All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (Cross Site Scripting) Attacks

All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (Cross Site Scripting) Attacks 

(1) Domain Description:

http://www.indiatimes.com

"The Times of India (TOI) is an Indian English-language daily newspaper. It is the third-largest newspaper in India by circulation and largest selling English-language daily in the world according to Audit Bureau of Circulations (India). According to the Indian Readership Survey (IRS) 2012, the Times of India is the most widely read English newspaper in India with a readership of 7.643 million. This ranks the Times of India as the top English daily in India by readership. It is owned and published by Bennett, Coleman & Co. Ltd. which is owned by the Sahu Jain family. In the Brand Trust Report 2012, Times of India was ranked 88th among India's most trusted brands and subsequently, according to the Brand Trust Report 2013, Times of India was ranked 100th among India's most trusted brands. In 2014 however, Times of India was ranked 174th among India's most trusted brands according to the Brand Trust Report 2014, a study conducted by Trust Research Advisory." (en.Wikipedia.org)

(2) Vulnerability description:

The web application indiatimes.com online website has a security problem. Hacker can exploit it by XSS bugs.

The code flaw occurs at Indiatimes's URL links. Indiatimes only filter part of the filenames in its website. All URLs under Indiatimes's "photogallery" and "top-llists" topics are affected. 

Indiatimes uses part of the links under "photogallery" and "top-llists" topics to construct its website content without any checking of those links at all. This mistake is very popular in nowaday websites. Developer is not security expert.

The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (26.0) in Ubuntu (12.04) and Microsoft IE (9.0.15) in Windows 7.

POC Codes:

http://www.indiatimes.com/photogallery/">homeqingdao<img src=x onerror=prompt('justqdjing')>

http://www.indiatimes.com/top-lists/">singaporemanagementuniversity<img src=x onerror=prompt('justqdjing')>

http://www.indiatimes.com/photogallery/lifestyle/">astar<img src=x onerror=prompt('justqdjing')>

http://www.indiatimes.com/top-lists/technology/">nationaluniversityofsingapore<img src=x onerror=prompt('justqdjing')>

POC Video:

https://www.youtube.com/watch?v=EeJWu8_5BKU&feature=youtu.be

Blog Details:

http://securityrelated.blogspot.com/2014/11/two-topics-of-indiatimes-indiatimescom.html

What is XSS?

"Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it." (OWASP)

(3) Vulnerability Disclosure:

The vulnerabilities were reported to Indiatimes in early September, 2014. However they are still unpatched.

Discovered and Reported by:

Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

http://www.tetraph.com/wangjing/

Related Articles:

http://seclists.org/fulldisclosure/2014/Nov/91

http://lists.openwall.net/full-disclosure/2014/11/27/6

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1256

https://progressive-comp.com/?l=full-disclosure&m=141705615327961&w=1

http://tetraph.blog.163.com/blog/static/234603051201501352218524/

http://www.techworm.net/2014/12/times-india-website-vulnerable-xss

https://cxsecurity.com/issue/WLB-2014120004

https://vulnerabilitypost.wordpress.com/2014/12/04/indiatimes-xss

http://diebiyi.com/articles/security/all-links-in-two-topics-of-indiatimes

http://www.inzeed.com/kaleidoscope/computer-security/all-links-in-two-topics-of-indiatimes

http://itsecurity.lofter.com/post/1cfbf9e7_54fc6c9

http://computerobsess.blogspot.com/2014/12/all-links-in-two-topics-of-indiatimes.html

http://whitehatview.tumblr.com/post/104310651681/times-of-india-website-vulnerable-to

http://www.tetraph.com/blog/computer-security/all-links-in-two-topics-of-indiatimes

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

Domain Description:

http://www.weather.com/

"The Weather Channel is an American basic cable and satellite television channel which broadcasts weather forecasts and weather-related news and analyses, along with documentaries and entertainment programming related to weather.  Launched on May 2, 1982, the channel broadcasts weather forecasts and weather-related news and analysis, along with documentaries and entertainment programming related to weather."

"As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives." (Wikipedia)

Vulnerability description:

The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs.

Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to add script at the end of The Weather Channel's URLs. Then the scripts will be executed.

10 thousands of Links were tested based a self-written tool. During the tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks.

The reason of this vulnerability is that Weather Channel uses URLs to construct its HTML tags without filtering malicious script codes. 

The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

POC Codes, e.g.

http://www.weather.com/slideshows/main/"--/>"><img src=x onerror=prompt('justqdjing')>

http://www.weather.com/home-garden/home/white-house-lawns-20140316%22--/"--/>"><img src=x onerror=prompt('justqdjing')>t%28%27justqdjing%27%29%3E

http://www.weather.com/news/main/"><img src=x onerror=prompt('justqdjing')>

POC Video:

https://www.youtube.com/watch?v=Ij78WnzKB4M&feature=youtu.be

Blog Details:

http://securityrelated.blogspot.com/2014/11/the-weather-channel-weather.html

The Weather Channel has patched this Vulnerability in late November, 2014 (last Week).  "The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. This bug was published at The Full Disclosure in November, 2014.

Discovered by:

Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

http://www.tetraph.com/wangjing

More Details:

http://seclists.org/fulldisclosure/2014/Nov/89

http://lists.openwall.net/full-disclosure/2014/11/27/3

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1253

https://progressive-comp.com/?l=full-disclosure&m=141705578527909&w=1

http://whitehatview.tumblr.com/post/104313615841/the-weather-channel-flaw

http://www.inzeed.com/kaleidoscope/xss-vulnerability/the-weather-channel-exploit

http://diebiyi.com/articles/security/the-weather-channel-bug

http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8

https://vulnerabilitypost.wordpress.com/2014/12/04/the-weather-channel-flaw

http://tetraph.blog.163.com/blog/static/234603051201411475314523/

http://tetraph.blogspot.com/2014/12/the-weather-channel-xss.html

http://ithut.tumblr.com/post/121916595448/weather-channel-xss

https://mathfas.wordpress.com/2014/12/04/the-weather-channel-weather-bug

http://computerobsess.blogspot.com/2014/12/the-weather-channel-xss.html

http://www.tetraph.com/blog/xss-vulnerability/the-weather-channel-bug

GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

Domain: getpocket.com

"Pocket was founded in 2007 by Nate Weiner to help people save interesting articles, videos and more from the web for later enjoyment. Once saved to Pocket, the list of content is visible on any device — phone, tablet or computer. It can be viewed while waiting in line, on the couch, during commutes or travel — even offline. The world's leading save-for-later service currently has more than 17 million registered users and is integrated into more than 1500 apps including Flipboard, Twitter and Zite. It is available for major devices and platforms including iPad, iPhone, Android, Mac, Kindle Fire, Kobo, Google Chrome, Safari, Firefox, Opera and Windows." (From: https://getpocket.com/about)

Vulnerability Description:

Pocket has a computer cyber security bug problem. Hacker can exploit it by CSRF attacks.

 "Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application." (OWSAP)

Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2)，Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

Vulnerability Details:

The code programming flaw exists at "https://getpocket.com/edit/edit" page, i.e.https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=

Vulnerable URL:

https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=

Use a website created by me for the following tests. The website is "http://itinfotech.tumblr.com/". Suppose that this website is malicious. If it contains the following link, attackers can post any message as they like.

<a href="https://getpocket.com/edit?url=http%3A%2F%2Fmake.wordpress.org%2Fcore%2F2014%2F01%2F15%2Fgit-mirrors-for-wordpress&title=csrf test">getpocket csrf test</a> [1]

When a logged victim clicks the link ([1]), a new item will be successfully saved to his/her "Pocket" without his/her notice. An attack happens.

