangfeiblackcookie/posts/bFkukxiUfXK
https://www.facebook.com/permalink.php?story_fbid=674936469318135
http://tetraph.blogspot.com/2015/06/cnn-xss-redirect-bug.html
http://diebiyi.com/articles/news/cnn-xss-url-redirect-bug/
https://twitter.com/yangziyou/status/607060937309159425
https://redysnowfox.wordpress.com/2014/12/31/cnn-xss-url-redirect-bug/
https://www.facebook.com/permalink.php?story_fbid=1043534509019886
http://whitehatpost.lofter.com/post/1cc773c8_7338196
http://securityrelated.blogspot.com/2014/12/cnn-cnncom-travel-xss-and

CVE-2014-7294 NYU Opensso Integration Open Redirect Security Vulnerability

24 Wednesday Dec 2014

Posted by in IT Security

Leave a comment

Tags

, , , , , , , , , , , , , , , , , , , , ,

computer-bug
Exploit Title: NYU Opensso Integration Logon Page url Parameter Open Redirect
Product: Opensso Integration
Vendor:NYU
Vulnerable Versions: 2.1 and probability prior
Tested Version: 2.1
Advisory Publication: DEC 29, 2014
Latest Update: DEC 29, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-7294
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

http://tetraph.blogspot.com/2015/02/cve-2014-7294-nyu-opensso-integration.html

CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

11 Thursday Dec 2014

Posted by in IT Security

Leave a comment

Tags

, , , , , , , , , , , , , , , , , , , , ,

cyber-defences-security
Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS
Product: SnipSnap
Vulnerable Versions: 0.5.2a  1.0b1  1.0b2
Tested Version: 0.5.2a  1.0b1  1.0b2
Advisory Publication: Jan 30, 2015
Latest Update: Jan 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9559
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]

76.3% WEATHER CHANNEL WEBSITE LINKS VULNERABLE TO REFLECTED CROSS-SITE SCRIPTING (XSS)

09 Tuesday Dec 2014

Posted by in IT News, IT Security, Web Technology

Leave a comment

Tags

, , , , , , , , , , , ,

binary_wireless_car_internet_street_speed_thinkstock-100438009-primary.idge
 

Popular Weather Channel web site (Weather.com) has been found to be vulnerable to a reflected Cross-Site Scripting flaw, according to security researcher Wang Jing’s research. The vulnerability lies in that Weather.com does not filter malicious script codes when constructing HTML tags with its URLs. This way, an attacker just adds a malicious script at the end of the URL and executes it.

“If The Weather Channel’s users were exploited, their Identity may be stolen,” Jing said via email. “At the same time, attackers may use the vulnerability to spy users’ habits, access sensitive information, alter browser functionality, perform denial of service attacks, etc.”

Wang Jing is a Ph.D student from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. He found that at list 76.3% of Weather Channel website links were vulnerable to XSS attacks. Attackers just need to add scripts at end of Weather Channel’s URLs. Then the scripts will be executed.

 

 

Related News:

http://www.scmagazine.com/the-weather-channels-website-found-vulnerable-to-xss-attacks/article/386010/

http://www.hotforsecurity.com/blog/weather-channel-web-site-vulnerable-to-reflected-cross-site-scripting-xss-10906.html

http://www.computerworld.com/article/2852502/weathercom-fixes-web-app-flaws.html

http://seclists.org/fulldisclosure/2014/Nov/89

http://packetstormsecurity.com/files/129288/weatherchannel-xss.txt

http://webcabinet.tumblr.com/post/116076287997/whitehatview-the-weather-channel-fixes-web-app

http://www.inzeed.com/kaleidoscope/xss-vulnerability/the-weather-channel-weather-com-almost-all-links-vulnerable-to-xss-attacks/

http://www.securitylab.ru/news/462524.php

http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8

http://www.tetraph.com/blog/it-news/weather-channel-xss/

https://www.facebook.com/websecuritiesnews/posts/699866823466824

https://itswift.wordpress.com/2014/12/01/76-3-weather-channel-xss-attacks/

https://www.secnews.gr/weather-channel-xss

 

Articles of New York Times Before 2013 May Vulnerable to XSS Attacks

21 Friday Nov 2014

Posted by in Computer Technology, Web Application, XSS

Leave a comment

Tags

, , , , , , , , , , ,

iPhone-iOS-Hacking-Masque

 

New York Times articles’ pages dated before 2013 may suffer from an XSS (Cross-site Scripting) vulnerability, according to the report posted by security researcher Wang Jing. Wang is a mathematics Ph.D student from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. He published his discovery in well-known security mail list Full Disclosure.

 

According to Wang, all pages before 2013 that contain buttons such as “PRINT”,”SINGLE PAGE”, “Page” and “NEXT PAGE” are affected by the XSS vulnerability. Meanwhile, the researcher also published a proof of concept video to prove the existence of the XSS flaw.

 

As of yet, there are no known cases of criminals exploiting the Times’ XSS issue in order to attack users. However, according to Wang, the threat is possible, and the New York Times has a big enough audience that an XSS attack, even via its older articles, could still affect a broad number of users. The affected New York Times articles are still indexed in Google search engines, and are still frequently hyperlinked in other articles.

 

However according to the researcher, New York Times has now a much safer mechanism, implemented sometime in 2013, that sanitizes all URLs sent to its server.

 

Cross-site scripting (XSS) vulnerabilities usually reside in web applications and can be used by attackers to modify the normal flow of the web page. A cybercriminal can use it easily to perform URL redirect, mine for victim’s browser details, session hijacking, phishing, or even steal cookies.

 

XSS issues are not entirely uncommon. So far we have seen that Google, Amazon, Microsoft, Yahoo and Facebook all had this kind issue reported.

 

 

Related News: