The MailChimp, Olark and Kaneva websites have security bugs that can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: "A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance." (From CWE)
(1) MailChimp’s Login Page Open Redirect Vulnerability
The vulnerability exists at the “http://login.mailchimp.com/?” page with the “referrer” parameter, e.g.
http://login.mailchimp.com/?referrer=http://google.com [1]
When a user clicks the URL ([1]) before login, the MailChimp “login page” appears. The user needs to enter his/her username and password. When this is done, the user could be redirected to a webpage different from MailChimp.
(1.1) Use the following tests to illustrate the scenario painted above.
The redirected webpage address is “http://www.tetraph.com/essayjeans/poems/thatday.html”. We can suppose that this webpage is malicious.
(2) Olark Open Redirect Vulnerability
The vulnerability exists at the “image.png” page with the “offline” parameter, i.e.
http://images-async.olark.com/status/9353-431-10-4341/image.png?online=http://static.olark.com/images/image-orangelark-available.png%20%20%20%20%20%20%20%20%20%20&offline=http://google.com
(2.1) Use one of the webpages for the following tests. The webpage address is “http://www.tetraph.com/essaybeans/”. We can suppose that this webpage is malicious.
(3) Kaneva Sign-in Page Open Redirect Vulnerability
The vulnerability exists at the “loginSecure.aspx” page with the “logretURLNH” parameter, i.e.
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]
When victims who are not logged in click the URL ([1]) above, the Kaneva Sign-in page is displayed. The victims need to enter their username and password, after which they will be redirected to a webpage different from Kaneva.
Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.
(3.1) Use the following tests to illustrate the scenario painted above.
The redirected webpage address is “http://www.tetraph.com/essaybeans/”. We can suppose that this webpage is malicious.
The flaws can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) on Windows 7, Mozilla Firefox (37.0.2) and Google Chromium 42.0.2311 (64-bit) on Ubuntu (14.04.2), and Apple Safari 6.1.6 on Mac OS X v10.9 Mavericks. These bugs were found by using URFDS.
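The server-side check that closes this class of bug, shown as an added example (not code from MailChimp, Olark, Kaneva or the reporter): the redirect parameter is honoured only when it is a local path or an allowlisted host. The parameter names come from sections (1) to (3); the function names, the allowlist contents and the "/" fallback are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names are the ones reported on this page; everything else is assumed.
REDIRECT_PARAMS = ("referrer", "offline", "logretURLNH")
FALLBACK = "/"  # hypothetical landing page used when the target is rejected


def safe_target(value, allowed_hosts):
    """Return value if it is a local path or an allowlisted http(s) URL, else FALLBACK."""
    if not value:
        return FALLBACK
    # Browsers drop control characters and read "\" as "/", so normalise first.
    cleaned = "".join(c for c in value.strip() if c >= " " and c != "\x7f")
    cleaned = cleaned.replace("\\", "/")
    if cleaned.startswith("//"):
        return FALLBACK  # scheme-relative URL points at another host
    try:
        parts = urlsplit(cleaned)
        host = (parts.hostname or "").lower()  # hostname excludes userinfo and port
    except ValueError:
        return FALLBACK  # malformed authority
    if not parts.scheme and not parts.netloc:
        # No scheme and no host: accept only absolute paths on this site.
        return cleaned if cleaned.startswith("/") else FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    # Exact host match; a suffix or substring test would accept look-alike hosts.
    return cleaned if host in allowed_hosts else FALLBACK


def redirect_after_login(request_url, allowed_hosts):
    """Pick the post-login destination for a request like those in (1) to (3)."""
    query = parse_qs(urlsplit(request_url).query)  # also percent-decodes the value
    for name in REDIRECT_PARAMS:
        if name in query:
            return safe_target(query[name][0], allowed_hosts)
    return FALLBACK


if __name__ == "__main__":
    # URLs [1] from sections (1) and (3); both fall back to "/".
    print(redirect_after_login(
        "http://login.mailchimp.com/?referrer=http://google.com",
        {"login.mailchimp.com"}))
    print(redirect_after_login(
        "http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com",
        {"www.kaneva.com"}))
```
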
Discoverer and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)