浮生半日 烟火红尘 一念清净 烈焰成池

BeautifulNature3-610x320_diebiyi

 

“半生漂泊,每一次雨打归舟”,浮生半日,烟火红尘,也说饮鸩不止渴,然终是一杯清茶洗过尘心,弦拨心上,山岚依如茶杯上的云烟。谁是谁别了三生三世的影,两吊钱赎回的旧梦遗风,谁还醉唱挽歌浅斟一盏薄情,清酒一壶就醉生梦死了时光。
 
苦雪烹茶安然度过世界末日,许多人和事都重生了,我想我也会忘了那只乌鸦在末日的方舟上几番徘徊,飞过无痕,狮子却说爱我就让全世界都知道。爱是一场荨麻 疹,容我再洗净铅华,待千帆过尽。这一别两宽心,各生新欢喜。太阳升起的时候,举目四方宿命繁星。如陈亦迅唱那首苦瓜:当你干杯再举箸,突然间相看莞尔, 某萧瑟晚秋深夜,忽而明了了,而黄叶便碎落。
 
时间很短,天涯很远。自当终有弱水替三千。今宵请你多珍重,方配这半世流离醉笑三千场离散河两岸,江湖相忘。这杯烈酒下肚,碎一地离殇亦无需你刻意唱一曲骊歌摆渡,烟草的味道,风会把它稀释掉。
 
麦田几次成熟容我焚香安静的难过,心怀感恩,祈福。
 
诗经里说:一月气聚,二月水谷,三月驼云,四月裂帛,五月袷衣,六月莲灿,七月兰浆,八月诗禅,九月浮槎,十月女泽,十一月乘衣归,十二月风雪客。微雨突袭的三月桃花春柳拂面的桥头,可有良人云里衣衫?四月裂帛裂了思,陌上花谢了,可徐徐归么?
 
孰说世间所有的相遇都是久别重逢,亦记得某年某月某日小北说:我可以留着你,也可以放任自由。
 
 
 

期:浮世流光,惜物恋人。一念清净,烈焰成池。
 
寸寸云文不成文,如果是伤了春悲了秋,写一路醉,哭一路歌,扯断心神,终亦忘却寒山。诗人,你如山的行囊里数
 
不尽的人间烟柳可载得起这坛醉生梦死?
 
烟水悠悠,淡酒一盏,十二月风雪客,同年同月同日刮着同个方向同样度数的风,都已不是当时。我想我是在待着一位故人,他还没有来,也许在来的路途上,我且沏好了茶,待着,如此 就好。

 
 
 

转载自蝶比翼美文:
http://diebiyi.com/articles/essay/shishi/

Advertisements

Youth – Beautiful of Whole Life Time

marguerite-729510_640_inzeed

 

Youth is not a time of life; it is a state of mind; it is not a matter of rosy cheeks, red lips and supple knees; it is a matter of the will, a quality of the imagination, a vigor of the emotions; it is the freshness of the deep springs of life.

 

Youth means a temperamental predominance of courage over timidity, of the appetite for adventure over the love of ease. This often exists in a man of 60 more than a boy of 20. Nobody grows old merely by a number of years. We grow old by deserting our ideals.

 

Years may wrinkle the skin, but to give up enthusiasm wrinkles the soul. Worry, fear, self-distrust bows the heart and turns the spirit back to dust.

 

Whether 60 or 16, there is in every human being’s heart the lure of wonders, the unfailing appetite for what’s next and the joy of the game of living. In the center of your heart and my heart, there is a wireless station; so long as it receives messages of beauty, hope, courage and power from man and from the infinite, so long as you are young.

 

When your aerials are down, and your spirit is covered with snows of cynicism and the ice of pessimism, then you’ve grown old, even at 20; but as long as your aerials are up, to catch waves of optimism, there’s hope you may die young at 80.

