CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

cit_e_net
 

CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: Cit-e-Access

Vendor: Cit-e-Net

Vulnerable Versions: Version 6

Tested Version: Version 6

Advisory Publication: February 12, 2015

Latest Update: June 01, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8753

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

Instruction Details:

(1) Vendor & Product Description:




Vendor:

Cit-e-Net

 

 

Product & Version:

Cit-e-Access

Version 6

 

 

Vendor URL & Download:

Cit-e-Net can be downloaded from here,

 

 

Product Introduction:

“We are a premier provider of Internet-based solutions encompassing web site development and modular interactive e-government applications which bring local government, residents and community businesses together.

Cit-e-Net provides a suite of on-line interactive services to counties, municipalities, and other government agencies, that they in turn can offer to their constituents. The municipal government achieves a greater degree of efficiency and timeliness in conducting the daily operations of government, while residents receive improved and easier access to city hall through the on-line access to government services.


Our web-based applications can help your municipality to acheive its e-government goals. Type & click website content-management empowers the municipality to manage the website quickly and easily. Web page styles & formats are customizable by the municipality, and because the foundation is a database application, user security can be set for individual personnel and module applications. Our application modules can either be integrated into your existing municipal web site or implemented as a complete web site solution. It’s your choice! Please contact us at info@cit-e.net to view a demonstration of our municipal web site solution if you are an elected official or member of municipal management and your municipality is looking for a cost efficient method for enhancing & improving municipal services.


Interactive Applications

Online Service Requests

Online Tax Payments by ACH electronic-check or credit card.

Online Utility Payments by ACH electronic-check or credit card.

Online General-Payments by ACH electronic-check or credit card.

Submit Volunteer Resume’s Online for the municipality to match your skills with available openings.”

 

 

 

(2) Vulnerability Details:

Cit-e-Access web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several similar products 0Day vulnerabilities have been found by some other bug hunter researchers before. Cit-i-Access has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to important vulnerabilities.

 

 

(2.1) The first programming code flaw occurs at “/eventscalendar/index.cfm?” page with “&DID” parameter in HTTP GET.

(2.2) The second programming code flaw occurs at “/search/index.cfm?” page with “&keyword” parameter in HTTP POST.

(2.3) The third programming code flaw occurs at “/news/index.cfm” page with “&jump2” “&DID” parameter in HTTP GET.

(2.4) The fourth programming code flaw occurs at “eventscalendar?” page with “&TPID” parameter in HTTP GET.

(2.5) The fifth programming code flaw occurs at “/meetings/index.cfm?” page with “&DID” parameter in HTTP GET.

 

 

 

 

(3) Solutions:

Leave message to vendor. No response.
http://www.cit-e.net/contact.cfm

 

 

 

 

 

References:
http://seclists.org/fulldisclosure/2015/Feb/48
http://lists.openwall.net/full-disclosure/2015/02/13/2
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1587
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01683.html
https://computerpitch.wordpress.com/2015/06/07/cve-2014-8753/
http://webtechhut.blogspot.com/2015/06/cve-2014-8753.html
https://www.facebook.com/websecuritiesnews/posts/804176613035844
https://twitter.com/tetraphibious/status/607381197077946368
http://biboying.lofter.com/post/1cc9f4f5_7356826
http://shellmantis.tumblr.com/post/120903342496/securitypost-cve-2014-8753
http://itprompt.blogspot.com/2015/06/cve-2014-8753.html
http://whitehatpost.blog.163.com/blog/static/24223205420155710559404/
https://plus.google.com/u/0/113115469311022848114/posts/FomMK9BGGx2
https://www.facebook.com/pcwebsecurities/posts/702290949916825
http://securitypost.tumblr.com/post/120903225352/cve-2014-8753-cit-e-net
http://webtech.lofter.com/post/1cd3e0d3_7355910
http://www.inzeed.com/kaleidoscope/cves/cve-2014-8753/
http://diebiyi.com/articles/security/cve-2014-8753/

 

 

 

CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

cybernewsalerts

 

CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

 

Exploit Title: InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: InstantForum.NET

Vendor: InstantASP

Vulnerable Versions: v4.1.3   v4.1.1   v4.1.2   v4.0.0   v4.1.0   v3.4.0

Tested Version: v4.1.3   v4.1.1   v4.1.2

Advisory Publication: February 18, 2015

Latest Update: April 05, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9468

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 
 
 
 

Preposition Details:

(1) Vendor & Product Description:

Vendor:

InstantASP


 

Product & Version:

InstantForum.NET

v4.1.3   v4.1.1   v4.1.2   v4.0.0   v4.1.0   v3.4.0

 

Vendor URL & Download:

InstantForum.NET can be purchased from here,

http://docs.instantasp.co.uk/InstantForum/default.html?page=v413tov414guide.html

 

Product Introduction Overview:

“InstantForum.NET is a feature rich, ultra high performance ASP.NET & SQL Server discussion forum solution designed to meet the needs of the most demanding online communities or internal collaboration environments. Now in the forth generation, InstantForum.NET has been completely rewritten from the ground-up over several months to introduce some truly unique features & performance enhancements.”


