计算机网络技术

Web News, Technology, Science, etc

网络技术是从1990年代中期发展起来的新技术,它把互联网上分散的资源融为有机整体,实现资源的全面共享和有机协作,使人们能够透明地使用资源的整体能力并按需获取信息。

日常生活點滴的記錄:

IT 计算机信息网络安全技术:

白帽子计算机安全:

PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug


Exploit Title: PhotoPost PHP __utmz Cookie Stored XSS Web Security Vulnerability

Product: PhotoPost PHP

Vendor: PhotoPost

Vulnerable Versions: 4.8c  4.8.6  4.8.5  4.8.2  3.1.1  vB3

Tested Version: 4.8c  vB3

Advisory Publication: July 25, 2015

Latest Update: July 28, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)




Caution Details:


(1) Vendor & Product Description:


Vendor:

PhotoPost


Product & Vulnerable Versions:

PhotoPost PHP

4.8c  4.8.6  4.8.5  4.8.2  3.1.1  vB3


Vendor URL & Download:

Product can be obtained from here,

http://www.photopost.com/featuresphp.html


Product Introduction Overview:

"Your search to find the best photo gallery has led you to the most feature rich, best performing, and most widely used gallery available today. PhotoPost is the best way to offer your users the ability to upload, show off, share, discuss, and rate photos and videos on your site. We originally created PhotoPost in 2001 for TechIMO.com, our parent company's own tech discussion website with 2 Million forum posts and 200,000 users, and within weeks we were inundated with requests, so we decided to develop it into a product. Over the past 8 years, PhotoPost has undergone more than 100 "dot" updates by a team of expert developers to add features, tweak performance, and maximize stability. Always in high demand, PhotoPost has been purchased by a staggering 14,500 websites. PhotoPost is most popular amongst vBulletin forum owners. That's because we designed PhotoPost from the beginning to integrate efficiently with a website's existing vBulletin forum, offering users one integrated login and registration instead of two, stylesheet integration, and other enhancements. But what PhotoPost does well for vBulletin owners, it does equally well for those that wish to integrate a gallery with many other forum types, or to simply add a photo gallery to their website with no forum at all. "




(2) Vulnerability Details:

PhotoPost PHP web application has a computer security problem. Hackers can exploit it by XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. PhotoPost PHP has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to XSS vulnerabilities and cyber intelligence recommendations.


(2.1) The code flaw occurs at "|utmcct" parameter in "__utmz" Cookie.


For example, if a victim clicks the link below.

http://localhost/gallery/showphoto.php/photo/846/sort/'"><marquee><h1>test</h1></marquee><svg/onload=prompt(/tetraph/)>


The content of "__utmz" cookie will be the following:

__utma194200300.1295483682.1438243020.1438243020.1438245659.2

__utmc194200300

__utmz194200300.1438243020.1.1.utmccn=(referral)|utmcsr=mgs-on-track.com|utmcct=/gallery/showphoto.php/photo/846/sort/1%27%22%3E%3Cimg%20src=x%20onerror=alert%28%27tetraph%27%29%3E%3Cmarquee%3E%3Ch1%3Etest%3C/h1%3E%3C/marquee%3E|utmcmd=referral

__qcaP0-814178849-1438243024810

__utmb194200300

bbsessionhash1683dd3bd3edffbd8383db382f025eba

bblastvisit1438246612


So the malicious code can work in the user's browser for long time.


(2.2) Forum Integrations

"PhotoPost can optionally integrate as an add-on to an existing forum on your site, and we do this extremely well. PhotoPost is a perfect fit with a forum, because sharing and discussing photos within PhotoPost comes naturally for a forum community.


With our forum integration, your users will use their existing forum account to login to PhotoPost, without needing to register again and maintain a separate account. Additionally, we offer stylesheet integrations with several forums to easily setup your PhotoPost gallery to match your forum's look and feel, and with vBulletin 3.x we offer several additional enhancements."


Forum SoftwareUser LoginStylesheetsEnhanced*

vBulletin 5.x

vBulletin 4.x

vBulletin 3.x

Xenforo 1.x

UBBThreads 6.X

UBBThreads 7.X

InvisionBoard 1.0

InvisionBoard 2.0

InvisionBoard 3.0

FusionBB

MyBB 1.0

SMF 1.05 and up

SMF 2.0 and up

WowBB

e107

PHPBB 2.0

PHPBB 3.0

Wordpress 3.x

vBulletin 2.x

DCForums +

IkonBoard

Nuke

PostNuke

Mambo

XMB Forums


(Src: http://www.photopost.com/sites_frame.pl?http://www.photopost.com/photopost/adm-index.php)





References:
http://tetraph.com/security/xss-vulnerability/photopost-php/

http://computerobsess.blogspot.com/2015/07/photopost-php-48c-cookie
http://marc.info/?l=full-disclosure&m=143841053704734&w=4

http://lists.openwall.net/full-disclosure/2015/08/01/1
 
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2300
 
https://hackertopic.wordpress.com/2015/07/30/photopost-xss/
http://seclists.org/fulldisclosure/2015/Aug/0
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
http://en.hackdig.com/08/26974.htm
http://ithut.tumblr.com/post/125743980368/securitypost-photopost-php-48c-cookie-based
http://whitehatpost.blog.163.com/blog/static/24223205420157341741249/

   

日常生活點滴的記錄:

IT 计算机信息网络安全技术:

All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (Cross Site Scripting) Attacks



(1) Domain Description:
http://www.indiatimes.com



"The Times of India (TOI) is an Indian English-language daily newspaper. It is the third-largest newspaper in India by circulation and largest selling English-language daily in the world according to Audit Bureau of Circulations (India). According to the Indian Readership Survey (IRS) 2012, the Times of India is the most widely read English newspaper in India with a readership of 7.643 million. This ranks the Times of India as the top English daily in India by readership. It is owned and published by Bennett, Coleman & Co. Ltd. which is owned by the Sahu Jain family. In the Brand Trust Report 2012, Times of India was ranked 88th among India's most trusted brands and subsequently, according to the Brand Trust Report 2013, Times of India was ranked 100th among India's most trusted brands. In 2014 however, Times of India was ranked 174th among India's most trusted brands according to the Brand Trust Report 2014, a study conducted by Trust Research Advisory." (en.Wikipedia.org)




(2) Vulnerability description:
The web application indiatimes.com online website has a security problem. Hacker can exploit it by XSS bugs.


The code flaw occurs at Indiatimes's URL links. Indiatimes only filter part of the filenames in its website. All URLs under Indiatimes's "photogallery" and "top-llists" topics are affected. 


Indiatimes uses part of the links under "photogallery" and "top-llists" topics to construct its website content without any checking of those links at all. This mistake is very popular in nowaday websites. Developer is not security expert.


The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (26.0) in Ubuntu (12.04) and Microsoft IE (9.0.15) in Windows 7.




Discovered and Reported by:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/





Related Articles:
http://seclists.org/fulldisclosure/2014/Nov/91

http://germancast.blogspot.de/2015/06/all-links-in-two-diatimes.html

https://vulnerabilitypost.wordpress.com/2014/12/04/indiatimes-xss

http://whitehatview.tumblr.com/post/104310651681/times-of-india-website

http://www.tetraph.com/blog/computer-security/all-links-in-two-topics-xss

http://tetraph.blog.163.com/blog/static/234603051201501352218524/

http://www.techworm.net/2014/12/times-india-website-vulnerable-xss

https://cxsecurity.com/issue/WLB-2014120004

http://itprompt.blogspot.com/2014/12/times-of-india-to.html