Date: Sat, 21 Jun 2014 07:46:08 +0200
From: Adrien Jolibert <jolibert@...il.com>
To: Roberto Garcia Amoriz <roberto.garcia@...aramo.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] XSS on Panasonic site

Hello Roberto Garcia Amoriz,

Would you tell where the "XSS vulnerability" resides? Need more
information.

I understand you can trigger stuff such as exploit kits (i.e. using browser
vulns), steal cookies, or play with browser JavaScript and the HTML DOM.
Plus, are you sure/checking that the cookie flags on these sites are not set to
HttpOnly/Secure? (Clear your browser cache, make a new session, and look.)

But when it is not a general public website with ++billions++ of users, how
would you trigger these reflected ones?

The only practical case I see was that one, 2 years ago (?), against
YouTube and a stored (! not reflective) XSS.
That one was on comments.
From memory, on every post, combined with the 0-day in the Microsoft help center, you
got SYSTEM (the gold account) access to any computer using M$ from YouTube.
For god's sake and mind, nobody made that one viral or had the idea; YouTube
got really close to being shut down, but it is still there.
That was making sense for a huge bot-net, plus thus reporting an XSS
vulnerability makes it.

For your reporting, spam? The action of triggering is still the same: you
need a user interaction, clicking a link.
Viral ones? You need an HTML POST/GET interaction; that is not the case with
yours. Have you tried to trigger them?
Get deeper, dude, try harder ( :-) ).

I have more and more doubts about these vulnerabilities; you can be tricked
on these websites, but now it is like clicking on a "viagra link" or "free
lesbian videos" coming into our inbox.
I see more tricking ones using web services, some sending mails; that may
be a factor.
Audits are just made of XSS/SQLi or other injections, just with Nessus
scans or others, but none try the business logic (like mad and poorly
designed services).
That is mad, but it is always what I look at first. With modern
frameworks, failures reside in inner logic.

Have you tried using POST actions to see if you can get them and make them
viral?

This is just a question, because I see a lot of +simple+ XSS coming from
you on this list.
I appreciate your contributions, you did well, don't look for blame.
I am not blaming, and I am not the one who can. I appreciate what you make,
not like the others.
Just get deeper.

But it is becoming useless among real exploits that may help the monks here
using IDS and thinking they make good reading signatures (! 1337 idiots).
To these fools, I say, good luck being paid forever; Roberto Garcia knows
much more than you.
On Fri, Jun 20, 2014 at 3:04 PM, Roberto Garcia Amoriz <
roberto.garcia@...aramo.com> wrote:

> - XSS on Panasonic site -
>
>
> ****************************************************************************
> Advisory: security.panasonic.com – Cross-Site Script Vulnerability (XSS)
> Advisory ID:  969061
> Author: Roberto Garcia (@1gbDeInfo)
> Affected Software: Successfully tested on security.panasonic.com
> Vendor URL: http://security.panasonic.com
> Vendor Status: reported 2 times but not solved
>
> ****************************************************************************
>
>
> **************************
> Vulnerability Description
> **************************
>
> The website "security.panasonic.com" is prone to an XSS vulnerability.
>
> This vulnerability involves the ability to inject arbitrary and unauthorized
> javascript code. A malicious script inserted into a page in this manner can
> hijack the user’s session, submit unauthorized transactions as the user,
> steal confidential information, or simply deface the page.
>
>
> **************************
> PoC-Exploit
> **************************
>
>
>
> http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ealert%280%29%3C%2Fscript%3E&x=0&y=0&ie=ISO-8859-1
>
>
>
> http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&x=0&y=0&ie=utf8
>
>
> **************************
> Solution
> **************************
>
>   Reported 2 times but not solved
>
> **************************
> Disclosure Timeline
> **************************
>
> - Report vuln Jun 4, 2014 via email to samuel.garcia@....eu.panasonic.com
>
> - Reported again via web Jun 12, 2014. They answer me:
>
>         Dear Mr. Garcia,
>         Thank you for your prompt e-mail reply.
>         Regarding your enquiry, I am writing to confirm having forwarded
> your message to the corresponding department.
>
>         Kind Regards,
>         Teo
>         Customer Service Team
>         Panasonic UK
>
> **************************
> Affected sites:
>
>   - vftr.panasonic.co.jp
>   - security.panasonic.com
>   - panasonic.ney
>
> **************************
>
>
> **************************
> Credits
> **************************
>
>
> ------------------------------------------------------------------------------------------
> Vulnerability found and advisory written by Roberto Garcia (@1gbDeInfo)
>
> ------------------------------------------------------------------------------------------
>
> Best regards.
>
> Roberto Garcia Amoriz
>
> Linkedin: es.linkedin.com/in/rogaramo/
> Web:  http://www.1gbdeinformacion.com
> Twitter: @1gbdeinfo
>
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

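As an added example (not code from either poster), a small Python check for the two things this thread turns on: whether a site's Set-Cookie headers carry the HttpOnly/Secure flags the reply asks about, and how HTML-escaping a reflected search parameter like the q= in the PoC keeps it inert. The response headers below are constructed samples, not captured from any real site.

```python
"""Audit Set-Cookie flags and show safe reflection of a search parameter."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample response headers (not from any real server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "prefs=en; Path=/"),
    ("Set-Cookie", "track=xyz; Path=/; Secure"),
]


def audit_cookies(headers):
    """Return {cookie_name: [missing flags]} for every Set-Cookie header.

    A cookie without HttpOnly is readable by injected script via
    document.cookie (the second PoC URL above); one without Secure is
    also sent over plain HTTP.
    """
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; compare them lower-cased.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
        findings[cookie_name] = missing
    return findings


def reflect_query_safely(url):
    """Echo the q= parameter of a search URL the way a safe search page should.

    parse_qs percent-decodes the value, so the PoC's %3Cscript%3E becomes
    a literal <script>; html.escape then turns <, >, &, " and ' into
    entities, so the browser renders text rather than running script.
    """
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return "<p>Results for: %s</p>" % html.escape(q, quote=True)


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "missing:", missing or "nothing")
    print(reflect_query_safely(
        "http://example.invalid/search.x?q=%3Cscript%3Ealert%280%29%3C%2Fscript%3E"))
```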