“The new administrator control panel now offers the most comprehensive control panel available for any ASP.NET based forum today. Advanced security features such as role based permissions and our unique Permission Sets feature provides unparalleled configurable control over the content and features that are available to your users within the forum. Moderators can easily be assigned to specific forums with dedicated moderator privileges for each forum. Bulk moderation options ensure even the busiest forums can be managed effectively by your moderators.”


“The forums template driven skinning architecture offers complete customization support. Each skin can be customized to support a completely unique layout or visual appearance. A single central style sheet controls every aspect of a skins appearance. The use of unique HTML wrappers and ASP.NET 1.1 master pages ensures page designers can easily integrate an existing design around the forum. Skins, wrappers & master page templates can be applied globally to all forums or to any specific forum.”

 
 

(2) Vulnerability Details:

InstantForum.NET web application has a cyber security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. InstantForum has patched some of them. BugScan is the first community-based scanner, experienced five code refactoring. It has redefined the concept of the scanner provides sources for the latest info-sec news, tools, and advisories. It also publishs suggestions, advisories, cyber intelligence, attack defense and solutions details related to important vulnerabilities.

 

(2.1) The first programming code flaw occurs at “&SessionID” parameter in “Join.aspx?” page.


(2.2) The second programming code flaw occurs at “&SessionID” parameter in “Logon.aspx?” page.

 
 
 
 

References:

https://tetraph.wordpress.com/2015/05/13/cve-2014-9468/

http://whitehatview.tumblr.com/post/118853357881/tetraph-cve-2014-9468-instantasp

CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities

computer2

 

CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities
 

Exploit Title: vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: vBulletin Forum

Vendor: vBulletin

Vulnerable Versions: 5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4

Tested Version: 5.1.3 4.2.2

Advisory Publication: February 12, 2015

Latest Update: February 26, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9469

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Writer and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

Preposition Details:

(1) Vendor & Product Description:

Vendor:

vBulletin

 

Product & Version:

vBulletin Forum

5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4

 
Vendor URL & Download:

vBulletin can be acquired from here,

 

Product Introduction Overview:

“vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server.”

Since the initial release of the vBulletin forum product in 2000, there have been many changes and improvements. Below is a list of the major revisions and some of the changes they introduced. The current production version is 3.8.7, 4.2.2, and 5.1.3.

Simplified site set up and customization

The new Site Builder makes it easier than ever to build and manage a site. Customizable page templates, drag-and-drop configuration and in-line site editing simplify page layout. A variety of design themes can be easily selected.
Dynamic tools for content discovery

Customizable content modules provide enhanced content discovery, engaging users into deeper site visits. The vBulletin search has been re-architected to significantly improve the quality of its results, further facilitating content discovery.
Sleek new UI features activity stream and increased social engagement

Improved social functionality includes groups, new user profiles, comments functionality, an integrated messaging hub, social content curation, real-time updates and more.
Expanded photo and video capabilities

The new interface invites users to quickly post photos and video, expanding content on vBulletin sites. This media is then leveraged by being better integrated with the rest of a site’s content. User profiles provide an engaging aggregation of all media posted by them.
Category-leading mobile optimization

The integrated mobile-optimized version ensures smartphone visitors will stay longer and return.
Robust architecture

Improved architecture provides better performance and easier customization

Built-in SEO helps maximize search traffic

Easy-to-use upgrader tool available for vBulletin 3 and 4 sites, plus importer for sites on other forum software”

 

 

(2) Vulnerability Details:

vBulletin web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. vBulletion has patched some of them. Gmane (pronounced “mane”) is an e-mail to news gateway. It allows users to access electronic mailing lists as if they were Usenet newsgroups, and also through a variety of web interfaces. Gmane is an archive; it never expires messages (unless explicitly requested by users). Gmane also supports importing list postings made prior to a list’s inclusion on the service. It has published suggestions, advisories, solutions related to important vulnerabilities.

(2.1) The programming code flaw occurs at “forum/help” page. Add “hash symbol” first. Then add script at the end of it.

