lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+CewVB_e9vaa-+j34GfZzUi0N4g+BX52XzZ9x0YPidbr9nvoA@mail.gmail.com>
Date: Wed, 19 Feb 2014 03:26:52 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Sinopec Ltd. (XSS) Web App Vulnerabilities

   _____  .___  _________
  /  _  \ |   |/   _____/
 /  /_\  \|   |\_____  \
/    |    \   |/        \
\____|__  /___/_______  /
        \/            \/  Corporation



China's Petroleum & Chemical Corporation, (SINOPEC Limited)
============================================================

Published Report: 19/02/2014


Credits: Advanced Information Security Corporation, USA

Severity: High/Critical (OWASP TOP 10)

Type: Web Application / Reflected Cross-Site Scripting Attack.


Author: Nicholas Lemonias. (Information Security Expert)


Vendor Overview
===========================
China Petroleum & Chemical Corporation, or Sinopec Limited, is a Chinese
oil and gas company based in Beijing, China.
 It is listed in Hong Kong and also trades in Shanghai and New York.
Sinopec is the world's fifth biggest company by revenue.
Sinopec Limited's parent, Sinopec Group, is one of the major petroleum
companies in China, headquartered in Chaoyang District, Beijing.
Sinopec's business includes oil and gas exploration, refining, and
marketing; production and sales of petrochemicals, chemical fibers,
chemical fertilizers, and other chemical products; storage and pipeline
transportation of crude oil and natural gas; import, export and
import/export agency business of crude oil, natural gas, refined oil
products, petrochemicals, and other chemicals.
In 2011 it ranked as the 5th largest company in sales in Forbes Global 2000.
In 2009, it was ranked 9th by Fortune Global 500 becoming the first Chinese
corporation to make the top ten and in 2010 it was ranked 7th.
In 2007, it ranked first in the Top 500 Enterprises of China ranking.
Sinopec is the largest oil refiner in Asia by annual volume processed.
Sinopec produces around 1/4 as much raw crude oil as PetroChina, but
produces 60% more refined products per annum.
Sinopec has an astonishing revenue of 2.786 trillion CN income.




Responsible Disclosure Timeline

======================================

 [+] 21st of December 2013 - Contacted Vendor regarding the security
realisation.

 [+] 25th of December 2013 - The Vendor verified & fixed the problem.




Description of the security realisation
=========================================
Visitors and users alike entrust the provider's website by default.
Therefore the investor center directory in the public-facing online
environment
is vulnerable to a reflect cross-site scripting atack. Visitors to the site
could be affected by this vulnerabiltiy.
 A page in the scope of searching through stock-exchange price shares of
the company, for investors, is vulnerable to an input validation
vulnerability.
The path fragment  /investor_center/historyQuery.jsp.  does not filter
metacharacters from user-input and allows injection and execution of
third-party heterogeneous code
 through the hidden POST request. The problem concludes to the reproduction
and execution of third-party untrusted code,thus exploiting the trust
levels and, Confidentiality
Integrity and Availability as per the requirements of best security
practise and standards, ISO (27001).

 Proof of Concept (1) / Affected Services
==========================================


http://english.sinopec.com/investor_center/historyQuery.
jsp?d=%22%20onmouseover%3dprompt%28313372%29%20abc%3d%
22&dayend=23&daystart=23&doSearch=true&endDate=2012-03-06&gid=1&monthend=3&
monthstart=3&range=1&startDate=2000-10-19&Submit2=
search&yearend=1967&yearstart=1967

Affected directory/script: /investor_center/historyQuery.jsp

Injected Code to path fragment:
/investor_center/historyQuery.jsp?d=%22%20onmouseover%3dprompt%28313372%29%20abc%3d%22"

1. Escaping previous fragment function:
2. Injection:
/investor_center/historyQuery.jsp?d=%22%20onmouseover%3dprompt%28313372%29%20abc%3d%22&dayend=23&daystart=23&doSearch=true&endDate=2012-03-06&gid=1&monthend=3&monthstart=3&range=1&startDate=2000-10-19&Submit2=search&yearend=1967&yearstart=1967

Description: On mouse over the affected link, and the injected code will be
executed. In this Proof-of-concept a prompt will alter the user's normal
execution flow and thus confidentiality, integrity and availability are
impacted.


 Proof of Concept (2)
==========================================
POST /investor_center/historyQuery.jsp HTTP/1.1
Content-Length: 209
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=abcrPc-q2uTfoa0OsvLxt
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/7.54 (Windows NT 5.1; U)  [en]



Limitations Source Code (sample A)
==============================================
<INPUT type=hidden name=doSearch value="true">
< input type="hidden" name="d" value=" onmouseover=prompt(973979) bad=">
// line 8701 execution of the vulnerable


Recommendations provided for Quality of Service
===============================================
A. The recommendations that have been made to Sinopec Ltd were in good
faith and in support of the quality of service.
The technical recommendations made are therefore, to consider encrypting
the view-state of the application.
Furthermore to implement a stronger Cross-Site Scripting protection.
Apparently XSS filtering is not properly applied, and metacharacter
filtering allows data input over the HTTP protocol,
and the ability to inject third-party heterogeneous code, which is
untrusted, either in Java-Script, Active-X and Visual Basic Script.
Please note that malicious users could take advantage of such a bug, as we
have seen in notable cases of malware and
propagation instances.


B. Our  consultation to Sinopec Ltd was therefore, for an immediate risk
assessment and thus immediate review of upper-level security policies in
accordance to ISO 27001 and ISO 27002 which was followed kindly by the
team. Full review of ISMS policy scope and the SDLC of the vulnerable
application and other subsidiary pages.


 Appendices
============================
A. Suggested the filtering of metacharacters.
B. Suggested the utilisation User-server encoding of < and > to &lt; and
& gt; in application output.
C. An XSS attack could embrace mass user and product attacks, phishing
theft of private and confidential information such as credit cards,
passwords,
and stored accounts.
D. Suggested Filtering < and > and using appropriate encoding.
( and ) filtered and encoded to &#40; and &#41;,
Example:
# and & converted to &#35 (#) and &#38 (&).


References
============================
OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE]
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011
OWASP.  2013. XSS Filter Evasion Cheat-Sheet, [ONLINE]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:
http://msdn.microsoft.com/en-us/library/ff649310.aspx.



** This vulnerability report is posted for the wider benefit of the
security community, as is and without any warranties, including that of the
warranty of merchantability and capability fit for a particular purpose.
The information is posted under the FOI as per best security practises.


*Copyright Advanced Information Security Corp ©, 2014*

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