Geonick Social Network Clickjacking / Credential Disclosure

`  
GEONICK SOCIAL-NETWORK Insecure crossdomain.xml file / Clickjacking: X-Frame-Options header missing / User credentials are sent in clear text  
  
Time-Line Vulnerability  
***********************  
  
Multiple Advisories but NOT RESPONSE  
  
Then  
  
Full Disclosure  
  
I-VULNERABILITY  
-------------------------  
  
#Title: GEONICK SOCIAL-NETWORK Insecure crossdomain.xml file / Clickjacking: X-Frame-Options header missing / User credentials are sent in clear text/  
  
#Vendor:http://geonick.com  
  
#Author:Juan Carlos García (@secnight)  
  
#Follow me   
  
http://www.highsec.es  
http://hackingmadrid.blogspot.com  
Twitter:@secnight  
  
  
  
II-Introduction:  
================  
Geonick is a Spanish social network and a search engine that lets you find people around you or far corners that share your interests,  
hobbies and interests.  
  
Geonick is a free social network that offers an option some advanced features and payment.  
  
Literal : ""Because we believe in the Internet, in social relations, information sharing and the exchange of messages  
but we believe that all this can be based on respect for the individual, his privacy."  
  
  
  
====================  
III-PROOF OF CONCEPT  
====================  
  
  
Attack details  
--------------  
  
Insecure crossdomain.xml file  
******************************  
  
The browser security model normally prevents web content from one domain from accessing data from another domain.  
This is commonly known as the "same origin policy". URL policy files grant cross-domain permissions for reading data.  
They permit operations that are not permitted by default. The URL policy file is located, by default, in the root directory  
of the target server, with the name crossdomain.xml (for example, at www.example.com/crossdomain.xml).   
  
When a domain is specified in crossdomain.xml file, the site declares that it is willing to allow the operators of any servers  
in that domain to obtain any document on the server where the policy file resides. The crossdomain.xml file deployed on this website  
opens the server to all domains (use of a single asterisk "*" as a pure wildcard is supported) like so:   
  
<cross-domain-policy>  
<allow-access-from domain="*" />  
</cross-domain-policy>  
  
This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit  
access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies.  
Sites that use the common practice of authentication based on cookies to access private or user-specific data should be especially  
careful when using cross-domain policy files.  
  
  
Attack details  
--------------  
The crossdomain.xml file is located at /crossdomain.xml (2)  
  
GET /crossdomain.xml HTTP/1.1  
Host: geonick.com  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)  
  
Response  
  
HTTP/1.1 200 OK  
  
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough  
/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.35 mod_fcgid/2.3.6  
Last-Modified: Tue, 18 Oct 2011 19:37:56 GMT  
  
ETag: "620d41-60-4af97dc318d00"  
  
<cross-domain-policy>  
<allow-access-from domain="*"/>  
</cross-domain-policy>  
  
  
  
Clickjacking: X-Frame-Options header missing(2)  
***********************************************  
  
Clickjacking (User Interface redress attack, UI redress attack, UI redressing)   
is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they   
are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking   
on seemingly innocuous web pages.   
  
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack.  
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page  
in a <frame> or <iframe>.  
Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.   
  
The impact of this vulnerability  
  
The impact depends on the affected web application.   
  
How to fix this vulnerability  
  
Configure your web server to include an X-Frame-Options header.  
  
  
User credentials are sent in clear text  
*****************************************  
User credentials are transmitted over an unencrypted channel.  
This information should always be transferred via an encrypted channel (HTTPS)  
to avoid being intercepted by malicious users.  
  
Affected items  
  
/   
/join.php (8dc38e7512b6a37942d44d069e27a3c8)   
/join.php (d8028533028fdeb45b1cce8901809db6)   
/join.php/user=tourist   
/member.php (975a4a1b7430a0d8d05b765506281cce)   
/member.php (f15bbaf05a65fce70291e7e91f71abea)   
  
The impact of this vulnerability  
  
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.  
  
How to fix this vulnerability  
  
Because user credentials are considered sensitive information, should always be transferred to the server  
over an encrypted connection (HTTPS).  
  
  
  
IV. CREDITS  
-------------------------  
  
This vulnerability has been discovered  
by Juan Carlos García(@secnight)  
  
  
V. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`