 

 

From:
http://www.inzeed.com/kaleidoscope/life/youth/

KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

 

Exploit Title: KnowledgeTree login.php &errorMessage parameter Reflected XSS Web Security Vulnerability

Product: Knowledge Tree Document Management System

Vendor: Knowledge Inc

Vulnerable Versions: OSS 3.0.3b

Tested Version: OSS 3.0.3b

Advisory Publication: August 22, 2015

Latest Update: August 31, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

knowledge_tree_page

 

 

knowledge tree_xss

 

 

 

 

Caution Details:

 

(1) Vendor & Product Description:

Vendor:

KnowledgeTree

 

Product & Vulnerable Versions:

Knowledge Tree Document Management System

OSS 3.0.3b

 

Vendor URL & Download:

Product can be obtained from here,
http://download.cnet.com/KnowledgeTree-Document-Management-System/3000-10743_4-10632972.html
http://www.knowledgetree.com/

 

Product Introduction Overview:

“KnowledgeTree is open source document management software designed for business people to use and install. Seamlessly connect people, ideas, and processes to satisfy all your collaboration, compliance, and business process requirements. KnowledgeTree works with Microsoft® Office®, Microsoft® Windows® and Linux®.”

 

 

 

 

(2) Vulnerability Details:

KnowledgeTree web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. KnowledgeTree has patched some of them. “Bugtraq is an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It is a high-volume mailing list, and almost all new vulnerabilities are discussed there.”. It has listed similar exploits, such as Bugtraq (Security Focus) 32920.

 

(2.1) The code flaw occurs at “&errorMessage” parameter in “login.php” page.

One similar bug is CVE-2008-5858. Its X-Force ID is 47529.

 

 

 

 

 

References:
http://seclists.org/oss-sec/2015/q3/458
http://tetraph.com/security/xss-vulnerability/knowledgetree-oss-3-0-3b-reflected-xss/
https://progressive-comp.com/?l=oss-security&m=144094021709472
https://infoswift.wordpress.com/2015/08/31/knowledge-tree-xss/
http://japanbroad.blogspot.jp/2015/08/knowledge-tree-bug-exploit.html
http://marc.info/?l=full-disclosure&m=144099659719456&w=4
http://tetraph.blog.163.com/blog/static/234603051201573144123156/
http://www.openwall.com/lists/oss-security/2015/08/30/2
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02446.html
http://itinfotech.tumblr.com/post/128016383831/knowledge-tree-xss
http://germancast.blogspot.com/2015/08/knowledge-tree-xss.html
http://permalink.gmane.org/gmane.comp.security.oss.general/17655
http://webtech.lofter.com/post/1cd3e0d3_806e1d4


 

关于山, 描写山的诗句 – 文中带山的经典古文

a-huge_hill-1514962

 

1.千山鸟飞绝,万径人踪灭。
(柳宗元:《江雪》)
2.白日依山尽,黄河入海流。
(王之涣:《登鹳雀楼》)
3.会当凌绝顶,一览众山小。
(杜甫:《望岳》)
4.国破山河在,城春草木深。
(杜甫:《春望》)
5.空山不见人,但闻人语响。
(王维:《鹿柴》)

 

6.明月出天山,苍茫云海间。
(李白:《关山月》)
7.相看两不厌,只有敬亭山。
(李白《独坐敬亭山》)
8.种豆南山下,草盛豆苗稀。
(陶渊明:《归园田居》)
9.西北望长安,可怜无数山。青山遮不住,毕竟东流去。
(辛弃疾:《菩萨蛮?书江西造口壁》)
10.不识庐山真面目,只缘身在此山中。
(苏轼:《题西林壁》)

 

11.山光悦鸟性,潭影空人心。
(常建:(题破山寺后禅院))
12.晚风拂柳笛声残,夕阳山外山。
(李叔同:《送别》)
13.无限山河泪,谁言天地宽。
(夏完淳:《别云间》)
14. 客路青山外,行舟绿水前。
( 王湾《次北故山下》)
15.飞来山上千寻塔,闻说鸡鸣见日升。
( 王安石《登飞来峰》)

 

16.山重水复疑无路,柳暗花明又一村。
(陆游:《游山西村》)
17.七八个星天外,两三点雨山前。
(辛弃疾〈西江月?夜行黄沙道中〉)
18.山回路转不见君,雪上空留马行处。
(岑参《白雪歌送武判官归京》)
19.两岸猿声啼不住,轻舟已过万重山。
(李白《早发白帝城》)
20.但使龙城飞将在,不教胡马度阴山。
(王昌龄《出塞》)

