WhiteHat Security View

URFDS: Systematic discovery of Unvalidated Redirects and Forwards in web applications

Author: Jing Wang, Hongjun Wu School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore Abstract: URL redirection is necessary in web applications. Well-designed redirection makes better user experience. However, if usedimproperly, it could give rise to attacks such as phishing. These improperly used redirections are called Unvalidated Redirects and Forwards (URF). This paper prescribes a mechanism to systemically discover URF vulnerabilities in web applications. The prototype implementation, that we call Unvalidated Redirects and Forwards Detection System (URFDS), uses a black-box scanning technique to modify URLs and analyse the generated output to identify URF. In order to show the feasible of our approach, we tested 142,522,691 unique links and found a great number of vulnerabilities in top websites and popular applications that were overlooked by previous works.

Daily mail Registration Page Unvalidated Redirects and Forwards & XSS Web Security Problem

Website Description: “The Daily Mail is a British daily middle-market tabloid newspaper owned by the Daily Mail and General Trust. First published in 1896 by Lord Northcliffe, it is the United Kingdom’s second biggest-selling daily newspaper after The Sun. Its sister paper The Mail on Sunday was launched in 1982. Scottish and Irish editions of the daily paper were launched in 1947 and 2006 respectively. The Daily Mail was Britain’s first daily newspaper aimed at the newly-literate “lower-middle class market resulting from mass education, combining a low retail price with plenty of competitions, prizes and promotional gimmicks”, and was the first British paper to sell a million copies a day. It was at the outset a newspaper for women, the first to provide features especially for them, and as of the second-half of 2013 had a 54.77% female readership, the only British newspaper whose female readers constitute more than 50% of its demographic. It had an average daily circulation of 1,708,006 copies in March 2014. Between July and December 2013 it had an average daily readership of approximately 3.951 million, of whom approximately 2.503 million were in the ABC1 demographic and 1.448 million in the C2DE demographic. Its website has more than 100 million unique visitors per month.” (Wikipedia)

One of its website’s Alexa rank is 93 on January 01 2015. The website is one of the most popular websites in the United Kingdom.

The Unvalidated Redirects and Forwards problem has not been patched, while the XSS problem has been patched.

(1) Daily mail Registration Page Unvalidated Redirects and Forwards Web Security Problem

(1.1) Vulnerability Description: Daily online websites have a cyber security problem. Hacker can exploit it by Open Redirect (Unvalidated Redirects and Forwards) attacks. During the tests, all Daily mail websites (Daily Mail, Mail on Sunday & Metro media group) use the same mechanism. These websites include dailymail.co.uk, thisismoney.co.uk, and mailonsunday.co.uk.

Google Dork: “Part of the Daily Mail, The Mail on Sunday & Metro Media Group”

The vulnerability occurs at “&targetUrl” parameter in “logout.html?” page, i.e. http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fgoogle.com

(1.1.1) Use the following tests to illustrate the scenario painted above.

The redirected webpage address is “http://diebiyi.com/articles“. Can suppose that this webpage is malicious.

Vulnerable URLs: http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdailymail.co.uk http://www.thisismoney.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fhao123.com/ http://www.mailonsunday.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fpinterest.com

POC Code: http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdiebiyi.com/articles http://www.thisismoney.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdiebiyi.com/articles http://www.mailonsunday.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdiebiyi.com/articles

POC Video: https://www.youtube.com/watch?v=AU-HJGe5BWE&feature=youtu.be

Blog Details: http://tetraph.com/security/website-test/daily-mail-url-redirection/ http://securityrelated.blogspot.com/2015/10/daily-mail-registration-page.html

(1.1.2) The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 8, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64- bit) of Ubuntu (14.04.2)，and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

These bugs were found by using URFDS (Unvalidated Redirects and Forwards Detection System).

(1.2) Description of Open Redirect: Here is the description of Open Redirect: “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.” (From CWE)

(1.3) Vulnerability Disclosure: These vulnerabilities have not been patched.

(2) Daily Mail Website XSS Cyber Security Zero-Day Vulnerability

(2.1) Vulnerability description: DailyMail has a security problem. Criminals can exploit it by XSS attacks.

