计算机网络技术

Web News, Technology, Science, etc

网络技术是从1990年代中期发展起来的新技术,它把互联网上分散的资源融为有机整体,实现资源的全面共享和有机协作,使人们能够透明地使用资源的整体能力并按需获取信息。

白帽子计算机安全:

IT 计算机信息网络安全技术:

Daily Mail Online Website XSS Cyber Security Zero-Day Vulnerability



Website Description:
“The Daily Mail is a British daily middle-market tabloid newspaper owned by the Daily Mail and General Trust. First published in 1896 by Lord Northcliffe, it is the United Kingdom’s second biggest-selling daily newspaper after The Sun. Its sister paper The Mail on Sunday was launched in 1982. Scottish and Irish editions of the daily paper were launched in 1947 and 2006 respectively. The Daily Mail was Britain’s first daily newspaper aimed at the newly-literate “lower-middle class market resulting from mass education, combining a low retail price with plenty of competitions, prizes and promotional gimmicks”, and was the first British paper to sell a million copies a day. It was at the outset a newspaper for women, the first to provide features especially for them, and as of the second-half of 2013 had a 54.77% female readership, the only British newspaper whose female readers constitute more than 50% of its demographic. It had an average daily circulation of 1,708,006 copies in March 2014. Between July and December 2013 it had an average daily readership of approximately 3.951 million, of whom approximately 2.503 million were in the ABC1 demographic and 1.448 million in the C2DE demographic. Its website has more than 100 million unique visitors per month.” (Wikipedia)

 

Domain Name:
http://www.dailymail.co.uk/

The Alexa rank of it is 93 on January 01 2015. It is one of the most popular websites in the United Kingdom.

 


 

(1) Vulnerability description:

Daily Mail has a security problem. Criminals can exploit it by XSS attacks.

The vulnerability occurs at “reportAbuseInComment.html?” page with “&commentId” parameter, i.e.
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=877038

 

 

POC Code:
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=”><img
src=x onerror=prompt(‘justqdjing’)>

The vulnerability can be attacked without user log in. Tests were performed on Mozilla Firefox (34.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in Windows 7.

 

Poc Video:
https://www.youtube.com/watch?v=Oig-ZrlJDf8&feature=youtu.be

 

Blog Detail:
http://tetraph.com/security/web-security/daily-mail-xss-bug/
http://securityrelated.blogspot.com/2015/10/daily-mail-online-website-xss-cyber.html
https://vulnerabilitypost.wordpress.com/2015/10/30/daily-mail-xss/

 

 


(2) What is XSS?
“Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner.” (Wikipedia)

 

 

 

(3) Vulnerability Disclosure:
This vulnerability has been patched.

 

 

 

Discoved and Disclosured By:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

 

 

Reference:
https://packetstormsecurity.com/files/134189/Daily-Mail-Unvalidated-Redirec
http://news.softpedia.com/news/the-telegraph-and-daily-mail-fix-xss
https://www.secnews.gr/dailymail_open_redirect_bug
http://whitehatview.tumblr.com/post/132726489926/daily-mail-xss
http://sys-secure.es/daily-mail-registration-page-unvalidated
http://itsecuritynews.info/tag/jing-wang/
http://itsecurity.lofter.com/post/1cfbf9e7_8d45d6b
http://computerobsess.blogspot.com/2015/11/daily-mail-xss.html
https://computertechhut.wordpress.com/2015/11/04/daily-mail-xss/
http://marc.info/?l=full-disclosure&m=144651836427184&w=4


日常生活點滴的記錄:

IT 计算机信息网络安全技术:

TeleGraph All Photo (Picture) Pages Have Been Vulnerable to XSS Cyber Attacks


Website Description:
http://www.telegraph.co.uk


"The Daily Telegraph is a British daily morning English-language broadsheet newspaper, published in London by Telegraph Media Group and distributed throughout the United Kingdom and internationally. The newspaper was founded by Arthur B. Sleigh in June 1855 as The Daily Telegraph and Courier, and since 2004 has been owned by David and Frederick Barclay. It had a daily circulation of 523,048 in March 2014, down from 552,065 in early 2013. In comparison, The Times had an average daily circulation of 400,060, down to 394,448. The Daily Telegraph has a sister paper, The Sunday Telegraph, that was started in 1961, which had circulation of 418,670 as of March 2014. The two printed papers currently are run separately with different editorial staff, but there is cross-usage of stories. News articles published in either, plus online Telegraph articles, may also be published on the Telegraph Media Group's www.telegraph.co.uk website, all under The Telegraph title." (From Wikipedia)



(1) Vulnerability Description:
Telegraph has a Web security bug problem. It is vulnerable to XSS attacks. In fact, all its photo pages are vulnerable to XSS (Cross-Site Scripting) vulnerabilities. Telegraph's picture pages use "&frame" as its parameter. All its web pages use "&frame" are vulnerable to the bugs. Those vulnerabilities have been patched now.