 

21.黄河远上白云间,一片孤城万仞山。
(王之涣《凉州词》)
22.采菊东篱下,悠然见南山。
(陶渊明:《饮酒》)
23.遥望洞庭山水色,白银盘里一青螺。
(刘禹锡:《望洞庭》)
24.青海长云暗雪山,孤城遥望玉门关。
(王昌龄《从军行》)
25.百川沸腾,山冢碎甭。高谷为岸,深谷为陵。
(《诗经》)

 

 

转载自 InZeed:
http://www.inzeed.com/kaleidoscope/essays/mountain/

有关于海的诗句 – 海纳百川 有容乃大

sea-2

 

1,白日依山尽,黄河入海流。——王之涣《登鹳鹊楼》

2,百川东到海,何时复西归?——乐府《长歌行》

3,乘风破浪会有时,直挂云帆济沧海。——李白《行路难》

4,春江潮水连海平,海上明月共潮生。——张若虚《春江花月夜》

5,大漠孤烟直,长河落日圆。——王维《使至塞上》

 

6,东临碣石,以观沧海。水何澹澹,山岛竦峙。——曹操《观沧海》

7,浮天沧海远,去世法舟轻。——钱起《送僧归日本》

8,俯首无齐鲁,东瞻海似杯。——李梦阳《泰山》

9,海内存知己,天涯若比邻。——王勃《送杜少府之任蜀州》

10,海日生残夜,江春入旧年。——王湾《次北固山下》

 

11,海上升明月,天涯共此时。——张九龄《望月怀古》

12,海水无风时,波涛安悠悠。——白居易《题海图屏风》

13,瀚海阑干百丈冰,愁云惨淡万里凝。——岑参《白雪歌送武判官归京》

14,君不见黄河之水天上来,奔流到海不复回。——李白《将进酒》

15,君不见走马川行雪海边,平沙莽莽黄入天。——岑参《走马川行奉送封大夫出师西征》

 

16,口衔山石细,心望海波平。——韩愈《精卫填海》

17,楼观沧海日,门对浙江潮。——宋之问《灵隐寺 》

18,茫茫东海波连天,天边大月光团圆。——黄遵宪《八月十五日夜太平洋舟中望月作歌》

19,三万里河东入海,五千仞岳上摩天。——陆游《秋夜将晓出篱门迎凉有感》

20,山水绕城春作涨,江涛入海夜通潮。——陈子澜《恩波桥诗》

 

21,小舟从此逝,江海寄余生。——苏轼《临江仙》

22,一雨纵横亘二洲,浪淘天地入东流。却余人物淘难尽,又挟风雷作远游。——梁启超《太平洋遇雨》

23,月下飞天镜,云生结海楼。——李白《渡荆门送别》

24,曾经沧海难为水,除却巫山不是云。——元稹《离思》

25,煮海之民何所营,妇无蚕织夫无耕。衣食之源太寥落,牢盆煮就汝轮征。柳永《煮海歌》

 

转载自 Tetraph:
http://www.tetraph.com/blog/articles/sea/

 

Sina Weibo OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

china

 

Sina Weibo OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

 

 

(1) Domain:
weibo.com

 

 

“Sina Weibo (NASDAQ: WB) is a Chinese microblogging (weibo) website. Akin to a hybrid of Twitter and Facebook, it is one of the most popular sites in China, in use by well over 30% of Internet users, with a market penetration similar to the United States’ Twitter. It was launched by SINA Corporation on 14 August 2009, and has 503 million registered users as of December 2012. About 100 million messages are posted each day on Sina Weibo. In March 2014, Sina Corporation announced a spinoff of Weibo as a separate entity and filed an IPO under the symbol WB. Sina retains 56.9% ownership in Weibo. The company began trading publicly on April 17, 2014. “Weibo” (微博) is the Chinese word for “microblog”. Sina Weibo launched its new domain name weibo.com on 7 April 2011, deactivating and redirecting from the old domain, t.sina.com.cn to the new one. Due to its popularity, the media sometimes directly uses “Weibo” to refer to Sina Weibo. However, there are other Chinese microblogging/weibo services including Tencent Weibo, Sohu Weibo and NetEase Weibo.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Weibo web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

(2.1) Vulnerability Detail:

Weibo’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Weibo.