The vulnerability occurs at “reportAbuseInComment.html?” page with “&commentId” parameter, i.e. http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=877038

POC Code: http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=”><img src=x onerror=prompt(‘justqdjing’)>

The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (34.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in Windows 7

.

Poc Video: https://www.youtube.com/watch?v=Oig-ZrlJDf8&feature=youtu.be

Blog Detail: http://tetraph.com/security/web-security/daily-mail-xss-bug/ http://securityrelated.blogspot.com/2015/10/daily-mail-online-website-xss-cyber.html

(2.2) What is XSS? “Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner.” (Wikipedia)

(2.3) Vulnerability Disclosure: This vulnerability has been patched.

Blog Details: http://tetraph.com/security/website-test/daily-mail-open-redirect-xss/ http://securityrelated.blogspot.com/2015/10/daily-mail-url-redirection-and-xss-bug.html https://vulnerabilitypost.wordpress.com/2015/10/30/daily-mail-url-redirect-xss/

Discover and Reporter: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing) http://www.tetraph.com/wangjing

Landscapes of Ronda, Málaga | Spain (by Nacho Coca)

VuFind 1.0 Reflected XSS (Cross-site Scripting) Application 0-Day Web Security Bug

Exploit Title: VuFind Results? &lookfor parameter Reflected XSS Web Security Vulnerability

Product: VuFind

Vendor: VuFind

Vulnerable Versions: 1.0

Tested Version: 1.0

Advisory Publication: September 20, 2015

Latest Update: September 25, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Caution Details:

(1) Vendor & Product Description:

Vendor:

VuFind

Product & Vulnerable Versions:

VuFind

1.0

Vendor URL & Download:

Product can be obtained from here, http://sourceforge.net/p/vufind/news/

Product Introduction Overview:

“VuFind is a library resource portal designed and developed for libraries by libraries. The goal of VuFind is to enable your users to search and browse through all of your library’s resources by replacing the traditional OPAC to include: Catalog Records, Locally Cached Journals, Digital Library Items, Institutional Repository, Institutional Bibliography, Other Library Collections and Resources. VuFind is completely modular so you can implement just the basic system, or all of the components. And since it’s open source, you can modify the modules to best fit your need or you can add new modules to extend your resource offerings. VuFind runs on Solr Energy. Apache Solr, an open source search engine, offers amazing performance and scalability to allow for VuFind to respond to search queries in milliseconds time. It has the ability to be distributed if you need to spread the load of the catalog over many servers or in a server farm environment. VuFind is offered for free through the GPL open source license. This means that you can use the software for free. You can modify the software and share your successes with the community! Take a look at our VuFind Installations Wiki page to see how a variety of organizations have taken advantage of VuFind’s flexibility. If you are already using VuFind, feel free to edit the page and share your accomplishments. ”

(2) Vulnerability Details:

VuFind web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug researchers before. VuFind has patched some of them. “scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training”.

(2.1) The code flaw occurs at “lookfor?” parameter in “/vufind/Resource/Results?” page.

Some other researcher has reported a similar vulnerability here and VuFind has patched it. https://vufind.org/jira/si/jira.issueviews:issue-html/VUFIND-54/VUFIND-54.html

(3) Solution:

Update to new version.

KnowledgeTree OSS 3.0.3b Application Reflected XSS (Cross-site Scripting) Web Security 0Day Vulnerability

Exploit Title: KnowledgeTree login.php &errorMessage parameter Reflected XSS Web Security Vulnerability

Product: Knowledge Tree Document Management System

Vendor: Knowledge Inc

Vulnerable Versions: OSS 3.0.3b

Tested Version: OSS 3.0.3b

Advisory Publication: August 22, 2015

Latest Update: August 31, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Recommendation Details:

(1) Vendor & Product Description:

Vendor:

KnowledgeTree

Product & Vulnerable Versions:

Knowledge Tree Document Management System

OSS 3.0.3b

Vendor URL & Download:

Product can be obtained from here,

http://download.cnet.com/KnowledgeTree-Document-Management-System/3000-10743_4-10632972.html

http://www.knowledgetree.com/

Product Introduction Overview:

“KnowledgeTree is open source document management software designed for business people to use and install. Seamlessly connect people, ideas, and processes to satisfy all your collaboration, compliance, and business process requirements. KnowledgeTree works with Microsoft® Office®, Microsoft® Windows® and Linux®.”

(2) Vulnerability Details:

KnowledgeTree web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. KnowledgeTree has patched some of them. “Bugtraq is an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It is a high-volume mailing list, and almost all new vulnerabilities are discussed there.”. It has listed similar exploits, such as Bugtraq (Security Focus) 32920.

(2.1) The code flaw occurs at “&errorMessage” parameter in “login.php” page.

One similar bug is CVE-2008-5858. Its X-Force ID is 47529.

PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug

Exploit Title: PhotoPost PHP __utmz Cookie Stored XSS Web Security Vulnerability

Product: PhotoPost PHP

Vendor: PhotoPost

Vulnerable Versions: 4.8c  4.8.6  4.8.5  4.8.2  3.1.1  vB3

Tested Version: 4.8c  vB3

Advisory Publication: July 25, 2015

Latest Update: July 28, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Caution Details:

(1) Vendor & Product Description:

Vendor:

PhotoPost

Product & Vulnerable Versions:

PhotoPost PHP

4.8c  4.8.6  4.8.5  4.8.2  3.1.1  vB3

Vendor URL & Download:

Product can be obtained from here,

http://www.photopost.com/featuresphp.html

Product Introduction Overview:

“Your search to find the best photo gallery has led you to the most feature rich, best performing, and most widely used gallery available today. PhotoPost is the best way to offer your users the ability to upload, show off, share, discuss, and rate photos and videos on your site. We originally created PhotoPost in 2001 for TechIMO.com, our parent company’s own tech discussion website with 2 Million forum posts and 200,000 users, and within weeks we were inundated with requests, so we decided to develop it into a product. Over the past 8 years, PhotoPost has undergone more than 100 “dot” updates by a team of expert developers to add features, tweak performance, and maximize stability. Always in high demand, PhotoPost has been purchased by a staggering 14,500 websites. PhotoPost is most popular amongst vBulletin forum owners. That’s because we designed PhotoPost from the beginning to integrate efficiently with a website’s existing vBulletin forum, offering users one integrated login and registration instead of two, stylesheet integration, and other enhancements. But what PhotoPost does well for vBulletin owners, it does equally well for those that wish to integrate a gallery with many other forum types, or to simply add a photo gallery to their website with no forum at all. “

(2) Vulnerability Details:

PhotoPost PHP web application has a computer security problem. Hackers can exploit it by XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. PhotoPost PHP has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to XSS vulnerabilities and cyber intelligence recommendations.

(2.1) The code flaw occurs at ”|utmcct” parameter in “__utmz” Cookie.

For example, if a victim clicks the link below.

http://localhost/gallery/showphoto.php/photo/846/sort/’“><marquee><h1>test</h1></marquee><svg/onload=prompt(/tetraph/)>

The content of ”__utmz" cookie will be the following:

__utma 194200300.1295483682.1438243020.1438243020.1438245659.2

__utmc 194200300

__utmz 194200300.1438243020.1.1.utmccn=(referral)|utmcsr=mgs-on-track.com|utmcct=/gallery/showphoto.php/photo/846/sort/1%27%22%3E%3Cimg%20src=x%20onerror=alert%28%27tetraph%27%29%3E%3Cmarquee%3E%3Ch1%3Etest%3C/h1%3E%3C/marquee%3E|utmcmd=referral

__qca P0-814178849-1438243024810

__utmb 194200300

bbsessionhash 1683dd3bd3edffbd8383db382f025eba

bblastvisit 1438246612

So the malicious code can work in the user’s browser for long time.

(2.2) Forum Integrations

“PhotoPost can optionally integrate as an add-on to an existing forum on your site, and we do this extremely well. PhotoPost is a perfect fit with a forum, because sharing and discussing photos within PhotoPost comes naturally for a forum community.

