Kaneva members create the digital version of themselves — avatars — and then meet up in a vibrant, 3D world based on the modern day. Every Kaneva member gets a Kaneva City Loft — their own 3D space — that they can decorate and furnish in their unique style. You can bring your favorite videos, photos, music, and games, and watch them on your 3D televisions. You can invite friends to hang out in your 3D home or meet up in any of Kaneva’s public spaces and chat in real-time. You can shop for the latest fashions or home decor, chat, dance, play games, watch TV and movies, and come back again and again to explore and have fun in an ever evolving world full of exciting people, places and entertainment.”
The vulnerability exists at "loginSecure.aspx" page with "logretURLNH" parameter, i.e.
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]
When unlogged victims click the URL ([1]) above, the Kaneva Sign-in page is displayed. The victims need to enter their username and password. After which, they will be redirected to a webpage different from Kaneva.
Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 8, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.
(1) Use the following tests to illustrate the scenario painted above.
The redirected webpage address is "http://www.tetraph.com/essaybeans/street_artists/clark_quay.html".Can suppose that this webpage is malicious.
Vulnerable URL:
https://www.kaneva.com/loginSecure.aspx?logretURLNH=https://shop.kaneva.com/MySales.aspx
POC:
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3A%2F%2Fwww.tetraph.com%2Fessaybeans%2Freflections%2Fsolitude.html
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fgoogle.com
Credit:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/
The vulnerability exists at "loginSecure.aspx" page with "logretURLNH" parameter, i.e.
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]
When unlogged victims click the URL ([1]) above, the Kaneva Sign-in page is displayed. The victims need to enter their username and password. After which, they will be redirected to a webpage different from Kaneva.
Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 8, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.
(1) Use the following tests to illustrate the scenario painted above.
The redirected webpage address is "http://www.tetraph.com/essaybeans/street_artists/clark_quay.html".Can suppose that this webpage is malicious.
Vulnerable URL:
https://www.kaneva.com/loginSecure.aspx?logretURLNH=https://shop.kaneva.com/MySales.aspx
POC:
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3A%2F%2Fwww.tetraph.com%2Fessaybeans%2Freflections%2Fsolitude.html
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fgoogle.com
Credit:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/
No comments:
Post a Comment