Hackers infect Pentagon admin by exploiting XSS vulnerability

Recently, EHN received a news report from the Tunisian Cyber Army and Al Qaida Electronic Army in which the hackers claimed to have infected a Pentagon administrator as part of their ongoing operation called "#opBlackSummer".

The attack happened after the hackers identified a reflected cross-site scripting (XSS) vulnerability in one of the Pentagon's subdomains (g1arng.army.pentagon.mil).

POC:
g1arng.army.pentagon.mil/Programs/Pages/Default.aspx?Category="><script>alert("xss by tca and AQECA on pentagon")</script>

The hackers managed to exploit this vulnerability to send a malicious payload to the Pentagon administrator, and they claim to have succeeded in infecting them.

The hackers said they compromised some important files and stole cookies from the Pentagon mail system. The security breach was carried out in collaboration with Chinese hackers.

At the time of writing, the vulnerability is not fixed. If the TCA claim is true, this will be the best example that demonstrates the severity of a simple reflected XSS. Yesterday I sent a notification to the Pentagon team about the vulnerability, but there has been no response from them.

In another mail, the team said they have hacked state.gov through a SQL injection vulnerability.

Reflected Cross site scripting vulnerability in MTS Mobile website


Information security expert Narendra Bhati, from Sheoganj, India, has discovered a reflected cross-site scripting vulnerability in the official MTS website (mtsindia.com).

MTS group is an Indian mobile network operator headquartered in New Delhi that provides wireless voice, messaging and data services in India.

The vulnerability exists in the website's search field: script injected through the search box is reflected into the page and executed.

For instance, injecting the following code in the search box will display the alert box:

    "><script>alert("E Hacking News")</script>
Narendra also found that the field allows an iframe to be injected, so an attacker could potentially embed a phishing page to scam innocent visitors.

    "/><iframe src="http://www.google.com" width=1000 height=1000></iframe>

Reflected XSS Vulnerability in Adobe website

Security researcher Ankit Bharathan (aka lonely-hacker) has discovered a non-persistent cross-site scripting vulnerability in an Adobe website.

The vulnerability resides in one of Adobe's subdomains, "dbln-speedtest.adobe.com".

The POC for the vulnerability:
http://dbln-speedtest.adobe.com/index.php?lang="><SCRIPT>alert("E Hacking News")</SCRIPT>

The researcher also claims to have discovered a path disclosure vulnerability at the same location and more than 90 open directories on Adobe's site.

Ankit notified Adobe about the vulnerability, but they did not respond to his mail.


Reflected XSS vulnerability affects Millions of sites hosted in HostMonster

Recently, we reported a reflected cross-site scripting vulnerability in the HostGator India hosting site that affects millions of hosted sites. Today, another Indian security researcher, Ramneek Sidhu, comes with another interesting find.

Ramneek Sidhu has discovered a reflected XSS vulnerability in one of the biggest web hosting sites, "HostMonster" (hostmonster.com). Just like in the previous case, this vulnerability affects all sites hosted on HostMonster.

The vulnerability was discovered in a HostMonster subdomain:
http://host104.hostmonster.com/"><SCRIPT>alert(document.cookie)</SCRIPT><SCRIPT>alert("Evolution of Revolution")</script><img src="http://i49.tinypic.com/1zq7cyp.jpg /" />
The researcher reported the vulnerability to Aarshit Mittal, who analyzed it and found a few more interesting things. He discovered that every website hosted on HostMonster is vulnerable to reflected XSS.

To find the list of sites hosted on HostMonster, search for "Ip:ip:74.220.207.104" in Bing. This single IP search gives 36,000 results, and all of those sites are affected by this security flaw. For instance, let us take "vividhbharti.com".

The POC for this site is:
http://vividhbharti.com/"><SCRIPT>alert(document.cookie)</SCRIPT><SCRIPT>alert("Evolution of Revolution")</script><img src="http://i49.tinypic.com/1zq7cyp.jpg /" />
At EHN, I have just analyzed the affected sites to find out what causes this security flaw. It seems that this flaw occurs when the developer tries to display ads on the 404 Not Found page.


There is JavaScript code that generates the ads. Interestingly, the code uses the referrer, which is the current address. Unfortunately, the developers fail to sanitize the URL, and this results in reflected XSS.
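Added example, not code from the article or from HostMonster: a minimal model of the pattern described above (an ad snippet that splices the page URL into markup) beside a hardened version that encodes the value, plus a check that flags the same kind of markup arriving in a request path during log review. The same output encoding is the fix for the search-field cases reported earlier on this page. The function names, the `ads.example` and `host.example` hosts and the sample URL are all assumptions.

```javascript
// Added example, not the article's or HostMonster's code. Models a 404-page
// ad script that splices the current URL into markup. All names and hosts
// (buildAdMarkup*, ads.example, host.example) are constructed for this demo.

// Escape the characters that break out of HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (what the article describes): the page URL or referrer
// is concatenated straight into markup, so a "> in the path closes the
// attribute and any tag that follows is rendered by the browser.
function buildAdMarkupUnsafe(pageUrl) {
  return '<a href="http://ads.example/?ref=' + pageUrl + '">Sponsored</a>';
}

// Hardened pattern: the URL is percent-encoded for the query parameter it
// lands in, then HTML-escaped for the attribute it is written into.
// Both layers are needed because the value crosses two contexts.
function buildAdMarkupSafe(pageUrl) {
  const ref = encodeURIComponent(pageUrl);
  return '<a href="http://ads.example/?ref=' + escapeHtml(ref) + '">Sponsored</a>';
}

// Review helper for access-log triage: does a request path carry tag markup
// that a naive reflection would render? Decodes first so that %3Cscript%3E is
// caught too; a malformed encoding falls back to the raw text instead of throwing.
function looksLikeReflectedMarkup(pageUrl) {
  let decoded = pageUrl;
  try { decoded = decodeURIComponent(pageUrl); } catch (e) { /* keep raw */ }
  return /<\s*\/?\s*(script|iframe|img|svg)\b/i.test(decoded);
}

// Constructed sample: a 404 request whose path carries a probe string.
const samplePath = 'http://host.example/"><script>alert(1)</script>';

// Demo values to inspect: the safe output contains no raw tags.
const demo = {
  unsafe: buildAdMarkupUnsafe(samplePath),
  safe: buildAdMarkupSafe(samplePath),
  flagged: looksLikeReflectedMarkup(samplePath),
};
console.log(demo);
```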

Reflected-XSS Vulnerability in Change.org

Security researcher Adwiteeya Agrawal has discovered a non-persistent cross-site scripting (XSS) security flaw in Change.org.

Change.org is the web's leading platform for social change, empowering anyone, anywhere to start petitions that make a difference.


The vulnerability was discovered in the simple search form used on the website: the developer fails to validate the search keyword given by the user.

POC:
https://www.change.org/search?utf8=✓&q=<script>alert("XSS By Adwiteeya Agrawal")</script>


Reflected XSS in Vulnerability-Lab site (vulnerability-lab.com)


The Inj3ct0r team has found a reflected cross-site scripting (XSS) vulnerability in the official website of Vulnerability-Lab.

The Vulnerability Lab subdomain (video.vulnerability-lab.com) that hosts video demos of exploits has been found to be vulnerable to a non-persistent XSS security flaw.


The Inj3ct0r team provided us with the POC for the vulnerability:
173.0.61.44/video/?s="><script>alert("Inj3ct0r Team found Xss on vulnerability-lab")</script>&x=7&y=8
The above code will display a popup with the text "Inj3ct0r Team found Xss on vulnerability-lab". At first the URL confused me, as it points to some other IP.

But I visited the "video.vulnerability-lab.com" website and verified the security flaw by entering the script. It seems that the result is being loaded from the above-mentioned IP address.


"We know already about the issue 3 weeks ago," the Vulnerability Lab team has responded. "The issue is not exploitable ... it's fake because the issue is located in the website where no login is in use even if it is WordPress."

"The module and the video blog itself was secured ... only the update made the vulnerable module back available."