With our forum integration, your users will use their existing forum account to login to PhotoPost, without needing to register again and maintain a separate account. Additionally, we offer stylesheet integrations with several forums to easily setup your PhotoPost gallery to match your forum’s look and feel, and with vBulletin 3.x we offer several additional enhancements.”

Forum Software User Login Stylesheets Enhanced*

vBulletin 5.x  

vBulletin 4.x  

vBulletin 3.x  

Xenforo 1.x  

UBBThreads 6.X  

UBBThreads 7.X  

InvisionBoard 1.0  

InvisionBoard 2.0  

InvisionBoard 3.0  

FusionBB  

MyBB 1.0  

SMF 1.05 and up  

SMF 2.0 and up  

WowBB  

e107  

PHPBB 2.0  

PHPBB 3.0  

Wordpress 3.x  

vBulletin 2.x  

DCForums +  

IkonBoard  

Nuke  

PostNuke  

Mambo  

XMB Forums  

(Src: http://www.photopost.com/sites_frame.pl?http://www.photopost.com/photopost/adm-index.php)

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks Domain Description:  http://www.weather.com/ “The Weather Channel is an American basic cable and satellite television channel which broadcasts weather forecasts and weather-related news and analyses, along with documentaries and entertainment programming related to weather.  Launched on May 2, 1982, the channel broadcasts weather forecasts and weather-related news and analysis, along with documentaries and entertainment programming related to weather.“ 

  "As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives.” (Wikipedia) Vulnerability description: The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs. 

  Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to add script at the end of The Weather Channel’s URLs. Then the scripts will be executed. 

  10 thousands of Links were tested based a self-written tool. During the tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks. 

  The reason of this vulnerability is that Weather Channel uses URLs to construct its HTML tags without filtering malicious script codes. The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

Discovered by: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing) http://www.tetraph.com/wangjing

The New York Times  Old Articles Can Be Exploited by XSS Attacks (Almost all Article Pages Before 2013 Are Affected)

Domain: http://www.nytimes.com/ “The New York Times (NYT) is an American daily newspaper, founded and continuously published in New York City since September 18, 1851, by the New York Times Company. It has won 114 Pulitzer Prizes, more than any other news organization. The paper’s print version has the largest circulation of any metropolitan newspaper in the United States, and the second-largest circulation overall, behind The Wall Street Journal. It is ranked 39th in the world by circulation. Following industry trends, its weekday circulation has fallen to fewer than one million daily since 1990. Nicknamed for years as “The Gray Lady”, The New York Times is long regarded within the industry as a national “newspaper of record”. It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr., (whose family (Ochs-Sulzberger) has controlled the paper for five generations, since 1896), is both the paper’s publisher and the company’s chairman. Its international version, formerly the International Herald Tribune, is now called the International New York Times. The paper’s motto, “All the News That’s Fit to Print”, appears in the upper left-hand corner of the front page.“ (Wikipedia) (1) Vulnerability Description: The New York Times has a computer cyber security problem. Hacker can exploit its users by XSS bugs. The code program flaw occurs at New York Times’s URLs. Nytimes (short for New York Times) uses part of the URLs to construct its pages. However, it seems that Nytimes does not filter the content used for the construction at all before 2013. Based on Nytimes’s Design, Almost all URLs before 2013 are affected (All pages of articles). In fact, all article pages that contain “PRINT” button, “SINGLE PAGE” button, “Page *” button, “NEXT PAGE” button are affected. Nytimes changed this mechanism since 2013. It decodes the URLs sent to its server. This makes the mechanism much safer now. However, all URLs before 2013 are still using the old mechanism. This means almost all article pages before 2013 are still vulnerable to XSS attacks. I guess the reason Nytimes does not filter URLs before is cost. It costs too much (money & human capital) to change the database of all posted articles before.