 

 

 
 
 

References:

https://www.facebook.com/permalink.php?story_fbid=880689078636904&id=825031907535955&__mref=message_bubble

http://shellmantis.tumblr.com/post/118777939056/lifegrey-cve-2014-9469-vbulletin-xss#notes

http://testingcode.lofter.com/post/1cd26eb9_6eec951

https://www.facebook.com/permalink.php?story_fbid=661392814005834&id=594347777377005&__mref=message_bubble

http://tetraph.blogspot.com/2015/05/cve-2014-9469-vbulletin-xss-cross-site.html

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2014-9469-vbulletin-xss/

https://www.facebook.com/computersecurities/posts/375780759275383?
http://tetraph.lofter.com/post/1cc758e0_6eeac27

https://plus.google.com/102963385033389079817/posts/1ACxSMZYmCS

http://computerobsess.blogspot.com/2015/05/cve-2014-9469-vbulletin-xss-cross-site.html

https://twitter.com/justqdjing/status/598116948245807105

 

 

 

 

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

101770458-497953315.530x298

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities



Exploit Title: CVE-2015-2349 – SuperWebMailer /defaultnewsletter.php” HTMLForm Parameter XSS Web Security Vulnerabilities

Product: SuperWebMailer

Vendor: SuperWebMailer

Vulnerable Versions: 5.*.0.*   4.*.0.*

Tested Version: 5.*.0.*   4.*.0.*

Advisory Publication: March 11, 2015

Latest Update: May 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-2349

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)








Information Details:



(1) Vendor & Product Description:



Vendor:

SuperWebMailer




Product & Vulnerable Versions:

SuperWebMailer

5.60.0.01190

5.50.0.01160

5.40.0.01145

5.30.0.01123

5.20.0.01113

5.10.0.00982

5.05.0.00970

5.02.0.00965

5.00.0.00962

4.50.0.00930

4.40.0.00917

4.31.0.00914

4.30.0.00907

4.20.0.00892

4.10.0.00875



Vendor URL & Download:

SuperWebMailer can be gained from here,

http://www.superwebmailer.de/




Product Introduction Overview:

“Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing.”


“To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm.”


“It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant”






(2) Vulnerability Details:

SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. 



Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.


(2.1) The programming code flaw occurs at “&HTMLForm” parameter in “defaultnewsletter.php?” page.










Related Work:

http://seclists.org/fulldisclosure/2015/Mar/55

http://www.securityfocus.com/bid/73063

http://lists.openwall.net/full-disclosure/2015/03/07/3

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819

http://packetstormsecurity.com/files/131288/ECE-Projects-Cross-Site-Scripting.html

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2

https://cxsecurity.com/issue/WLB-2015030043

http://aibiyi.lofter.com/post/1cc9f4e9_6edf9bf

http://tetraph.tumblr.com/post/118764414962/canghaixiao-cve-2015-2349-superwebmailer

http://canghaixiao.tumblr.com/post/118764381217/cve-2015-2349-superwebmailer-5-50-0-01160-xss

http://essaybeans.lofter.com/post/1cc77d20_6edf28c

https://www.facebook.com/essaybeans/posts/561250300683107

https://twitter.com/essayjeans/status/598021595974602752

https://www.facebook.com/pcwebsecurities/posts/687478118064775

http://tetraph.blog.163.com/blog/static/234603051201541231655569/

https://plus.google.com/112682696109623633489/posts/djqcrDw5dQp

http://essayjeans.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html

https://mathfas.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://aibiyi.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html






About Group 超过 99.88% 的链接容易遭受 XSS 和 XFS 攻击

2607064191

 
About Group 网站有一个严重的网络安全问题,它容易遭受 XSS (跨站脚本漏洞) XFS (跨Frame脚本漏洞)。这对它的近10亿月访问用户是灾难和毁灭性的。

 

根据漏洞研究者发布的结果POC视频,所有About.com的话题(子域名)都可以被攻击者利用。

 

新加坡南洋理工大学 (NTU) 数学和物理学院 (SPMS) 数学系 (MAS) 的王晶 (Wang Jing) 发布了这个严重的安全漏洞。王晶声称在2014年10月19号,他向 About Group 做了报告,但是迄今为止一直没有收到回复。漏洞的发布时间是2015年2月2号。“到现在为止,漏洞还没有被修复” 王晶说。

 

与此同时,王晶披露 About.com 主页面的搜索域也容易遭受 XSS 攻击。除此之外,他还发布了一些 About.com 的公开重定向漏洞 (Open Redirect). 王说他的测试是在 Windows 8 的 IE (10.0.9200.16750) 和 Mozilla 的 Firefox (34.0), Ubuntu (14.04) 的 Google Chromium 39.0.2171.65-0, 以及 Mac OS X Lion 10.7 的 Apple Safari 6.1.6 上进行的。