Examples of Vulnerable Links:
http://www.telegraph.co.uk/culture/culturepicturegalleries/10663967/The-worlds-most-spectacular-theatres.html?frame=2836095

http://www.telegraph.co.uk/property/investmentinproperty/10609314/For-sale-top-20-properties-ripe-for-investment.html?frame=2808162

http://www.telegraph.co.uk/foodanddrink/foodanddrinkpicturegalleries/9737226/Elephant-dung-coffee-Black-Ivory-beans-passed-through-the-animals-guts.html?frame=2424280

http://www.telegraph.co.uk/education/9487434/Graduate-jobs-Best-languages-to-study.html?frame=2314790

http://www.telegraph.co.uk/motoring/picturegalleries/10782171/The-20-best-cars-to-own-in-2014.html?frame=2890278



POC Code:
http://www.telegraph.co.uk/culture/culturepicturegalleries/10663967/The-worlds-most-spectacular-theatres.html?frame=2836095"><img src=x onerror=prompt('justqdjing')>

http://www.telegraph.co.uk/property/investmentinproperty/10609314/For-sale-top-20-properties-ripe-for-investment.html?frame=2808162"><img src=x onerror=prompt('justqdjing')>

http://www.telegraph.co.uk/foodanddrink/foodanddrinkpicturegalleries/9737226/Elephant-dung-coffee-Black-Ivory-beans-passed-through-the-animals-guts.html?frame=2424280"><img src=x onerror=prompt('justqdjing')>

http://www.telegraph.co.uk/education/9487434/Graduate-jobs-Best-languages-to-study.html?frame=2314790"><img src=x onerror=prompt('justqdjing')>

http://www.telegraph.co.uk/motoring/picturegalleries/10782171/The-20-best-cars-to-own-in-2014.html?frame=2890278"><img src=x onerror=prompt('justqdjing')>

The vulnerability can be attacked without user login. Tests were performed on Firefox (37.02) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 7. The bugs found by using CSXDS.



   


(2) XSS Description:
The description of XSS is: "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it." (OWSAP)


Poc Video:
https://www.youtube.com/watch?v=SqjlabJ1OzA&feature=youtu.be


Blog Details:
http://www.tetraph.com/security/website-test/telegraph-xss/
http://securityrelated.blogspot.com/2015/10/telegraph-xss-0day.html
https://vulnerabilitypost.wordpress.com/2015/10/30/telegraph-bug/



(3) Vulnerability Disclosure:
Those vulnerabilities are patched now.


Discoved and Disclosured By:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing




References:
http://lists.openwall.net/full-disclosure/2015/11/03/7
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2642
http://russiapost.blogspot.com/2015/11/telegraph-xss.html
https://itinfotechnology.wordpress.com/2015/11/01/telegraph-xss/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02682.html
https://cxsecurity.com/issue/WLB-2015110023
http://marc.info/?l=full-disclosure&m=144651821527165&w=4
http://germancast.blogspot.com/2015/11/telegraph-xss.html
http://itsecurity.lofter.com/post/1cfbf9e7_8d3ea9e
http://whitehatview.tumblr.com/post/132723700196/telegraph-xss
https://itswift.wordpress.com/2015/11/02/telegraph-xss/
http://seclists.org/fulldisclosure/2015/Nov/4



 

日常生活點滴的記錄:

IT 计算机信息网络安全技术:

白帽子计算机安全:

PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug


Exploit Title: PhotoPost PHP __utmz Cookie Stored XSS Web Security Vulnerability

Product: PhotoPost PHP

Vendor: PhotoPost

Vulnerable Versions: 4.8c  4.8.6  4.8.5  4.8.2  3.1.1  vB3

Tested Version: 4.8c  vB3

Advisory Publication: July 25, 2015

Latest Update: July 28, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)




Caution Details:


(1) Vendor & Product Description:


Vendor:

PhotoPost


Product & Vulnerable Versions:

PhotoPost PHP

4.8c  4.8.6  4.8.5  4.8.2  3.1.1  vB3


Vendor URL & Download:

Product can be obtained from here,

http://www.photopost.com/featuresphp.html


Product Introduction Overview:

"Your search to find the best photo gallery has led you to the most feature rich, best performing, and most widely used gallery available today. PhotoPost is the best way to offer your users the ability to upload, show off, share, discuss, and rate photos and videos on your site. We originally created PhotoPost in 2001 for TechIMO.com, our parent company's own tech discussion website with 2 Million forum posts and 200,000 users, and within weeks we were inundated with requests, so we decided to develop it into a product. Over the past 8 years, PhotoPost has undergone more than 100 "dot" updates by a team of expert developers to add features, tweak performance, and maximize stability. Always in high demand, PhotoPost has been purchased by a staggering 14,500 websites. PhotoPost is most popular amongst vBulletin forum owners. That's because we designed PhotoPost from the beginning to integrate efficiently with a website's existing vBulletin forum, offering users one integrated login and registration instead of two, stylesheet integration, and other enhancements. But what PhotoPost does well for vBulletin owners, it does equally well for those that wish to integrate a gallery with many other forum types, or to simply add a photo gallery to their website with no forum at all. "




(2) Vulnerability Details:

PhotoPost PHP web application has a computer security problem. Hackers can exploit it by XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. PhotoPost PHP has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to XSS vulnerabilities and cyber intelligence recommendations.


(2.1) The code flaw occurs at "|utmcct" parameter in "__utmz" Cookie.


For example, if a victim clicks the link below.

http://localhost/gallery/showphoto.php/photo/846/sort/'"><marquee><h1>test</h1></marquee><svg/onload=prompt(/tetraph/)>


The content of "__utmz" cookie will be the following:

__utma194200300.1295483682.1438243020.1438243020.1438245659.2

__utmc194200300

__utmz194200300.1438243020.1.1.utmccn=(referral)|utmcsr=mgs-on-track.com|utmcct=/gallery/showphoto.php/photo/846/sort/1%27%22%3E%3Cimg%20src=x%20onerror=alert%28%27tetraph%27%29%3E%3Cmarquee%3E%3Ch1%3Etest%3C/h1%3E%3C/marquee%3E|utmcmd=referral

__qcaP0-814178849-1438243024810

__utmb194200300

bbsessionhash1683dd3bd3edffbd8383db382f025eba

bblastvisit1438246612


So the malicious code can work in the user's browser for long time.


(2.2) Forum Integrations

"PhotoPost can optionally integrate as an add-on to an existing forum on your site, and we do this extremely well. PhotoPost is a perfect fit with a forum, because sharing and discussing photos within PhotoPost comes naturally for a forum community.


With our forum integration, your users will use their existing forum account to login to PhotoPost, without needing to register again and maintain a separate account. Additionally, we offer stylesheet integrations with several forums to easily setup your PhotoPost gallery to match your forum's look and feel, and with vBulletin 3.x we offer several additional enhancements."


Forum SoftwareUser LoginStylesheetsEnhanced*

vBulletin 5.x

vBulletin 4.x

vBulletin 3.x

Xenforo 1.x

UBBThreads 6.X

UBBThreads 7.X

InvisionBoard 1.0

InvisionBoard 2.0

InvisionBoard 3.0

FusionBB

MyBB 1.0

SMF 1.05 and up

SMF 2.0 and up

WowBB

e107

PHPBB 2.0

PHPBB 3.0

Wordpress 3.x

vBulletin 2.x

DCForums +

IkonBoard

Nuke

PostNuke

Mambo

XMB Forums


(Src: http://www.photopost.com/sites_frame.pl?http://www.photopost.com/photopost/adm-index.php)





References:
http://tetraph.com/security/xss-vulnerability/photopost-php/

http://computerobsess.blogspot.com/2015/07/photopost-php-48c-cookie
http://marc.info/?l=full-disclosure&m=143841053704734&w=4

http://lists.openwall.net/full-disclosure/2015/08/01/1
 
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2300
 
https://hackertopic.wordpress.com/2015/07/30/photopost-xss/
http://seclists.org/fulldisclosure/2015/Aug/0
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
http://en.hackdig.com/08/26974.htm
http://ithut.tumblr.com/post/125743980368/securitypost-photopost-php-48c-cookie-based
http://whitehatpost.blog.163.com/blog/static/24223205420157341741249/

   

日常生活點滴的記錄:

IT 计算机信息网络安全技术:

All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (Cross Site Scripting) Attacks