CVE-2014-8753  Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: Cit-e-Access

Vendor: Cit-e-Net

Vulnerable Versions: Version 6

Tested Version: Version 6

Advisory Publication: February 12, 2015

Latest Update: June 01, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8753

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Instruction Details:

(1) Vendor & Product Description:

Vendor:

Cit-e-Net

Product & Version:

Cit-e-Access

Version 6

Vendor URL & Download:

Cit-e-Net can be downloaded from here, https://www.cit-e.net/citeadmin/help/cntrainingmanualhowto.pdf http://demo.cit-e.net/ http://www.cit-e.net/demorequest.cfm http://demo.cit-e.net/Cit-e-Access/ServReq/?TID=1&TPID=17

Product Introduction:

“We are a premier provider of Internet-based solutions encompassing web site development and modular interactive e-government applications which bring local government, residents and community businesses together.

Cit-e-Net provides a suite of on-line interactive services to counties, municipalities, and other government agencies, that they in turn can offer to their constituents. The municipal government achieves a greater degree of efficiency and timeliness in conducting the daily operations of government, while residents receive improved and easier access to city hall through the on-line access to government services.

Our web-based applications can help your municipality to acheive its e-government goals. Type & click website content-management empowers the municipality to manage the website quickly and easily. Web page styles & formats are customizable by the municipality, and because the foundation is a database application, user security can be set for individual personnel and module applications. Our application modules can either be integrated into your existing municipal web site or implemented as a complete web site solution. It’s your choice! Please contact us at [email protected] to view a demonstration of our municipal web site solution if you are an elected official or member of municipal management and your municipality is looking for a cost efficient method for enhancing & improving municipal services.

Interactive Applications

Online Service Requests

Online Tax Payments by ACH electronic-check or credit card.

Online Utility Payments by  ACH electronic-check or credit card.

Online General-Payments by ACH electronic-check or credit card.

Submit Volunteer Resume’s Online for the municipality to match your skills with available openings.”

(2) Vulnerability Details:

Cit-e-Access web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several similar products 0Day vulnerabilities have been found by some other bug hunter researchers before. Cit-i-Access has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to important vulnerabilities and cyber intelligence.

(2.1) The first programming code flaw occurs at “/eventscalendar/index.cfm?” page with “&DID” parameter in HTTP GET.

(2.2) The second programming code flaw occurs at “/search/index.cfm?” page with “&keyword” parameter in HTTP POST.

(2.3) The third programming code flaw occurs at “/news/index.cfm” page with “&jump2” “&DID” parameter in HTTP GET.

(2.4) The fourth programming code flaw occurs at “eventscalendar?” page with “&TPID” parameter in HTTP GET.

(2.5) The fifth programming code flaw occurs at “/meetings/index.cfm?” page with “&DID” parameter in HTTP GET.

(3) Solutions:

Leave message to vendor. No response. http://www.cit-e.net/contact.cfm

About Group (about.com) All Topics (At least 99.88% links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com Open Redirect Web Security Vulnerabilities

Vulnerability Description: About.com all “topic sites” are vulnerable to XSS (Cross-Site Scripting) and Iframe Injection (Cross Frame Scripting) attacks. This means all sub-domains of about.com are affected. Based on a self-written program, 94357 links were tested. Only 118 links do not belong to the topics (Metasites) links. Meanwhile, some about.com main pages are vulnerable to XSS attack, too. This means no more than 0.125% links are not affected. At least 99.875% links of About Group are vulnerable to XSS and Iframe Injection attacks. In fact, for about.com’s structure, the main domain is something just like a cover. So, very few links belong to them.

Simultaneously, the About.com main page’s search field is vulnerable to XSS attacks, too. This means all domains related to about.com are vulnerable to XSS attacks.

For the Iframe Injection vulnerability. They can be used to do DDOS (Distributed Denial-of-Service Attack) to other websites, too. Here is one example of DDOS based on Iframe Injection attacks of others. http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

In the last, some “Open Redirect” vulnerabilities related to about.com are introduced. There may be large number of other Open Redirect Vulnerabilities not detected. Since About.com are trusted by some the other websites. Those vulnerabilities can be used to do “Covert Redirect” to these websites.

Vulnerability Disclosure: Those vulnerabilities were reported to About on Sunday, Oct 19, 2014. No one replied. Until now, they are still unpatched.

