Security Advisory: Banks in Taiwan

[militan c7 <militan.c7 () gmail com>]

==============================================
Security Advisory: Banks in Taiwan

militan (Lin, Chia-Jun)
militan.c7 [at] gmail.com
Advanced Defense Lab, NCU CSIE TAIWAN
12th February, 2009
==============================================


I. VULNERABILITY
-------------------------
Blind Command(SQL, LDAP) Injection
Information Leakage

Banks below are vulnerable:
Union bank of Taiwan. www.ubot.com.tw
SinoPac Securities. www.sinotrade.com.tw
prudential uk in Taiwan. www.pcafunds.com.tw


II. DESCRIPTION
-------------------------
Some banks or fund companies contain vulnerabilities while handling account
information,
it may cause information leakage.

Usually the input is sanitized indeed, but some specific pages do not
perform the validation properly.
Otherwise, sometimes error messages also show the architecture of web sites.


III. POC
-------------------------
1. Union bank: may be susceptible to blind injection.
http://adl.csie.ncu.edu.tw/~militan/Ubot1.jpg
http://adl.csie.ncu.edu.tw/~militan/Ubot2.jpg

2. prudential uk in Taiwan: Get information first(JNDI LDAP), then do the
LDAP injection.
http://adl.csie.ncu.edu.tw/~militan/PCAFunds1.jpg
http://adl.csie.ncu.edu.tw/~militan/PCAFunds2.jpg
http://adl.csie.ncu.edu.tw/~militan/PCAFunds3.jpg

3. SinoPac Securities: The page re-generates the password in Javascript.
It`s not a vulnerability, but a insecure behavior in programming.
http://adl.csie.ncu.edu.tw/~militan/SinoTrade.JPG


IV. SOLUTION& CONCLUSION
-------------------------
Strip all symbols in ANY input variable.
This advisory prove that sites of banks are not secure enough.
Vulnerabilities may be fixed up in a very short time because details were
sent to them already.


regards
--
militan
Advanced Defense Lab

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/