(1) Domain Description:
http://www.indiatimes.com



"The Times of India (TOI) is an Indian English-language daily newspaper. It is the third-largest newspaper in India by circulation and largest selling English-language daily in the world according to Audit Bureau of Circulations (India). According to the Indian Readership Survey (IRS) 2012, the Times of India is the most widely read English newspaper in India with a readership of 7.643 million. This ranks the Times of India as the top English daily in India by readership. It is owned and published by Bennett, Coleman & Co. Ltd. which is owned by the Sahu Jain family. In the Brand Trust Report 2012, Times of India was ranked 88th among India's most trusted brands and subsequently, according to the Brand Trust Report 2013, Times of India was ranked 100th among India's most trusted brands. In 2014 however, Times of India was ranked 174th among India's most trusted brands according to the Brand Trust Report 2014, a study conducted by Trust Research Advisory." (en.Wikipedia.org)




(2) Vulnerability description:
The web application indiatimes.com online website has a security problem. Hacker can exploit it by XSS bugs.


The code flaw occurs at Indiatimes's URL links. Indiatimes only filter part of the filenames in its website. All URLs under Indiatimes's "photogallery" and "top-llists" topics are affected. 


Indiatimes uses part of the links under "photogallery" and "top-llists" topics to construct its website content without any checking of those links at all. This mistake is very popular in nowaday websites. Developer is not security expert.


The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (26.0) in Ubuntu (12.04) and Microsoft IE (9.0.15) in Windows 7.




Discovered and Reported by:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/





Related Articles:
http://seclists.org/fulldisclosure/2014/Nov/91

http://germancast.blogspot.de/2015/06/all-links-in-two-diatimes.html

https://vulnerabilitypost.wordpress.com/2014/12/04/indiatimes-xss

http://whitehatview.tumblr.com/post/104310651681/times-of-india-website

http://www.tetraph.com/blog/computer-security/all-links-in-two-topics-xss

http://tetraph.blog.163.com/blog/static/234603051201501352218524/

http://www.techworm.net/2014/12/times-india-website-vulnerable-xss

https://cxsecurity.com/issue/WLB-2014120004

http://itprompt.blogspot.com/2014/12/times-of-india-to.html

 

CVE-2014-8753  Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities


Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: Cit-e-Access

Vendor: Cit-e-Net

Vulnerable Versions: Version 6

Tested Version: Version 6

Advisory Publication: February 12, 2015

Latest Update: June 01, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8753

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)




Instruction Details:

(1) Vendor & Product Description:

Vendor:

Cit-e-Net


Product & Version: 

Cit-e-Access

Version 6


Vendor URL & Download: 

Cit-e-Net can be downloaded from here,
https://www.cit-e.net/citeadmin/help/cntrainingmanualhowto.pdf
http://demo.cit-e.net/
http://www.cit-e.net/demorequest.cfm
http://demo.cit-e.net/Cit-e-Access/ServReq/?TID=1&TPID=17


Product Introduction:

"We are a premier provider of Internet-based solutions encompassing web site development and modular interactive e-government applications which bring local government, residents and community businesses together.

Cit-e-Net provides a suite of on-line interactive services to counties, municipalities, and other government agencies, that they in turn can offer to their constituents. The municipal government achieves a greater degree of efficiency and timeliness in conducting the daily operations of government, while residents receive improved and easier access to city hall through the on-line access to government services.


Our web-based applications can help your municipality to acheive its e-government goals. Type & click website content-management empowers the municipality to manage the website quickly and easily. Web page styles & formats are customizable by the municipality, and because the foundation is a database application, user security can be set for individual personnel and module applications. Our application modules can either be integrated into your existing municipal web site or implemented as a complete web site solution. It's your choice! Please contact us at info@cit-e.net to view a demonstration of our municipal web site solution if you are an elected official or member of municipal management and your municipality is looking for a cost efficient method for enhancing & improving municipal services. 


Interactive Applications

Online Service Requests

Online Tax Payments by ACH electronic-check or credit card.

Online Utility Payments by  ACH electronic-check or credit card.

Online General-Payments by ACH electronic-check or credit card.

Submit Volunteer Resume's Online for the municipality to match your skills with available openings."




(2) Vulnerability Details:

Cit-e-Access web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Several similar products 0Day vulnerabilities have been found by some other bug hunter researchers before. Cit-i-Access has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to important vulnerabilities and cyber intelligence.


(2.1) The first programming code flaw occurs at "/eventscalendar/index.cfm?" page with "&DID" parameter in HTTP GET.

(2.2) The second programming code flaw occurs at "/search/index.cfm?" page with "&keyword" parameter in HTTP POST.

(2.3) The third programming code flaw occurs at "/news/index.cfm" page with "&jump2" "&DID" parameter in HTTP GET.

(2.4) The fourth programming code flaw occurs at "eventscalendar?" page with "&TPID" parameter in HTTP GET.

(2.5) The fifth programming code flaw occurs at "/meetings/index.cfm?" page with "&DID" parameter in HTTP GET.





(3) Solutions:

Leave message to vendor. No response.
http://www.cit-e.net/contact.cfm





References:
http://seclists.org/fulldisclosure/2015/Feb/48
http://marc.info/?l=full-disclosure&m=142380271819297&w=4
https://packetstormsecurity.com/files/130392/Cit-e-Net-6
https://hackertopic.wordpress.com/2015/06/06/cve-2014-8753
https://www.facebook.com/permalink.php?story_fbid=746137642163648
http://mathswift.blogspot.com/2015/06/cve-2014-8753.html
http://inzeed.tumblr.com/post/120907933886/securitypost-cve-2014-8753
https://plus.google.com/u/0/100242269120759811496/posts/M5W1kShGpKr
https://twitter.com/essayjeans/status/607391837213458432
http://ittechnology.lofter.com/post/1cfbf60d_735a4d0
http://www.weibo.com/5099722551/Clqtl3zWs?from=page_1005055099722551
http://blog.163.com/greensun_2006/blog/static/11122112201557115414537/
http://japanbroad.blogspot.jp/2015/06/cve-2014-8753-cit-e-net
https://www.facebook.com/permalink.php?story_fbid=43609503322
http://whitehatpost.lofter.com/post/1cc773c8_73568f4
https://dailymem.wordpress.com/2015/06/06/cve-2014-8753
http://itinfotech.tumblr.com/post/120907872116/securitypost-cve-2014-8753
https://progressive-comp.com/?l=full-disclosure&m=142380271819297&w=1
http://www.tetraph.com/blog/xss-vulnerability/cve-2014-8753



数学日记:

IT 计算机信息网络安全技术:

About Group (about.com) All Topics (At least 99.88% links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com Open Redirect Web Security Vulnerabilities


Vulnerability Description:
About.com all “topic sites” are vulnerable to XSS (Cross-Site Scripting) and Iframe Injection (Cross Frame Scripting) attacks. This means all sub-domains of about.com are affected. Based on a self-written program, 94357 links were tested. Only 118 links do not belong to the topics (Metasites) links. Meanwhile, some about.com main pages are vulnerable to XSS attack, too. This means no more than 0.125% links are not affected. At least 99.875% links of About Group are vulnerable to XSS and Iframe Injection attacks. In fact, for about.com’s structure, the main domain is something just like a cover. So, very few links belong to them.

Simultaneously, the About.com main page’s search field is vulnerable to XSS attacks, too. This means all domains related to about.com are vulnerable to XSS attacks.

For the Iframe Injection vulnerability. They can be used to do DDOS (Distributed Denial-of-Service Attack) to other websites, too.
Here is one example of DDOS based on Iframe Injection attacks of others.
http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

In the last, some “Open Redirect” vulnerabilities related to about.com are introduced. There may be large number of other Open Redirect Vulnerabilities not detected. Since About.com are trusted by some the other websites. Those vulnerabilities can be used to do “Covert Redirect” to these websites.



Vulnerability Disclosure:
Those vulnerabilities were reported to About on Sunday, Oct 19, 2014. No one replied. Until now, they are still unpatched.



Vulnerability Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@Justqdjing)
http://www.tetraph.com/wangjing



(1) Some Basic Background

(1.1) Domain Description:
http://www.about.com/
http://www.alexa.com/siteinfo/about.com

“For March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month.” (The New York Times)

“About.com, also known as The About Group (formerly About Inc.), is an Internet-based network of content that publishes articles and videos about various subjects on its "topic sites,” of which there are nearly 1,000. The website competes with other online resource sites and encyclopedias, including those of the Wikimedia Foundation, and, for March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month. As of August 2012, About.com is the property of IAC, owner of Ask.com and numerous other online brands, and its revenue is generated by advertising.“ (Wikipedia)

"As of May 2013, About.com was receiving about 84 million unique monthly visitors.” (TechCrunch. AOL Inc.)