Vulnerability Discover: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@Justqdjing) http://www.tetraph.com/wangjing

(1) Some Basic Background

(1.1) Domain Description: http://www.about.com/ http://www.alexa.com/siteinfo/about.com

“For March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month.” (The New York Times)

“About.com, also known as The About Group (formerly About Inc.), is an Internet-based network of content that publishes articles and videos about various subjects on its “topic sites,” of which there are nearly 1,000. The website competes with other online resource sites and encyclopedias, including those of the Wikimedia Foundation, and, for March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month. As of August 2012, About.com is the property of IAC, owner of Ask.com and numerous other online brands, and its revenue is generated by advertising.“ (Wikipedia)

"As of May 2013, About.com was receiving about 84 million unique monthly visitors.” (TechCrunch. AOL Inc.)

“According to About’s online media kit, nearly 1,000 "Experts” (freelance writers) contribute to the site by writing on various topics, including healthcare and travel.“ (About.com)

(1.2) Topics Related to About.com

"The Revolutionary About.com Directory and Community Metasite. Hundreds of real live passionate Guides covering Arts, Entertainment, Business, Industry, Science, Technology, Culture, Health, Fitness, Games,Travel, News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms, Education, Computers, Hobbies and Local Information.” (azlist.about.com)

About.com - Sites A to Z

Number of Topics

A: 66

B: 61

C: 118

D: 49

E: 33

F: 57

G: 39

H: 48

I: 32

J: 15

K: 13

L: 36

M: 70

N: 26

O: 23

P: 91

Q: 4

R: 32

S: 104

T: 47

U: 12

V: 9

W: 43

X: 1

Y: 4

Z: 1

SUM: 1039

Reference: azlist.about.com/

In fact, those are not all topics of about.com. Some of the topics are not listed here such as, http://specialchildren.about.com

So, there are more than 1000 topics related to about.com.

(1.3) Result of Exploiting XSS Attacks XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results:

  "Identity theft

  Accessing sensitive or restricted information

  Gaining free access to otherwise paid for content

  Spying on user’s web browsing habits

  Altering browser functionality

  Public defamation of an individual or corporation

  Web application defacement

  Denial of Service attacks (DOS)

“ (Acunetix)

… …

More: http://seclists.org/fulldisclosure/2015/Feb/9

Domain: cnn.com

“The Cable News Network (CNN) is an American basic cable and satellite television channel that is owned by the Turner Broadcasting System division of Time Warner. The 24-hour cable news channel was founded in 1980 by American media proprietor Ted Turner. Upon its launch, CNN was the first television channel to provide 24-hour news coverage, and was the first all-news television channel in the United States. While the news channel has numerous affiliates, CNN primarily broadcasts from the Time Warner Center in New York City, and studios in Washington, D.C. and Los Angeles, its headquarters at the CNN Center in Atlanta is only used for weekend programming. CNN is sometimes referred to as CNN/U.S. to distinguish the American channel from its international sister network, CNN International. As of August 2010, CNN is available in over 100 million U.S. households. Broadcast coverage of the U.S. channel extends to over 890,000 American hotel rooms, as well as carriage on cable and satellite providers throughout Canada. Globally, CNN programming airs through CNN International, which can be seen by viewers in over 212 countries and territories. As of February 2015, CNN is available to approximately 96,289,000 cable, satellite and, telco television households (82.7% of households with at least one television set) in the United States.” (Wikipedia)

Discovered and Reported by: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.  (@justqdjing) http://www.tetraph.com/wangjing/

Vulnerability Description: CNN has a cyber security bug problem. It cab be exploited by XSS (Cross Site Scripting) and Open Redirect (Unvalidated Redirects and Forwards) attacks.

Based on news published, CNN users were hacked based on both Open Redirect and XSS vulnerabilities. According to E Hacker News on June 06, 2013, (@BreakTheSec) came across a diet spam campaign that leverages the open redirect vulnerability in one of the top News organization CNN. After the attack, CNN takes measures to detect Open Redirect vulnerabilities. The measure is quite good during the tests. Almost no links are vulnerable to Open Redirect attack on CNN’s website, now. It takes long time to find a new Open Redirect vulnerability that is un-patched on its website.

CNN.com was hacked by Open Redirect in 2013. While the XSS attacks happened in 2007.

<1> There are some tweets complaining about hacked with links from CNN.