 

XSS (Cross- site Scripting) 可以用来窃取用户信息,控制用户浏览器,和进行 DOS (Denial of Service) 攻击。 XFS (Cross-frame Scripting) 也叫 iFrame Injection,可以修改用户浏览器页面内容。

 

在发布漏洞的同时,王晶还说明因为 About Group 的普遍性,它的漏洞可以用来对其他网站进行隐蔽重定向攻击 (Covert Redirect);XFS 则可以用来对计算机和网络进行 DDOS (Distributed Denial of Service) 黑客攻击。这些漏洞发布在著名漏洞平台 Full-Disclosure 上和他的个人博客上。

 

王晶是一名学生安全研究人员。他发布了包括谷歌,脸书,亚马逊,阿里巴巴,电子湾,领英等多家公司网站的重要漏洞以及大量网络应用程序的补丁。
 

 
 
 

相关新闻:
http://www.zdnet.com/article/over-99-percent-of-about-com-links-vulnerable-to-xss-xfs-iframe-attack/
http://www.securityweek.com/xss-xfs-open-redirect-vulnerabilities-found-aboutcom
http://securityaffairs.co/wordpress/33070/hacking/com-affected-xss-xfs-open-redirect-vulnerabilities-since-october-2014.html
http://packetstormsecurity.com/files/130211/About.com-Cross-Site-Scripting.html
http://www.zoomit.ir/it-news/security/17394-about-com-links-vulnerable-to-xss-xfs
http://itsecurity.lofter.com/post/1cfbf9e7_6f05a63
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
http://securitypost.tumblr.com/post/118837857592/about-group-99-88-xss-xfs-about
http://www.inzeed.com/kaleidoscope/computer-security/about-group-xss-xfs/
https://www.secnews.gr/99percent-about-xss-xfs-attack-exploit
http://www.decomoadesinstalar.com/abrir-codigo-iframe-xss-xfs-ataque-mas-del-99-por
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1547
http://www.40kalagh.net/about-grope-xss-and-xfs
http://blog.norsecorp.com/2015/02/03/about-com-platform-rife-with-xss-and-iframe-injection-vulnerabilities/

CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site Scripting) Web Security Vulnerabilities

18638880

CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site Scripting) Web Security Vulnerabilities


Exploit Title: OptimalSite CMS /display_dialog.php image Parameter XSS Web Security Vulnerability

Vendor: OptimalSite

Product: OptimalSite Content Management System (CMS)

Vulnerable Versions: V.1 V2.4

Tested Version: V.1 V2.4

Advisory Publication: January 24, 2015

Latest Update: January 31, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9562

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Credit: Jing Wang [School of Physical and Mathematical Sciences, Nanyang Technological University (NTU), Singapore] (@justqdjing)





Suggestion Details:

(1) Vendor & Product Description

Vendor:

OptimalSite


Product & Version:

OptimalSite Content Management System (CMS)

V.1

V2.4


Vendor URL & Download:

The product can be obtained from here,

http://www.optimalsite.com/en/


Product Description Overview:

“Content management system OptimalSite is an online software package that enables the management of information published on a website. OptimalSite consists of the system core and integrated modules, which allow expanding website possibilities and functionality. You may select a set of modules that suits your needs best.


Website page structure

Website page structure is presented in a tree structure similar to Windows Explorer, so that several page levels can be created for each item on the menu. The website’s structure itself can be easily edited: you can create new website pages, delete unnecessary ones, and temporarily disable individual pages.


Website languages

OptimalSite may be used to create a website in different languages, the number of which is not limited. Different information may be presented in each separate language and the structure of pages in each language may also differ.


WYSIWYG (What You See Is What You Get) text editor

Using this universal text editor makes posting and replacing information on the website effortless. Even a minimum knowledge of MS Word and MS Excel will make it easy to use the tools of WYSIWYG text editor and implement your ideas.


Search function in the system

By using search function system’s administrator is able to find any information that is published in administrative environment. It is possible to execute a search in the whole system and in separate its’ modules as well.


Recycle bin function

System administrator is able to delete useless data. All deleted data is stored in recycle bin, so administrator can restore information anytime. “




(2) Vulnerability Details:

OptimalSite web application has a computer security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other the similar product 0-day vulnerabilities have been found by some other bug hunter researchers before. OptinalSite has patched some of them. “Openwall software releases and other related files are also available from the Openwall file archive and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download. The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file. We publish articles, make presentations, and offer professional services.” Openwall has published suggestions, advisories, solutions details related to XSS vulnerabilities.