“According to About’s online media kit, nearly 1,000 "Experts” (freelance writers) contribute to the site by writing on various topics, including healthcare and travel.“ (About.com)



(1.2) Topics Related to About.com

"The Revolutionary About.com Directory and Community Metasite. Hundreds of real live passionate Guides covering Arts, Entertainment, Business, Industry, Science, Technology, Culture, Health, Fitness, Games,Travel, News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms, Education, Computers, Hobbies and Local Information.” (azlist.about.com)

About.com - Sites A to Z

Number of Topics

A: 66

B: 61

C: 118

D: 49

E: 33

F: 57

G: 39

H: 48

I: 32

J: 15

K: 13

L: 36

M: 70

N: 26

O: 23

P: 91

Q: 4

R: 32

S: 104

T: 47

U: 12

V: 9

W: 43

X: 1

Y: 4

Z: 1

SUM: 1039

Reference: azlist.about.com/

In fact, those are not all topics of about.com. Some of the topics are not listed here such as,
http://specialchildren.about.com

So, there are more than 1000 topics related to about.com.



(1.3) Result of Exploiting XSS Attacks

XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results:

   "Identity theft

   Accessing sensitive or restricted information

   Gaining free access to otherwise paid for content

   Spying on user’s web browsing habits

   Altering browser functionality

   Public defamation of an individual or corporation

   Web application defacement

   Denial of Service attacks (DOS)

“ (Acunetix)

… …




More:
http://seclists.org/fulldisclosure/2015/Feb/9





Related Articles:
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1547
http://marc.info/?l=full-disclosure&m=142289980219878&w=4
https://packetstormsecurity.com/files/130211/About.com-Cross-Site-Scripting.html
http://computerobsess.blogspot.com/2015/06/about-group-aboutcom-all-topics-at.html
https://www.facebook.com/computersecurities/posts/384674738385985
http://www.weibo.com/1644370627/Clk7CaKvL?from=page_1005051644370627
http://guyuzui.lofter.com/post/1ccdcda4_6f03224
https://twitter.com/yangziyou/status/607145647037284352
http://webtechhut.blogspot.com/2015/06/about-group-aboutcom-all-topics-at.html
https://computertechhut.wordpress.com/2015/02/02/about-group-about-com-
http://inzeed.tumblr.com/post/118845379331/securitypost-about-group-99-88-xss
https://www.facebook.com/permalink.php?story_fbid=1043670099006327
https://dailymem.wordpress.com/2015/02/11/about-group
http://mathdaily.lofter.com/post/1cc75b20_7340000
http://xingti.tumblr.com/post/120847740060/itinfotech-about-group-xss-xfs
http://diebiyi.com/articles/security/xss-vulnerability/about-group-xss-xrf-open-redirect/
http://www.tetraph.com/blog/xss-vulnerability/about-group-xss-xrf-open-redirect/


   

测试想法:

IT 计算机&信息网络 技术:

白帽子计算机安全:

CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities


Domain:
cnn.com


"The Cable News Network (CNN) is an American basic cable and satellite television channel that is owned by the Turner Broadcasting System division of Time Warner. The 24-hour cable news channel was founded in 1980 by American media proprietor Ted Turner. Upon its launch, CNN was the first television channel to provide 24-hour news coverage, and was the first all-news television channel in the United States. While the news channel has numerous affiliates, CNN primarily broadcasts from the Time Warner Center in New York City, and studios in Washington, D.C. and Los Angeles, its headquarters at the CNN Center in Atlanta is only used for weekend programming. CNN is sometimes referred to as CNN/U.S. to distinguish the American channel from its international sister network, CNN International. As of August 2010, CNN is available in over 100 million U.S. households. Broadcast coverage of the U.S. channel extends to over 890,000 American hotel rooms, as well as carriage on cable and satellite providers throughout Canada. Globally, CNN programming airs through CNN International, which can be seen by viewers in over 212 countries and territories. As of February 2015, CNN is available to approximately 96,289,000 cable, satellite and, telco television households (82.7% of households with at least one television set) in the United States." (Wikipedia)


Discovered and Reported by:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.  (@justqdjing)
http://www.tetraph.com/wangjing/



Vulnerability Description:
CNN has a cyber security bug problem. It cab be exploited by XSS (Cross Site Scripting) and Open Redirect (Unvalidated Redirects and Forwards) attacks.

Based on news published, CNN users were hacked based on both Open Redirect and XSS vulnerabilities.

According to E Hacker News on June 06, 2013, (@BreakTheSec) came across a diet spam campaign that leverages the open redirect vulnerability in one of the top News organization CNN.

After the attack, CNN takes measures to detect Open Redirect vulnerabilities. The measure is quite good during the tests. Almost no links are vulnerable to Open Redirect attack on CNN's website, now. It takes long time to find a new Open Redirect vulnerability that is un-patched on its website.