At the same time, the cybercriminals have also leveraged a similar vulnerability in a Yahoo domain to trick users into thinking that the links point to a trusted website.

Yahoo Open Redirects Vulnerabilities: http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html

<2> CNN.com XSS hacked http://seclists.org/fulldisclosure/2007/Aug/216

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. CNN has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. © Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to XSS and URL Redirection vulnerabilities and cyber intelligence recommendations.

Detail: http://seclists.org/fulldisclosure/2014/Dec/128

ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Web Security Vulnerabilities

Domain: http://espn.go.com/

“ESPN (originally an acronym for Entertainment and Sports Programming Network) is a U.S.-based global cable and satellite television channel that is owned by ESPN Inc., a joint venture between The Walt Disney Company (which operates the network, through its 80% controlling ownership interest) and Hearst Corporation (which holds the remaining 20% interest). The channel focuses on sports-related programming including live and recorded event telecasts, sports news and talk shows, and other original programming.

ESPN broadcasts primarily from studio facilities located in Bristol, Connecticut. The network also operates offices in Miami, New York City, Seattle, Charlotte, and Los Angeles. John Skipper currently serves as president of ESPN, a position he has held since January 1, 2012. While ESPN is one of the most successful sports networks, it has been subject to criticism, which includes accusations of biased coverage, conflict of interest, and controversies with individual broadcasters and analysts. ESPN headquarters in Bristol, Connecticut. As of February 2015, ESPN is available to approximately 94,396,000 paid television households (81.1% of households with at least one television set) in the United States. In addition to the flagship channel and its seven related channels in the United States, ESPN broadcasts in more than 200 countries, operating regional channels in Australia, Brazil, Latin America and the United Kingdom, and owning a 20% interest in The Sports Network (TSN) as well as its five sister networks and NHL Network in Canada.”(Wikipedia)

Vulnerability description: Espn.go.com has a cyber security bug problem. It is vulnerable to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open Redirect) attacks.

Those vulnerabilities are very dangerous. Since they happen at ESPN’s “login” & “register” pages that are credible. Attackers can abuse those links to mislead ESPN’s users. The success rate of attacks may be high.

During the tests, besides the links given above, large number of ESPN’s links are vulnerable to those attacks.

The programming code flaw occurs at “espn.go.com”’s “login?” & “register” pages with “redirect” parameter, i.e.

http://streak.espn.go.com/en/login?redirect=

https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com

http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=

https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/

Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 8.

Disclosed by: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.  (@justqdjing) http://www.tetraph.com/wangjing/

“The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to XSS and Open Redirect vulnerabilities and cyber intelligence recommendations.

(1) XSS Web Security Vulnerability XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results

Identity theft

Accessing sensitive or restricted information

Gaining free access to otherwise paid for content

Spying on user’s web browsing habits

Altering browser functionality

Public defamation of an individual or corporation

Web application defacement

Denial of Service attacks

Detail: http://seclists.org/fulldisclosure/2014/Dec/36

Yahoo Yahoo.com Yahoo.co.jp Open Redirect (Unvalidated Redirects and Forwards) Web Security Bugs

Though Yahoo lists open redirect vulnerability on its bug bounty program. However, it seems Yahoo do not take this vulnerability seriously at all.

Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “It is working as designed”. However, these vulnerabilities were patched later.

Several other security researcher complained about getting similar treatment, too. http://seclists.org/fulldisclosure/2014/Jan/51 http://seclists.org/fulldisclosure/2014/Feb/119

All Open Redirect Vulnerabilities are intended behavior? If so, why patch them later?

From report of CNET, Yahoo’s users were attacked by redirection vulnerabilities. “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware. ”

Moreover, since Yahoo is well-known worldwide. these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Alibaba, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect). These cyber security bug problems have not been patched. Other similar web and computer flaws will be published in the near future.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04)，Apple Safari 6.1.6 of Mac OS X Lion 10.7.

Disclosed by: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing) http://www.tetraph.com/wangjing

Both Yahoo and Yahoo Japan online web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. © Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

Detail: http://seclists.org/fulldisclosure/2014/Dec/88