Geonick Social Network Clickjacking / Credential Disclosure

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1044505 漏洞类型
发布时间 2013-08-30 更新时间 2013-08-30
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2013080238
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
GEONICK SOCIAL-NETWORK Insecure crossdomain.xml file / Clickjacking: X-Frame-Options header missing / User credentials are sent in clear text

Time-Line Vulnerability
***********************

Multiple Advisories but NOT RESPONSE

Then

Full Disclosure

I-VULNERABILITY
-------------------------

#Title: GEONICK SOCIAL-NETWORK Insecure crossdomain.xml file / Clickjacking: X-Frame-Options header missing / User credentials are sent in clear text/

#Vendor:http://geonick.com

#Author:Juan Carlos Garca (@secnight)

#Follow me 

 http://www.highsec.es
 http://hackingmadrid.blogspot.com
Twitter:@secnight



II-Introduction:
================
Geonick is a Spanish social network and a search engine that lets you find people around you or far corners that share your interests,
hobbies and interests.

Geonick is a free social network that offers an option some advanced features and payment.

Literal : ""Because we believe in the Internet, in social relations, information sharing and the exchange of messages
but we believe that all this can be based on respect for the individual, his privacy."



====================
III-PROOF OF CONCEPT
====================


Attack details
--------------

Insecure crossdomain.xml file
******************************

The browser security model normally prevents web content from one domain from accessing data from another domain.
This is commonly known as the "same origin policy". URL policy files grant cross-domain permissions for reading data.
They permit operations that are not permitted by default. The URL policy file is located, by default, in the root directory
of the target server, with the name crossdomain.xml (for example, at www.example.com/crossdomain.xml). 

When a domain is specified in crossdomain.xml file, the site declares that it is willing to allow the operators of any servers
in that domain to obtain any document on the server where the policy file resides. The crossdomain.xml file deployed on this website
opens the server to all domains (use of a single asterisk "*" as a pure wildcard is supported) like so: 

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit
access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies.
Sites that use the common practice of authentication based on cookies to access private or user-specific data should be especially
careful when using cross-domain policy files.


Attack details
--------------
The crossdomain.xml file is located at /crossdomain.xml (2)

GET /crossdomain.xml HTTP/1.1
Host: geonick.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Response

HTTP/1.1 200 OK

Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough
/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.35 mod_fcgid/2.3.6
Last-Modified: Tue, 18 Oct 2011 19:37:56 GMT

ETag: "620d41-60-4af97dc318d00"

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>



Clickjacking: X-Frame-Options header missing(2)
***********************************************

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) 
is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they 
are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking 
on seemingly innocuous web pages. 

The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page
in a <frame> or <iframe>.
Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. 

The impact of this vulnerability

The impact depends on the affected web application. 

How to fix this vulnerability

Configure your web server to include an X-Frame-Options header.


User credentials are sent in clear text
*****************************************
User credentials are transmitted over an unencrypted channel.
This information should always be transferred via an encrypted channel (HTTPS)
to avoid being intercepted by malicious users.

Affected items

/ 
/join.php (8dc38e7512b6a37942d44d069e27a3c8) 
/join.php (d8028533028fdeb45b1cce8901809db6) 
/join.php/user=tourist 
/member.php (975a4a1b7430a0d8d05b765506281cce) 
/member.php (f15bbaf05a65fce70291e7e91f71abea) 

The impact of this vulnerability

A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

How to fix this vulnerability

Because user credentials are considered sensitive information, should always be transferred to the server
over an encrypted connection (HTTPS).



IV. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos Garca(@secnight)


V. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.