(2.1) The code programming flaw occurs at “&image” parameter in “display_dialog.php” page.






http://lists.openwall.net/full-disclosure/2015/02/02/3

http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1546

https://zuiyuxiang.wordpress.com/2015/05/10/cve-2014-9562-optimalsite-content-management-system-cms-xss-cross-site-scripting-security-vulnerabilities/

http://frenchairing.blogspot.com/2015/05/cve-2014-9562-optimalsite-content.html

http://tetraph.blog.163.com/blog/static/234603051201541082835108/

https://www.facebook.com/permalink.php?story_fbid=1623045457913931&id=1567915086760302

https://twitter.com/buttercarrot/status/597377286996791299

http://www.weibo.com/5099722551/ChdSxaqGR?ref=home&rid=4_0_1_2669612892358968742&type=comment

https://plus.google.com/113115469311022848114/posts/9mdeMorsS2C

http://ittechnology.lofter.com/post/1cfbf60d_6e93c47

http://itinfotech.tumblr.com/post/118602673596/securitypost-cve-2014-9562-optimalsite-content

CVE-2015-1475 – My Little Forum Multiple XSS Web Security Vulnerabilities

computer-security-art

CVE-2015-1475  – My Little Forum Multiple XSS Web Security Vulnerabilities

Exploit Title: My Little Forum Multiple XSS Web Security Vulnerabilities

Vendor: My Little Forum

Product: My Little Forum

Vulnerable Versions: 2.3.3  2.2  1.7

Tested Version: 2.3.3  2.2  1.7

Advisory Publication: February 04, 2015

Latest Update: February 11, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-1475

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Credit: Jing Wang [School of Mathematical Sciences (001), University of Science and Technology of China (USTC)] (@justqdjing)


 
 
 

Recommendation Details:

(1) Vendor & Product Description
 

Vendor:

My Little Forum
 

Product & Version:

My Little Forum

2.3.3

2.2

1.7

 
Vendor URL & Download:

http://mylittleforum.net/

 
Product Description:

“my little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). It is Open Source licensed under the GNU General Public License. The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL.

Features

Usenet like threaded tree structure of the messages

Different views of the threads possible (classical, table, folded)

Categories and tags

BB codes and smilies

Image upload

Avatars

RSS Feeds

Template engine (Smarty)

Different methods of spam protection (can be combined: graphical/mathematical CAPTCHA, wordfilter, IP filter, Akismet, Bad-Behavior)

Localization: language files, time zone and UTF-8 support (see current version for already available languages)”


 
 

(2) Vulnerability Details:

My Little Forum  web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several similar products vulnerabilities have been found by some other bug hunter researchers before. My Little Forum has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to XSS vulnerabilities.

(2.1) The first programming code flaw occurs at “forum.php?” page with “&page”, “&category” parameters.

(2.2) The second programming code flaw occurs at “board_entry.php?” page with “&page”, “&order” parameters.

(2.3) The third programming code flaw occurs at  “forum_entry.php” page with “&order”, “&page” parameters.


 
 
 

References:

http://tetraph.com/security/xss-vulnerability/my-little-forum-multiple-xss-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/02/my-little-forum-multiple-xss-security.html

http://seclists.org/fulldisclosure/2015/Feb/15

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01652.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1553

http://packetstormsecurity.com/files/authors/11270

http://marc.info/?a=139222176300014&r=1&w=4

http://lists.openwall.net/full-disclosure/2015/02/03/2

http://essaybeans.blogspot.com/2015/05/cve-2015-1475-my-little-forum-multiple.html

http://www.osvdb.org/creditees/12822-wang-jing

https://infoswift.wordpress.com/2015/05/12/cve-2015-1475-my-little-forum-multiple-xss-web-security-vulnerabilities/

https://twitter.com/tetraphibious/status/597971919892185088

http://japanbroad.blogspot.jp/2015/05/cve-2015-1475-my-little-forum-multiple.html

https://www.facebook.com/tetraph/posts/1649600031926623

http://user.qzone.qq.com/2519094351/blog/1431403836

https://www.facebook.com/permalink.php?story_fbid=460795864075109&id=405943696226993

https://plus.google.com/+wangfeiblackcookie/posts/Sj63XDPhH1j

http://essayjeans.blog.163.com/blog/static/2371730742015412037547/#

http://whitehatpost.lofter.com/post/1cc773c8_6ed5839

http://whitehatview.tumblr.com/post/118754859716/cve-2015-1475-my-little-forum-multiple-xss-web

 

Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities

aliexpress_1


Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities



Domains Basics:

Alibaba Taobao, AliExpress, Tmall are the top three online shopping websites belonging to Alibaba.





Vulnerability Discover:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/




(1) Domains Descriptions:

“Taobao is a Chinese website for online shopping similar to eBay and Amazon that is operated in China by Alibaba Group.” (Wikipedia)

“With around 760 million product listings as of March 2013, Taobao Marketplace is one of the world’s top 10 most visited websites according to Alexa. For the year ended March 31, 2013, the combined gross merchandise volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.” (Wikipedia)

Alexa ranking 9 at 10:40 am Thursday, 22 January 2015 (GMT+8).



“Launched in 2010, AliExpress.com is an online retail service made up of mostly small Chinese businesses offering products to international online buyers. It is the most visited e-commerce website in Russia” (Wikipedia)



“Taobao Mall, is a Chinese-language website for business-to-consumer (B2C) online retail, spun off from Taobao, operated in the People’s Republic of China by Alibaba Group. It is a platform for local Chinese and international businesses to sell brand name goods to consumers in mainland China, Hong Kong, Macau and Taiwan.” (Wikipedia)

 

 

(2) Vulnerability descriptions:

Alibaba Taobao AliExpress Tmall online electronic shopping website has a cyber security bug problem. It can be exploited by XSS and Covert Redirect attacks.

 

 

(3) Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS

The vulnerability can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (8.0.7601) in Windows 7.

 

 

(3.1) Alibaba Taobao Online Electronic Shopping Website (Taobao.com ) XSS (cross site scripting) Security Vulnerability

The vulnerabilities occur at “writecookie.php?” page with “ck” parameter, e.g

POC Code:

http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw“–>’-alert(/justqdjing/ )-‘”;&redirect=0

POC Video:

Blog Details:




(3.2)Alibaba AliExpress Online Electronic Shopping Website (Aliexpress.com) XSS Security Vulnerabilities

The vulnerabilities occur at “landing.php?” page with “cateid” “fromapp” parameters, e.g

POC Code:

/’ “><img src=x onerror=prompt(/tetraph/)>

http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/’ “><img src=x onerror=prompt(/tetraph/)><!–&fromapp=

POC Video:

Blog Details:




(3.3) Alibaba Tmall Online Electronic Shopping Website (Tmall.com) XSS Security Vulnerability

The vulnerabilities occur at “writecookie.php?” page with “ck” parameter, e.g

POC Code:

http://www.tmall.com/go/app/sea/writecookie.php?ck=cn“–>’-alert(/tetraph/ )-‘”;&redirect=1

POC Video:

Blog Details:

 

This vulnerabilities were disclosed at Full Disclosure. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” All the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards.

 

 

(4) Alibaba Taobao(taobao.com)Covert Redirect Security Vulnerability Based on Apple.com



(4.1) Vulnerability description:

Alibaba Taobao has a security problem. It can be exploited by Covert Redirect attacks. Taobao will check whether the redirected URL belongs to domains in Taobao’s whitelist, e.g.

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Taobao to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Taobao directly.

In fact, Apple.com was found can be exploited by Open Redirect vulnerabilities. Those vulnerabilities details will be published in the near future.



(4.2) The vulnerability occurs at “redirect.htm?” page, with parameter “&url”, i.e.

The vulnerabilities can be attacked without user login. Tests were performed on IE (10.0) of Windows 8, Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

(4.3) Use a website for the tests,the redirected webpage is “http://www.tetraph.com/blog“. Just suppose it is malicious.

Vulnerable URL:

POC Code:

Poc Video:

Blog Detail:

 

 

Those vulnerablities were reported to Alibaba in 2014 and have been patched by the security team (just checked). Name was listed in the hall of fame by Alibaba.
http://security.alibaba.com/people.htm?id=2048213134

 

 

 

 

https://www.facebook.com/websecuritiesnews/posts/802525526534286

https://www.facebook.com/permalink.php?story_fbid=841091885926189&id=767438873291491

https://infoswift.wordpress.com/2015/01/27/alibaba-xss-open-redirect/

http://tetraph.blog.163.com/blog/static/2346030512015545132356/

 

 



========================================================







阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 跨站脚本攻击 (XSS) & 公开重定向 (Open Redirect) 安全漏洞

 

 

域名:

阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 是阿里巴巴集团最大的前三家网上购物电子商务网站.

 

 

(1) 漏洞描述:

阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 有一个安全问题. 它容易遭受 跨站脚本攻击 (XSS) & 公开重定向 (Open Redirect) 安全漏洞攻击.

漏洞不需要用户登录,测试是基于Windows 7 的 IE (8.0. 7601) 和 Ubuntu (14.04) 的 Firefox (34.0)。

 

 

(1.1) 阿里巴巴 淘宝 线上电子购物网 (Taobao.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “writecookie.php?”, 参数 “ck” e.g.

POC:

http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw“–>’-alert(/tetraph/ )-‘”;&redirect=0

 

 

(1.2) 阿里巴巴 全球速卖通 在线交易平台 (aliexpress.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “mobile_325_promotion_landing.php”, 参数 “cateid” 和 “fromapp” e.g.

POC:

/’ “><img src=x onerror=prompt(/tetraph/)>

http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/’ “><img src=x onerror=prompt(/tetraph/)><!–&fromapp=

 

 

(1.3) 阿里巴巴 天猫 线上电子购物网 (Tmall.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “writecookie.php?”, 参数 “ck” e.g.

POC:

http://www.tmall.com/go/app/sea/writecookie.php?ck=cn“–>’-alert(/tetraph/ )-‘”;&redirect=1

 

 

(2) 阿里巴巴淘宝线上电子购物网(taobao.com)Covert Redirect(隐蔽重定向跳转)安全漏洞基于 苹果网站

 

 

(2.1) 漏洞描述:

阿里巴巴 淘宝购物网 有一个安全问题. 它容易遭受 Covert Redirect (Open Redirect 公开重定向) 漏洞攻击. 所有 属于 Apple.com 的 链接都在白名单内。故而如果 苹果的 网站 本身有 公开重定向问题。那么受害者相当于首先被导向到 苹果官网然后 到 有害网站。 事实上苹果网站被发现有公开重定向问题,过段时间会公布细节。

有漏洞的文件是 “redirect.htm?”, 参数 “&url”, i.e.

这个漏洞不需要用户登录。测试是基于Windows 8 的 IE (10.0) 和 Ubuntu (14.04) 的 Firefox (34.0) 及 Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit),Mac OS X Lion 10.7 的 Safari 6.1.6。

 

 

(2.2) 用一个创建的网页进行测试,这个网页是“http://www.tetraph.com/blog“。可以假定这个页面是有害的。

漏洞网址:

POC 代码:

 

这些漏洞在2014年被报告给阿里巴巴安全应急中心,到今天已被修补 (刚刚检查), 名字被列在了白帽子名单感谢表里。
http://security.alibaba.com/people.htm?id=2048213134

 

漏洞发现者:
王晶, 数学科学系 (MAS), 物理与数学科学学院 (SPMS), 南洋理工大学 (NTU), 新加坡.
http://www.tetraph.com/wangjing/

 

 

 

Times of India website vulnerable to Cross Site Scripting (XSS) attacks

Times of India website vulnerable to Cross Site Scripting (XSS) attacks


 

India’s premier daily and popular website, Times of India is vulnerable to critical cross site scripting (XSS) attacks. Times of India which operates a website called indiatimes.com is a top news website in India and elsewhere.

 

 

hacking-home-router

 

 

The XSS vulnerability in the Times of India website was discovered by Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. He has found that the vulnerability occurs at Indiatimes’s URL links. Indiatimes only party filters the filenames in its website. Jing says due to this almost all URLs under Indiatimes’s “Photogallery” and “Top-lists” topics are affected by this vulnerability.

 

 

Detail Link:
http://www.techworm.net/2014/12/times-india-website-vulnerable-cross-site-scripting-xss-attacks.html

CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities

cnn_travel_city_xss1

 

CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities

 

Domain:
http://cnn.com

 

“The Cable News Network (CNN) is an American basic cable and satellite television channel that is owned by the Turner Broadcasting System division of Time Warner. The 24-hour cable news channel was founded in 1980 by American media proprietor Ted Turner. Upon its launch, CNN was the first television channel to provide 24-hour news coverage, and was the first all-news television channel in the United States. While the news channel has numerous affiliates, CNN primarily broadcasts from the Time Warner Center in New York City, and studios in Washington, D.C. and Los Angeles, its headquarters at the CNN Center in Atlanta is only used for weekend programming. CNN is sometimes referred to as CNN/U.S. to distinguish the American channel from its international sister network, CNN International. As of August 2010, CNN is available in over 100 million U.S. households. Broadcast coverage of the U.S. channel extends to over 890,000 American hotel rooms, as well as carriage on cable and satellite providers throughout Canada. Globally, CNN programming airs through CNN International, which can be seen by viewers in over 212 countries and territories. As of February 2015, CNN is available to approximately 96,289,000 cable, satellite and, telco television households (82.7% of households with at least one television set) in the United States.” (Wikipedia)

 

Discovered and Reported by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

Vulnerability Description:
CNN has a cyber security bug problem. It cab be exploited by XSS (Cross Site Scripting) and Open Redirect (Unvalidated Redirects and Forwards) attacks.

 

Based on news published, CNN users were hacked based on both Open Redirect and XSS vulnerabilities.

 

According to E Hacker News on June 06, 2013, (@BreakTheSec) came across a diet spam campaign that leverages the open redirect vulnerability in one of the top News organization CNN.

 

After the attack, CNN takes measures to detect Open Redirect vulnerabilities. The measure is quite good during the tests. Almost no links are vulnerable to Open Redirect attack on CNN’s website, now. It takes long time to find a new Open Redirect vulnerability that is un-patched on its website.

 

CNN.com was hacked by Open Redirect in 2013. While the XSS attacks happened in 2007.

 

 

“The tweet apparently shows cyber criminals managed to leverage the open redirect security flaw in the CNN to redirect twitter users to the Diet spam websites.”

 

cnn_open_redirect_complain_meitu_1

Figure from ehackingnews.com

 

At the same time, the cybercriminals have also leveraged a similar vulnerability in a Yahoo domain to trick users into thinking that the links point to a trusted website.

 

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. CNN has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to XSS and URL Redirection vulnerabilities and cyber intelligence recommendations.

 

 

(1) CNN (cnn.com) Travel-City Related Links XSS (cross site scripting) Web Security Bugs

 

Domain:
travel.cnn.com/

 

Vulnerability Description:
The programming bug flaws occur at “/city/all” pages. All links under this URL are vulnerable to XSS attacks, e.g

 

XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results

  • Identity theft
  • Accessing sensitive or restricted information
  • Gaining free access to otherwise paid for content
  • Spying on user’s web browsing habits
  • Altering browser functionality
  • Public defamation of an individual or corporation
  • Web application defacement
  • Denial of Service attacks

 

The code programming flaw can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 7.

 

cnn_travel_xss

 

PoC:

http://travel.cnn.com/city/all/all/tokyo/all‘ /”><img src=x onerror=prompt(/justqdjing/)>

 

http://travel.cnn.com/city/all/all/bangkok/all‘ /”><img src=x onerror=prompt(/justqdjing/)>

 

 

(2) CNN cnn.com ADS Open Redirect Web Security Bug

 

Domain:
ads.cnn.com

 

Vulnerability Description:
The programming code flaw occurs at “event.ng” page with “&Redirect” parameter, i.e.

 

From OWASP, an open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

(2.1) Use the following tests to illustrate the scenario painted above.

 

The redirected webpage address is “http://webcabinet.tumblr.com/“. Suppose that this webpage is malicious.

 

Vulnerable URL:

 

POC:

 

Since CNN is well-known worldwide, this vulnerability can be used to do “Covert Redirect” attacks to other websites.

 

Those vulnerabilities were reported to CNN in early July by Contact from Here. But they are still not been patched yet.
http://edition.cnn.com/feedback/#cnn_FBKCNN_com

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2014/Dec/128
http://lists.openwall.net/full-disclosure/2014/12/29/6
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1395
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
http://securitypost.tumblr.com/post/107868680057/ithut-cnn-cnn-com-travel
http://ittechnology.lofter.com/post/1cfbf60d_5500df0
http://ithut.tumblr.com/post/120833062743/cnn-xss-url-redirection-bug
http://www.tetraph.com/blog/it-news/cnn-xss-url-redirect-bug/
https://biyiniao.wordpress.com/2015/01/08/cnn-xss-open-redirect-bug/
http://whitehatpost.blog.163.com/blog/static/24223205420155613753998/
https://plus.google.com/u/0/+wangfeiblackcookie/posts/bFkukxiUfXK
https://www.facebook.com/permalink.php?story_fbid=674936469318135
http://tetraph.blogspot.com/2015/06/cnn-xss-redirect-bug.html
http://diebiyi.com/articles/news/cnn-xss-url-redirect-bug/
https://twitter.com/yangziyou/status/607060937309159425
https://redysnowfox.wordpress.com/2014/12/31/cnn-xss-url-redirect-bug/
https://www.facebook.com/permalink.php?story_fbid=1043534509019886
http://whitehatpost.lofter.com/post/1cc773c8_7338196
http://securityrelated.blogspot.com/2014/12/cnn-cnncom-travel-xss-and