Poc Video:http://www.youtube.com/watch?v=Kg743VboyoU&feature=youtu.be

Blog Detail:

https://webtechwire.wordpress.com/2014/04/29/getpocket-csrf/

http://www.tetraph.com/blog/csrf-vulnerability/getpocket-csrf-vulnerability/

http://computerobsess.blogspot.com/2014/10/getpocket-csrf-vulnerability.html

http://tetraph.blog.163.com/blog/static/23460305120143201422975/

Discover and Reporter:

Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

http://www.tetraph.com/wangjing

CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

CVE-2014-8753  Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: Cit-e-Access

Vendor: Cit-e-Net

Vulnerable Versions: Version 6

Tested Version: Version 6

Advisory Publication: February 12, 2015

Latest Update: June 01, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8753

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Instruction Details:

(1) Vendor & Product Description:

Vendor:

Cit-e-Net

Product & Version: 

Cit-e-Access

Version 6

Vendor URL & Download: 

Cit-e-Net can be downloaded from here,

https://www.cit-e.net/citeadmin/help/cntrainingmanualhowto.pdf

http://demo.cit-e.net/

http://www.cit-e.net/demorequest.cfm

http://demo.cit-e.net/Cit-e-Access/ServReq/?TID=1&TPID=17

Product Introduction:

"We are a premier provider of Internet-based solutions encompassing web site development and modular interactive e-government applications which bring local government, residents and community businesses together.

Cit-e-Net provides a suite of on-line interactive services to counties, municipalities, and other government agencies, that they in turn can offer to their constituents. The municipal government achieves a greater degree of efficiency and timeliness in conducting the daily operations of government, while residents receive improved and easier access to city hall through the on-line access to government services.

Our web-based applications can help your municipality to acheive its e-government goals. Type & click website content-management empowers the municipality to manage the website quickly and easily. Web page styles & formats are customizable by the municipality, and because the foundation is a database application, user security can be set for individual personnel and module applications. Our application modules can either be integrated into your existing municipal web site or implemented as a complete web site solution. It's your choice! Please contact us at info@cit-e.net to view a demonstration of our municipal web site solution if you are an elected official or member of municipal management and your municipality is looking for a cost efficient method for enhancing & improving municipal services. 

Interactive Applications

Online Service Requests

Online Tax Payments by ACH electronic-check or credit card.

Online Utility Payments by  ACH electronic-check or credit card.

Online General-Payments by ACH electronic-check or credit card.

Submit Volunteer Resume's Online for the municipality to match your skills with available openings."

(2) Vulnerability Details:

Cit-e-Access web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Several similar products 0Day vulnerabilities have been found by some other bug hunter researchers before. Cit-i-Access has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to important vulnerabilities and cyber intelligence.

(2.1) The first programming code flaw occurs at "/eventscalendar/index.cfm?" page with "&DID" parameter in HTTP GET.

(2.2) The second programming code flaw occurs at "/search/index.cfm?" page with "&keyword" parameter in HTTP POST.

(2.3) The third programming code flaw occurs at "/news/index.cfm" page with "&jump2" "&DID" parameter in HTTP GET.

(2.4) The fourth programming code flaw occurs at "eventscalendar?" page with "&TPID" parameter in HTTP GET.

(2.5) The fifth programming code flaw occurs at "/meetings/index.cfm?" page with "&DID" parameter in HTTP GET.

(3) Solutions:

Leave message to vendor. No response.

http://www.cit-e.net/contact.cfm

References:

http://seclists.org/fulldisclosure/2015/Feb/48

http://lists.openwall.net/full-disclosure/2015/02/13/2

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1587

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01683.html

https://computerpitch.wordpress.com/2015/06/07/cve-2014-8753/

http://webtechhut.blogspot.com/2015/06/cve-2014-8753.html

https://www.facebook.com/websecuritiesnews/posts/804176613035844

https://twitter.com/tetraphibious/status/607381197077946368

http://biboying.lofter.com/post/1cc9f4f5_7356826

http://shellmantis.tumblr.com/post/120903342496/securitypost-cve-2014-8753

http://itprompt.blogspot.com/2015/06/cve-2014-8753.html

http://whitehatpost.blog.163.com/blog/static/24223205420155710559404/

https://plus.google.com/u/0/113115469311022848114/posts/FomMK9BGGx2

https://www.facebook.com/pcwebsecurities/posts/702290949916825

http://securitypost.tumblr.com/post/120903225352/cve-2014-8753-cit-e-net

http://webtech.lofter.com/post/1cd3e0d3_7355910

http://www.inzeed.com/kaleidoscope/cves/cve-2014-8753/

http://diebiyi.com/articles/security/cve-2014-8753/