Zoho Information Disclosure / Mixed Content

15 Jul 2013 00:00:00 | Reported by Juan Carlos Garcia | Type: packetstorm | Source: packetstormsecurity.com

Zoho internal information disclosure and insecure transition from HTTP to HTTPS in forms. The researcher disclosed issues in Zoho's online applications, which serve over 8 million users. The reported weaknesses are responses that lack a Content-Type header and forms served from HTTP pages that submit to HTTPS.

Code
ZOHO INTERNAL INFORMATION DISCLOSURE - Content type is not specified / INSECURE TRANSITION FROM HTTP TO HTTPS IN FORM
==================================================================================================================================================  
  
  
Report-Timeline:  
================  
2013-07-01: Researcher Notification   
2013-07-02: RESPONSE  
2013-07-05: Ask About the issues  
2013-07-06: Vendor Feedback  
2013-07-10: Not Fixed  
2013-07-12: Full Disclosure  
  
  
I-VULNERABILITIES  
======================  
  
#Title: ZOHO INTERNAL INFORMATION DISCLOSURE - Content type is not specified / INSECURE TRANSITION FROM HTTP TO HTTPS IN FORM

#Vendor: httpS://www.zoho.com

#Author: Juan Carlos García (@secnight)

#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
Twitter: @secnight
  
  
II-Introduction:  
======================  
  
1-To date, Zoho.com has launched 25+ online applications — from CRM to Mail, Office Suite, Project Management, Invoicing, Web conferencing and more.  
Zoho has received numerous awards, including an InfoWorld 2009 "Product of the Year" award, a 2008 PC World "25 Most Innovative Products Award"   
and a 2007 TechCrunch "Best Enterprise Start-up."  
  
Zoho uses an open application programming interface for its Writer, Sheet, Show, Creator, Meeting, and Planner products.  
It also has plugins into Microsoft Word and Excel, an OpenOffice.org plugin, and a plugin for Firefox.  
  
More than 8 million users work online with Zoho.
  
2-Components  
  
2.1 Zoho Writer  
2.2 Zoho Sheet  
2.3 Zoho Reports  
2.4 Zoho Show  
2.5 Zoho Projects  
2.6 Zoho BugTracker  
2.7 Zoho CRM  
2.8 Zoho Invoice  
2.9 Zoho Creator  
2.10 Zoho Wiki  
2.11 Zoho Discussions  
2.12 Zoho Planner  
2.13 Zoho Notebook  
2.14 Zoho Chat  
2.15 Zoho Mail  
2.16 Zoho Meeting  
2.17 Zoho People  
2.18 Zoho Books  
2.19 Zoho Docs  
  
  
  
III-PROOF OF CONCEPT  
======================  
  
  
INTERNAL INFORMATION DISCLOSURE -Content type is not specified-  
==============================================================  
  
These pages do not set a Content-Type header. That header tells the browser what kind of data to expect; when it is missing, the browser guesses the type from the content (MIME sniffing) and may handle the data incorrectly, which can lead to security problems.
  
This vulnerability affects  
  
/creator/help/images/contacts.ds.   
  
/*
 * Author : latha
 * Generated on : 02-Nov-2012 14:53:52
 * Version : 3.0
 */
application "Contacts"
{
    allow html = true
    date format = "dd-MMMM-yyyy"
    time zone = "America/Los_Angeles"
    section Home
    {
        form Contacts_Form
        {
            displayname = "Contacts Form"
            captcha = true
            success message = "Data Added Successfully!"
            field alignment = left
            column
            {
                EmpName
                (
                    type = text
                    tooltip = "Web application"
                    width = 200px
                )
                Number_1
                (
                    displayname = "Number 1"
                    type = number
                    maxchar = 2
                    width = 100px
                )
                Email_ID
                (
                    displayname = "Email ID"
                    type = email
                    tooltip = "Web application"
                    width = 200px
                )
                Contact
                (
                    type = decimal
                    maxchar = 99
                    tooltip = "Web application"
                    width = 100px
                )
                DOB
                (
                    type = date
                    tooltip = "Web application"
                    width = 130px
                )
                Country
                (
                    type = text
                    tooltip = "Web application"
                    width = 200px
                )
            }
            column
            {
                Currency_1
                (
                    displayname = "Currency 1"
                    type = USD
                    maxchar = 2
                    width = 100px
                )
            }
            actions
            {
                on add
                {
                    Submit
                    (
                        type = submit
                        displayname = "Submit"
                    )
                    Reset
                    (
                        type = reset
                        displayname = "Reset"
                    )
                }
                on edit
                {
                    Update
                    (
                        type = submit
                        displayname = "Update"
                    )
                    Cancel
                    (
                        type = cancel
                        displayname = "Cancel"
                    )
                }
            }
        }
        list Contacts_Form_View
        {
            displayname = "Contacts Form View"
            show all rows from Contacts_Form
            (
                EmpName as "Name"
                Email_ID as "Email ID"
                Contact, display total
                DOB
                Country
                Number_1 as "Number 1"
                Currency_1 as "Currency 1"
            )
            filters ( DOB )
        }
    }
}
  
  
  
creator/help/images/ical-feed1.ds.   
  
  
BEGIN:VCALENDAR
PRODID:-//ZOHO Creator//iCal Feed//EN
VERSION:2.0
CALSCALE:GREGORIAN
X-WR-TIMEZONE:UTC
X-WR-CALNAME:ICal_View
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:My B`day
DTEND;VALUE=DATE:20120417
ORGANIZER;CN=Test 2:
LOCATION:Chennai
STATUS:confirmed
DTSTART;VALUE=DATE:20120417
CLASS:PUBLIC
UID:1040582/ical-application/ICal_View/204098000002226173/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:Meet test
DTEND;VALUE=DATE:20120218
ORGANIZER;CN=Test 1:
LOCATION:Chennai
STATUS:confirmed
DTSTART;VALUE=DATE:20120215
CLASS:PUBLIC
UID:1040582/ical-application/ICal_View/204098000002226169/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:Rozden Den
DTEND:20100429T055909
ORGANIZER;CN=Tatka:
LOCATION:Aprilovo
STATUS:confirmed
DTSTART:20100428T205905
CLASS:PUBLIC
UID:1040582/ical-application/ICal_View/204098000001243011/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:Summ
DTEND;VALUE=DATE:20100426
ORGANIZER;CN=Hristo:
LOCATION:Btv
STATUS:tentative
DTSTART;VALUE=DATE:20100426
CLASS:PRIVATE
UID:1040582/ical-application/ICal_View/204098000001243007/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:No summary
DTEND:20100426T144354
ORGANIZER;CN=Stefan Stoychev:
LOCATION:Here
STATUS:tentative
DTSTART:20100425T204350
CLASS:PUBLIC
UID:1040582/ical-application/ICal_View/204098000001243003/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:Week end trip
DTEND;VALUE=DATE:20090921
ORGANIZER;CN=Stephen:
LOCATION:New york
STATUS:confirmed
DTSTART;VALUE=DATE:20090919
CLASS:PRIVATE
UID:1040582/ical-application/ICal_View/204098000000601326/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:Public sector meeting
DTEND:20090910T143000
ORGANIZER;CN=John:
LOCATION:US
STATUS:confirmed
DTSTART:20090910T113000
CLASS:PUBLIC
UID:1040582/ical-application/ICal_View/204098000000601322/@zohocreator.com
END:VEVENT
END:VCALENDAR
  
  
  
/creator/help2/images/ical-feed1.ds.   
  
(identical content to creator/help/images/ical-feed1.ds above)
  
  
/creator/help2/images/contacts.ds.   
  
(identical content to /creator/help/images/contacts.ds above)
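The following is an added example, not part of the original advisory, showing how a defender can audit responses for the weakness described above: a missing Content-Type header combined with a missing X-Content-Type-Options: nosniff header, which lets the browser guess the type. The sample responses and paths are constructed for this example (the body contents are modelled on the kinds of files listed above but are not copied from them), and the sniffing guesser is deliberately minimal.

```python
"""Audit HTTP response headers for an undeclared Content-Type.

Added example (not from the advisory): given a response's headers and the
leading bytes of its body, report whether the server declared a Content-Type,
whether it also sent X-Content-Type-Options: nosniff, and, when Content-Type
is absent, what a sniffing browser would probably treat the body as.
"""
from typing import Dict, List


def sniff_guess(body: bytes) -> str:
    """Tiny imitation of a browser MIME sniffer, used only to illustrate why an
    undeclared type is risky. Real sniffers check many more signatures."""
    head = body.lstrip()[:64].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html") or b"<script" in head:
        return "text/html"        # worst case: the file is rendered as a page
    if head.startswith(b"begin:vcalendar"):
        return "text/calendar"
    if head.startswith(b"%pdf-"):
        return "application/pdf"
    return "text/plain"


def audit_content_type(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    ctype = lowered.get("content-type")
    if ctype is None:
        findings.append(
            "Content-Type header missing; a browser would sniff the body and "
            f"probably treat it as {sniff_guess(body)}"
        )
    elif ctype.split(";")[0].strip().startswith("text/") and "charset=" not in ctype.lower():
        findings.append("Content-Type is a text type but declares no charset")
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing; sniffing is not disabled")
    return findings


# Constructed sample responses (hypothetical paths and bodies, not captured data).
SAMPLE_RESPONSES = {
    "/creator/help/images/contacts.ds": (
        {"Server": "example", "Content-Length": "48"},          # no Content-Type at all
        b'/* Author : someone */ application "Contacts" { }',
    ),
    "/creator/help/images/ical-feed1.ds": (
        {"Content-Type": "text/calendar; charset=utf-8",        # hardened response
         "X-Content-Type-Options": "nosniff"},
        b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nEND:VCALENDAR\r\n",
    ),
    "/uploads/user-note.txt": (
        {"Content-Length": "31"},                                # untyped, HTML-looking body
        b"<html><body>hello</body></html>",
    ),
}


def audit_all(responses=SAMPLE_RESPONSES) -> Dict[str, List[str]]:
    """Run the audit over every sample response and map path -> findings."""
    return {path: audit_content_type(hdrs, body) for path, (hdrs, body) in responses.items()}


if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, "->", findings or ["OK"])
```

The third sample is the case worth fixing first: an untyped body that starts with HTML would be rendered in the origin of the site that served it, so the remediation is to send an explicit Content-Type (with charset for text types) and X-Content-Type-Options: nosniff on every response, not only on the ones that look like documents.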
  
  
  
INSECURE TRANSITION FROM HTTP TO HTTPS IN FORM   
================================================  
  
These forms are served from insecure (HTTP) pages. Such a page can be hijacked with a man-in-the-middle attack, and an attacker can replace the form target so that submitted data no longer reaches the intended HTTPS endpoint.
  
(Too Many Affected Items ... )  
  
Examples:  
  
/announcements/blog/2009-webware-100-awards-vote-for-zoho.html   
/announcements/blog/add-footnotes-endnotes-to-your-zoho-writer-documents.html   
/announcements/blog/adventnet-inc-is-now-zoho-corporation.html   
/announcements/blog/a-faster-way-to-file-bugs-in-bugtracker.html   
/announcements/blog/a-million-toons-at-toondoo.html   
/announcements/blog/annnouncing-zoho-business.html   
/announcements/blog/announcement-zoho-forums-migration.html   
/announcements/blog/announcing-the-do-it-yourself-dabble-db-migration-tool.html   
/announcements/blog/announcing-zoho-discussions.html   
/announcements/blog/announcing-zoholics-zoho-user-conference.html   
/announcements/blog/announcing-zoho-meeting.html   
/announcements/blog/announcing-zoho-notebook.html   
/announcements/blog/announcing-zoho-pulse-a-private-social-network-for-your-business.html   
/announcements/blog/announcing-zoho-show-20.html   
/announcements/blog/announcing-zoho-support-web-based-help-desk-software-ticket-management-and-self-service-portal.html   
/announcements/blog/announcing-zoho-survey-easily-create-professional-surveys-collect-data-and-make-smarter-decisions.html   
/announcements/blog/automatic-payment-reminders-for-invoices.html   
/announcements/blog/baihui-distributes-zoho-apps-in-china.html   
/announcements/blog/barcamp-at-chennai.html   
/announcements/blog/berryforms-esurvey-integrates-zoho-reports.html   
/announcements/blog/better-import-and-embed-options-in-zoho-show.html   
/announcements/blog/boxnet-integrates-zoho.html   
/announcements/blog/bug-tracking.html   
/announcements/blog/case-study-how-zoho-reports-helps-optimize-globos-tv-programming.html   
/announcements/blog/cloudave-launches-focusing-on-business-apps-on-the-cloud.html   
/announcements/blog/copy-database-html-import-intelligent-chart-creation-and-themes-support-in-zoho-db-reports.html   
/announcements/blog/create-zoho-creator-web-apps-from-microsoft-access-database.html   
/announcements/blog/dabble-db-customers-migration-offer-from-zoho-creator.html   
/announcements/blog/demo-account-in-zoho-writer-removed.html   
/announcements/blog/discontinuing-support-for-ie6-in-zoho-applications-and-browser-share-for-saas-apps-is-different.html   
/announcements/blog/eating-ones-own-dog-food.html   
/announcements/blog/facebook-connect.html   
/announcements/blog/format-your-columns-as-you-like-in-zoho-db-reports.html   
/announcements/blog/general/general/general/page/2   
/announcements/blog/general/general/general/page/3   
/announcements/blog/general/general/page/10   
/announcements/blog/general/general/page/11   
/announcements/blog/general/general/page/12   
/announcements/blog/general/general/page/13   
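As an added example (not code from the advisory), the following check detects the pattern described in this section: a form embedded in a page fetched over HTTP whose action points at HTTPS. It also labels the neighbouring cases (cleartext submission, and an HTTPS page posting to HTTP) so a crawler can report all three. The page URL and HTML are constructed; the hostnames are placeholders.

```python
"""Classify <form> elements by the transport of the page and of the form target.

Added example, not part of the advisory. Given the URL a page was fetched
from and its HTML, list every form whose submission path is unprotected or
whose page could have been altered in transit before the form is posted.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect (method, action) for each <form> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)  # attribute values may be None when the attribute has no value
        self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))


def classify_forms(page_url: str, html: str) -> List[dict]:
    """Return one record per form with the resolved action and a risk label."""
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = FormCollector()
    parser.feed(html)
    results = []
    for method, action in parser.forms:
        target = urljoin(page_url, action)  # relative actions resolve against the page URL
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme == "http" and target_scheme == "https":
            risk = "insecure-transition"    # page can be modified in transit, target swapped
        elif page_scheme == "http" and target_scheme == "http":
            risk = "cleartext-submission"   # page and submitted data both unprotected
        elif page_scheme == "https" and target_scheme == "http":
            risk = "https-to-http"          # secure page posts to a cleartext endpoint
        else:
            risk = "ok"
        results.append({"method": method, "action": target, "risk": risk})
    return results


# Constructed sample: a blog page served over plain HTTP that embeds a login form
# posting to an HTTPS endpoint, a relative search form, and a subscribe form.
SAMPLE_PAGE_URL = "http://www.example.com/announcements/blog/some-post.html"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://accounts.example.com/login">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/search"><input name="q"></form>
<form method="post" action="https://accounts.example.com/subscribe"></form>
</body></html>
"""


def report(page_url: str = SAMPLE_PAGE_URL, html: str = SAMPLE_HTML) -> List[dict]:
    """Only the forms that need attention."""
    return [f for f in classify_forms(page_url, html) if f["risk"] != "ok"]


if __name__ == "__main__":
    for f in report():
        print(f["risk"], f["method"].upper(), f["action"])
```

The fix for every "insecure-transition" hit is the same: serve the page that carries the form over HTTPS as well (and enable HSTS so the browser never loads it over HTTP again), because an HTTPS action on its own cannot protect a form whose surrounding page was delivered in cleartext.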
  
  
IV. CREDITS  
-------------------------  
  
These vulnerabilities were discovered
by Juan Carlos García (@secnight)
  
  
V. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