CNN.com was hacked by Open Redirect in 2013. While the XSS attacks happened in 2007.



<1> There are some tweets complaining about hacked with links from CNN.

At the same time, the cybercriminals have also leveraged a similar vulnerability in a Yahoo domain to trick users into thinking that the links point to a trusted website.


Yahoo Open Redirects Vulnerabilities:
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html





<2> CNN.com XSS hacked
http://seclists.org/fulldisclosure/2007/Aug/216


Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. CNN has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to XSS and URL Redirection vulnerabilities and cyber intelligence recommendations.



Detail:
http://seclists.org/fulldisclosure/2014/Dec/128




Related Articles:
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01507.html
https://packetstormsecurity.com/files/129754/cnn-xssredirect.txt
http://cxsecurity.com/issue/WLB-2014120196
https://progressive-comp.com/?l=full-disclosure&m=141988778706126&w=1
https://itinfotechnology.wordpress.com/2015/01/01/cnn-travel-cn
http://russiapost.blogspot.com/2015/06/cnn-travelcnncom-xss
https://www.facebook.com/permalink.php?story_fbid=745810602196352
http://www.weibo.com/5337321538/Clij19Krr?from=page_1005055337321538
https://plus.google.com/u/0/112682696109623633489/posts/TyipiFnULRj
http://webcabinet.tumblr.com/post/116075198227/ithut-cnn-cnn
http://mathdaily.lofter.com/post/1cc75b20_4f0a751
https://twitter.com/tetraphibious/status/607085555776561152
http://qianqiuxue.tumblr.com/post/120838173915/ithut-cnn-xss-url-redirection-bug
http://itprompt.blogspot.com/2015/06/cnn-travelcnncom-xss
https://www.facebook.com/permalink.php?story_fbid=891722397533572
http://tetraph.com/security/xss-vulnerability/cnn-xss-url-redirect-bug/
http://ittechnology.lofter.com/post/1cfbf60d_7338770
https://hackertopic.wordpress.com/2015/01/04/cnn-travel-cnn
http://www.inzeed.com/kaleidoscope/xss-vulnerability/cnn-xss-url-redirect-bug/



Green Life 的喜欢:

IT 计算机&信息网络 技术:

ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Web Security Vulnerabilities


Domain:
http://espn.go.com/


“ESPN (originally an acronym for Entertainment and Sports Programming Network) is a U.S.-based global cable and satellite television channel that is owned by ESPN Inc., a joint venture between The Walt Disney Company (which operates the network, through its 80% controlling ownership interest) and Hearst Corporation (which holds the remaining 20% interest). The channel focuses on sports-related programming including live and recorded event telecasts, sports news and talk shows, and other original programming.


ESPN broadcasts primarily from studio facilities located in Bristol, Connecticut. The network also operates offices in Miami, New York City, Seattle, Charlotte, and Los Angeles. John Skipper currently serves as president of ESPN, a position he has held since January 1, 2012. While ESPN is one of the most successful sports networks, it has been subject to criticism, which includes accusations of biased coverage, conflict of interest, and controversies with individual broadcasters and analysts. ESPN headquarters in Bristol, Connecticut. As of February 2015, ESPN is available to approximately 94,396,000 paid television households (81.1% of households with at least one television set) in the United States. In addition to the flagship channel and its seven related channels in the United States, ESPN broadcasts in more than 200 countries, operating regional channels in Australia, Brazil, Latin America and the United Kingdom, and owning a 20% interest in The Sports Network (TSN) as well as its five sister networks and NHL Network in Canada.”(Wikipedia)


Vulnerability description:
Espn.go.com has a cyber security bug problem. It is vulnerable to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open Redirect) attacks.


Those vulnerabilities are very dangerous. Since they happen at ESPN’s “login” & “register” pages that are credible. Attackers can abuse those links to mislead ESPN’s users. The success rate of attacks may be high.


During the tests, besides the links given above, large number of ESPN’s links are vulnerable to those attacks.


The programming code flaw occurs at “espn.go.com”’s “login?” & “register” pages with “redirect” parameter, i.e.

http://streak.espn.go.com/en/login?redirect=

https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com

http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=

https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/



Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 8.



Disclosed by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.  (@justqdjing)
http://www.tetraph.com/wangjing/





“The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to XSS and Open Redirect vulnerabilities and cyber intelligence recommendations.




