Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: tb10142.htm

Widespread vulnerabilities in Libero.it/Infostrada.it web portals



Widespread vulnerabilities in Libero.it/Infostrada.it web portals
Widespread vulnerabilities in Libero.it/Infostrada.it web portals



<--start-->
Following the advisory of the XSS vulnerability found on Libero.it  (italian ISP) portal, 
and after the "official" response given by the portal owners which stated that in no way user accounts would be at risk, 
several other XSS vulns have been found on Libero.it/Infostrada.it portals (both are from the same provider, different names for historical reasons). 

The current post has the only aim to demonstrate that the previous vulns are not occasional and a hardening in Libero/infostrada portals application security is really urgent 
is required in order to preserve and protect users privacy.


First Vulnerability 
------------------

This PoC widely demonstrate how an attacker can use another XSS vuln + a lack of access control on private Libero.it Community  
pages for organize a phishing attack.

Step 1. On the community pages is possible, for Libero users to create a personal blog; 
this blog can be administred through some admin private pages while the published blog pages are fro public use. 
The page:

http://blog.libero.it/XSS/aux_messaggio.php? 
is a private admin page used  to alert for possible errors encoutered during the publication of a blog page. 

The page is XSS vulnerable:
 
http://blog.libero.it/XSS/aux_messaggio.php?msg= 


Step 2.  The attacker sends a link to the victim (e.g. inviting him to have a look at a content of his personal community space). 
The link is so made:

http://blog.libero.it/XSS/login.php?rest=1&loginbox=login_riservato&from=http%3A%2F%2Fblog.libero.it%2FXSS%2Faux_messaggio.php%3Fmsg%3D%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%26nocache%3D1175124994 

this links uses a second vuln of the portal that lacks of access control to private pages (a normal user should not can access to an admin page of my blog) to redirect the user to the XSS page.

Step 3. The javascript embedded in the URL:
- reads the cookie of the user
- sends it to the attacker phishing site
- redirect the request to the phishin site

Step 4. The phishing site present the Libero login form, pretending the password typed is not correct.

As the redirect comes from a REAL Libero,it AUTH page the secnario is extremely realistic.....




Second Vunerability
-----------------------

Same XSS problems are present in www.infostrada.it servers, with a 
serious XSS vulnerability exploitable in a page used for subscribe to
the service:

 
pref=02&tel=%3Cscript%3Ealert(%22a%22)%3C/script%3E&offer=HI>

The parameter "tel=" for the phone number is unchecked for ANY script.
Wrong, wrong, wrong, wrong. :)




Third vulnerability
----------------------

Problems in Libero are not, though,  limited to JS and XSS scripts for
Phishing purpose.
Infostrada.it servers  are prone
to SQL errors for unchecked values:

 

Errors reported are prone to information leaking about Environment.
Take these lines for
example:

> PLSQL_GATEWAY=WebDb
> GATEWAY_IVERSION=2
> SERVER_SOFTWARE=Oracle HTTP Server Powered by Apache/1.3.12 (Unix) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24
> GATEWAY_INTERFACE=CGI/1.1
> SERVER_PORT=80

Same SQL problem is present in <155.libero.it> eg:

 


Fourth vulnerability
----------------------
The domain 155.libero.it allows customers of Wind (a fixed and mobile
telecom Italian operator) to manage their own telephone lines.

During the authentication session attention was given only to the
security of the data transfer (HTTPS), but the security of the
application itlself was neglected.

Submitting the login the form, all data are sent to a page which
performs a first validation. This page creates a form with the data
needed for the authentication, without validating the data themselves
though.
Usually, the entered username gets checked by the system, leaving the
password to itself, for what concerns both the length and the contents.

Therefore, it is possibile to inject, through the "password" field
JavaScript code to create the XSS.

A PoC of the URL is as follows:
https://libero.it/pls/portal30/w155.pkg_authentication.Login_url?p_requested_url=/pls/portal30/w155.home&site2pstoretoken=&ssousername=anyrandomname&password=">
http://www.matteoflora.com Matteo Carli (fourth vuln) matteo at matteocarli dot com http://www.matteocarli.com <--end-->


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH