lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <d921746b0902122025k2773a48dr71520b51b939ed4a@mail.gmail.com>
Date: Fri, 13 Feb 2009 12:25:09 +0800
From: militan c7 <militan.c7@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Security Advisory: Banks in Taiwan

==============================================
Security Advisory: Banks in Taiwan

militan (Lin, Chia-Jun)
militan.c7 [at] gmail.com
Advanced Defense Lab, NCU CSIE TAIWAN
12th February, 2009
==============================================


I. VULNERABILITY
-------------------------
Blind Command(SQL, LDAP) Injection
Information Leakage

Banks below are vulnerable:
Union bank of Taiwan. www.ubot.com.tw
SinoPac Securities. www.sinotrade.com.tw
prudential uk in Taiwan. www.pcafunds.com.tw


II. DESCRIPTION
-------------------------
Some banks or fund companies contain vulnerabilities while handling account
information,
it may cause information leakage.

Usually the input is sanitized indeed, but some specific pages do not
perform the validation properly.
Otherwise, sometimes error messages also show the architecture of web sites.


III. POC
-------------------------
1. Union bank: may be susceptible to blind injection.
http://adl.csie.ncu.edu.tw/~militan/Ubot1.jpg
http://adl.csie.ncu.edu.tw/~militan/Ubot2.jpg

2. prudential uk in Taiwan: Get information first(JNDI LDAP), then do the
LDAP injection.
http://adl.csie.ncu.edu.tw/~militan/PCAFunds1.jpg
http://adl.csie.ncu.edu.tw/~militan/PCAFunds2.jpg
http://adl.csie.ncu.edu.tw/~militan/PCAFunds3.jpg

3. SinoPac Securities: The page re-generates the password in Javascript.
It`s not a vulnerability, but a insecure behavior in programming.
http://adl.csie.ncu.edu.tw/~militan/SinoTrade.JPG


IV. SOLUTION& CONCLUSION
-------------------------
Strip all symbols in ANY input variable.
This advisory prove that sites of banks are not secure enough.
Vulnerabilities may be fixed up in a very short time because details were
sent to them already.


regards
--
militan
Advanced Defense Lab

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