(1) XSS Web Security Vulnerability
XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results

  • Identity theft

  • Accessing sensitive or restricted information

  • Gaining free access to otherwise paid for content

  • Spying on user’s web browsing habits

  • Altering browser functionality

  • Public defamation of an individual or corporation

  • Web application defacement

  • Denial of Service attacks




Detail:
http://seclists.org/fulldisclosure/2014/Dec/36




More Details:
http://lists.openwall.net/full-disclosure/2014/12/09/6
http://marc.info/?l=full-disclosure&m=141815942329008&w=4
https://packetstormsecurity.com/files/129450/espngocom-xssredirect.txt
http://inzeed.tumblr.com/post/118510896051/webcabinet-espn-are-suffering
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts/EdBhzmtNLts
https://www.facebook.com/pcwebsecurities/posts/701707826641804
https://hackertopic.wordpress.com/2014/12/17/espn-espn-go-com-
http://lifegreen.lofter.com/post/1cfbf37e_731a270
http://tetraph.blog.163.com/blog/static/234603051201555111422339/
http://frenchairing.blogspot.fr/2015/06/espn-espngocom-login-register-page-xss.html
http://webtech.lofter.com/post/1cd3e0d3_6e6902d
https://twitter.com/essayjeans/status/606833415166394368
https://www.facebook.com/tetraph/posts/1659649470921679
http://www.weibo.com/1644370627/Clc3JaGP7?from=page_1005051644370627
http://russiapost.blogspot.ru/2015/06/espn-espngocom-login-register-page-xss.html
http://ithut.tumblr.com/post/120779685303/inzeed-espn-xss-open-redirect
https://progressive-comp.com/?l=full-disclosure&m=141815942329008&w=1
http://www.inzeed.com/kaleidoscope/xss-vulnerability/espn-xss-open-redirect/


转载自:白帽子计算机安全

Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities




Domains Basics:
Alibaba Taobao, AliExpress, Tmall are the top three online shopping websites belonging to Alibaba.



Vulnerability Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/






(1) Domains Descriptions:
(1.1) Taobao

“Taobao is a Chinese website for online shopping similar to eBay and Amazon that is operated in China by Alibaba Group.” (Wikipedia)
“With around 760 million product listings as of March 2013, Taobao Marketplace is one of the world’s top 10 most visited websites according to Alexa. For the year ended March 31, 2013, the combined gross merchandise volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.” (Wikipedia)
Alexa ranking 9 at 10:40 am Thursday, 22 January 2015 (GMT+8).



(1.2) AliExpress
"Launched in 2010, AliExpress.com is an online retail service made up of mostly small Chinese businesses offering products to international online buyers. It is the most visited e-commerce website in Russia" (Wikipedia)



(1.3) Tmall
"Taobao Mall, is a Chinese-language website for business-to-consumer (B2C) online retail, spun off from Taobao, operated in the People's Republic of China by Alibaba Group. It is a platform for local Chinese and international businesses to sell brand name goods to consumers in mainland China, Hong Kong, Macau and Taiwan." (Wikipedia)



(2) Vulnerability descriptions:
Alibaba Taobao AliExpress Tmall online electronic shopping website has a cyber security bug problem. It can be exploited by XSS and Covert Redirect attacks. 



Detail:
http://seclists.org/fulldisclosure/2015/Jan/100





Related Articles:
http://marc.info/?l=full-disclosure&m=142196709216464&w=4

https://packetstormsecurity.com/files/130074/alibaba-xssredirect.txt

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01603.html

http://blog.163.com/greensun_2006/blog/static/1112211220155461411426/

http://japanbroad.blogspot.com/2015/06/alibaba-taobao-aliexpress-tmall-online.html

https://www.facebook.com/permalink.php?story_fbid=1042316725808331&id=922151957824809

https://plus.google.com/u/0/110001022997295385049/posts/95LnymyZJd9

http://germancast.blogspot.com/2015/06/alibaba-taobao-aliexpress-tmall-online.html

http://www.weibo.com/5099722551/Cl0FZAzlv?from=page_1005055099722551_profile&type=comment

https://www.facebook.com/computersecurities/posts/384148665105259

https://itinfotechnology.wordpress.com/2015/01/31/alibaba-taobao-aliexpress-tmall

https://twitter.com/tetraphibious/status/606402733185245184

http://webtech.lofter.com/post/1cd3e0d3_72d5d2f

http://webcabinet.tumblr.com/post/120682398002/alibaba-taobao-aliexpress-tmall-online

https://inzeed.wordpress.com/2015/01/29/alibaba-taobao-aliexpress