Tags

, , , , ,

stock-footage-blue-binary-tunnel-that-suggests-computer-data-flow-communication-concept

 

MailChimp, Olark, Kaneva online websites have computer cyber security bug problems. They can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.” (From CWE)

 


(1) MailChimp’s Login Page Open Redirect Vulnerability





Poc Video:
The vulnerability exists at “http://login.mailchimp.com/?” page with “referrer” parameter, e.g.
http://login.mailchimp.com/?referrer=http://google.com [1]




When a user clicks the URL ([1]) before login, the MailChimp “login page” appears. The user needs to enter his/her username and password. When this is done, the user could be redirected to a webpage different from MailChimp.





(1.1) Use the following tests to illustrate the scenario painted above.
The redirected webpage address is “http://www.tetraph.com/essayjeans/poems/thatday.html”. We can suppose that this webpage is malicious.













(2) Olark Open Redirect Vulnerability











(2.1)Use one of webpages for the following tests. The webpage address is “http://www.tetraph.com/essaybeans/“. Can suppose that this webpage is malicious.
















(3) Kaneva Sign-in Page Open Redirect Vulnerability


The vulnerability exists at “loginSecure.aspx” page with “logretURLNH” parameter, i.e.
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]




When unlogged victims click the URL ([1]) above, the Kaneva Sign-in page is displayed. The victims need to enter their username and password. After which, they will be redirected to a webpage different from Kaneva.




Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.




(3.1) Use the following tests to illustrate the scenario painted above.
The redirected webpage address is “http://www.tetraph.com/essaybeans/“. Can suppose that this webpage is malicious.











The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks. These bugs were found by using URFDS.

 

 

 


Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)





Source:
Advertisements