Friday, 22 August 2014

MailChimp’s Login, Olark, Kaneva Sign-in Page Unvalidated Redirects and Forwards 0day Vulnerability










 






 

MailChimp, Olark, Kaneva online websites have computer cyber security bug problems. They can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: "A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to  redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance." (From CWE)


 

 

 

(1) MailChimp’s Login Page Open Redirect Vulnerability

Poc Video:
The vulnerability exists at “http://login.mailchimp.com/?” page with “referrer” parameter, e.g.
http://login.mailchimp.com/?referrer=http://google.com [1]




When a user clicks the URL ([1]) before login, the MailChimp “login page” appears. The user needs to enter his/her username and password. When this is done, the user could be redirected to a webpage different from MailChimp.




(1.1) Use the following tests to illustrate the scenario painted above.



The redirected webpage address is “http://www.tetraph.com/essayjeans/poems/thatday.html”.  We can suppose that this webpage is malicious.


 

 
 
 

 

(2) Olark Open Redirect Vulnerability







(2.1)Use one of webpages for the following tests. The webpage address is “http://www.tetraph.com/essaybeans/“. Can suppose that this webpage is malicious.




 

 

 

 

(3) Kaneva Sign-in Page Open Redirect Vulnerability

The vulnerability exists at “loginSecure.aspx” page with “logretURLNH” parameter, i.e.
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]
When unlogged victims click the URL ([1]) above, the Kaneva Sign-in page is displayed. The victims need to enter their username and password. After which, they will be redirected to a webpage different from Kaneva.


Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.






(3.1) Use the following tests to illustrate the scenario  painted above.
The redirected webpage address is “http://www.tetraph.com/essaybeans/“.  Can suppose that this webpage is malicious.








The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks. These bugs were found by using URFDS.







Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)


Source:

Wednesday, 6 August 2014

Oracle Access Manager (CVE-2014-2404) WebGate Subcomponent Unspecified Remote Information Disclosure


CVE-2014-2404 Oracle Manager WebGate Subcomponent Unspecified Remote Information Disclosure



Exploit Title: Oracle Manager WebGate Subcomponent Unspecified Remote Information Disclosure
Product: Access Manager component in Oracle Fusion Middleware
Vendor: Oracle
Vulnerable Versions: 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, and 11.1.2.2.0
Advisory Publication: Apr 15, 2014
Latest Update: Apr 15, 2014
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: CVE-2014-2404
Risk Level: Medium
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N) (legend)
Solution Status: Fixed by Vendor
Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]




http://www.osvdb.org/show/osvdb/105842