 

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

 

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

 

The vulnerabilities occurs at page “oauth2/authorize?” with parameter “&redirect_uri”, e.g.
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [1]

 

Before acceptance of third-party application:

When a logged-in Weibo user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

 

If a user has not logged onto Weibo and clicks the URL ([1]) above, the same situation will happen upon login.

 

After acceptance of third-party application:

A logged-in Weibo user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

 

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 

 

(2.1.1) Weibo would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

 

Hence, a user could be redirected from Weibo to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Weibo directly. The number of Weibo’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

 

Before acceptance of the third-party application, Weibo’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

 

Once the user accepts the application, the attackers could completely bypass Weibo’s authentication system and attack more easily.

 

Used one of webpages for the following tests. The webpage is “https://biyiniao.wordpress.com/“. We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
cjcp.com.cn

 

Vulnerable URL in this domain:
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=sina&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

Vulnerable URL from Weibo that is related to cjcp.com.cn:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code

 

POC:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2F%3Fm%3Duser%26a%3DotherLogin%26type%3Dsina%26furl%3Dhttp%253A%252F%252Ftetraph.com%252Fessayjeans%252Fseasons%252F%2525E7%2525A5%2525AD%2525E6%252598%2525A5.html&response_type=code [2]

 

(2.2) Another method for attackers.


Attackers enter the following URL in browser,
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=sina&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

Then, attackers can get URL below,
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [3]

 

If users click URL [3], the same thing will happen as URL [2].

 

 

 

 

POC Video:
https://www.youtube.com/watch?v=eKozHxrk4js

 

 

Blog Detail:
http://tetraph.blogspot.com/2014/05/sina-weibo-oauth-20-covert-redirect.html

 

 



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

Related Articles:
http://diebiyi.com/articles/security/covert-redirect/sinas-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
http://tetraph.com/security/covert-redirect/sina-weibo-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
https://redysnowfox.wordpress.com/2014/08/02/sina-exploit/
http://qianqiuxue.tumblr.com/post/118901060925/itinfotech-covert#notes
http://webtechhut.blogspot.com/2014/07/sina-bug.html
https://twitter.com/yangziyou/status/614745661704015873
http://tetraph.blog.163.com/blog/static/2346030512014463356551/
http://biboying.lofter.com/post/1cc9f4f5_706b6c3
http://frenchairing.blogspot.fr/2014/07/sina-hacking.html
http://www.inzeed.com/kaleidoscope/covert-redirect/sina-weibo-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
https://biyiniao.wordpress.com/2014/06/07/sina-research/

 

 

==========

 

新浪 微博 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)





(1) 域名:
weibo.com

 

” 新浪微博是一个由新浪网推出,提供微型博客服务类的社交网站。用户可以通过网页、WAP页面、手机客户端、手机短信、彩信发布消息或上传图片。新浪可以把 微博理解为“微型博客”或者“一句话博客”。用户可以将看到的、听到的、想到的事情写成一句话,或发一张图片,通过电脑或者手机随时随地分享给朋友,一起 分享、讨论;还可以关注朋友,即时看到朋友们发布的信息” (百度百科)

 

 

(2) 漏洞描述:

新浪 微博 网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。

 

 

这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。


(2.1) 漏洞细节:
Weibo 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Weibo 对 OAuth 2.0 系统的 parameter “&redirect_uri“ 验证不够充分。可以用来构造对 Weibo 的 URL跳转 攻击。

与此同时,这个漏洞可以用下面的参数来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

“&response_type”=sensitive_info,token,code…

“&scope”=get_user_info%2Cadd_share…

 

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

漏洞地点 “oauth2/authorize?”,参数”&redirect_uri”, e.g.
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [1]

 

同意三方 App 前:

当一个已经登录的 Weibo 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&redirect_uri” 的 URL。


如果没有登录的 Weibo 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

同意三方 App 后:

已经登录的 Weibo 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

如果 Weibo 用户没有登录,攻击依然可以在要求他登录的Weibo的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)。

 


(2.1.1) Weibo 一般会允许属于已被验证过得三方 App domain 的所有 URLs。 然而,这些 URLs 可以被操控。比如,参数 “&redirect_uri” 是被三方 App 设置的,但攻击者可以修改此参数的值。

 

因此,Weibo 用户意识不到他会被先从 Weibo 跳转到第三方 App 的网页,然后从此网页跳转到有害的网页。这与从 Weibo 直接跳转到有害网页是一样的。

 

因为 Weibo 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

在同意三方 App 之前,Weibo 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

同意三方 App 后, 攻击者可以完全绕过 Weibo 的 URL跳转 验证系统。

 

 

用了一个页面进行了测试, 页面是 “http://tetraphlike.lofter.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

 

下面是一个有漏洞的三方 domain:
cjcp.com.cn

 

 

这个 domain 有漏洞的 URL:
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=Weibo&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A2%258E%25E5%25A4%258F.html

 

 

Weibo 与 cjcp.com.cn 有关的有漏洞的 URL:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code

 

 

POC:
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2F%3Fm%3Duser%26a%3DotherLogin%26type%3Dsina%26furl%3Dhttp%253A%252F%252Ftetraph.com%252Fessayjeans%252Fseasons%252F%2525E7%2525A5%2525AD%2525E6%252598%2525A5.html&response_type=code [2]

 

 



(2.2) 攻击的另一个方法.


攻击者在浏览器输入 URL,
http://uc.cjcp.com.cn/?m=user&a=otherLogin&type=sina&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Fseasons%2F%25E7%25A5%25AD%25E6%2598%25A5.html

 

然后,攻击者可以得到 URL,
https://api.weibo.com/oauth2/authorize?client_id=2021435350&redirect_uri=http%3A%2F%2Fuc.cjcp.com.cn%2Findex.php%3Fm%3DUser%26a%3Dcallback%26type%3Dsina&response_type=code [3]

 

如果用户点击 URL [3], 发生的事情和 URL [2] 一样.

 

 




(2.3)下面的 URLs 有同样的漏洞.
https://api.t.sina.com.cn/oauth2/authorize?client_id=496934491&redirect_uri=http%3A%2F%2Fwww.paidai.com%2Fsiteuser%2Foauth_sina.php%3Ffrom%3Dweibo&response_type=code

 

 

POC 视频:
https://www.youtube.com/watch?v=eKozHxrk4js

 

 

博客细节:
http://tetraph.blogspot.com/2014/05/sina-weibo-oauth-20-covert-redirect.html

 

 

 

 

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。它的 scipID ID 是 13185; OSVDB ID 是 106567; Bugtraq ID 是 67196; X-Force ID 是 93031。

 

 

 

 



eBay Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

ebay-logo

eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

(1) WebSite:
ebay.com



“eBay Inc. (stylized as ebay, formerly eBay) is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multi-billion dollar business with operations localized in over thirty countries.

 

The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include “Buy It Now” shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services.” (Wikipedia)

 



(2) Vulnerability Description:

eBay web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability occurs at “ebay.com/rover” page with “&mpre” parameter, i.e.

http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602&itemid=370825182102&mpre=http://www.google.com

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.


 

 

 

(2.1) When a user is redirected from eBay to another site, eBay will check whether the redirected URL belongs to domains in eBay’s whitelist, e.g.
google.com

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from eBay to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from eBay directly.

 

One of the vulnerable domain is,
http://googleads.g.doubleclick.net (Google’s Ad system)

 

 

 

(2.2) Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. We can suppose that this webpage is malicious.

 

Vulnerable URL:

POC:

 

 

Poc Video:
https://www.youtube.com/watch?v=a4H-u17Y9ks

 

Blog Detail:
http://securityrelated.blogspot.com/2014/11/ebay-covert-redirect-vulnerability.html



 

 



(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/