Ebuddy Web Messenger Disclosure / CSRF

2013-09-04T00:00:00
ID PACKETSTORM:123083
Type packetstorm
Reporter Juan Carlos Garcia
Modified 2013-09-04T00:00:00

Description

                                        
                                            `===============================================================================================================================================================================================  
Ebuddy Web Messenger Index of Disclosure / htaccess file readable / HTML Form without CSRF Protection / User Credential sent in clear text  
===============================================================================================================================================================================================  
  
  
I. VULNERABILITY  
-------------------------  
#Title: Ebuddy htaccess file readable / HTML Form without CSRF Protection / User Credential sent in clear text  
  
#Vendor:httpS://www.ebuddy.com/  
  
#Author:Juan Carlos García (@secnight)  
  
#Follow me   
http://www.highsec.es  
Twitter:@secnight  
  
II. DESCRIPTION  
-------------------------  
  
XMS: Free, real-time messaging app for smartphones  
  
Unlimited messaging through your Internet connection  
  
Message any way you want with text, pictures, videos, location and more.  
  
Brought to you by the messaging pros at eBuddy  
  
  
  
III. PROOF OF CONCEPT  
-------------------------  
  
Index of / Disclosure  
*********************  
  
http://web.ebuddy.com/?startsession=1  
  
  
  
htaccess file readable  
***********************  
  
Vulnerability description  
--------------------------  
  
This directory contains an .htaccess file that is readable. This may indicate a server misconfiguration. htaccess files   
are designed to be parsed by web server and should not be directly accessible. These files could contain sensitive information   
that could help an attacker to conduct further attacks. It's recommended to restrict access to this file.  
  
Affected items  
  
/   
  
The impact of this vulnerability  
---------------------------------  
  
Sensitive information disclosure.  
  
Request  
  
GET /.htaccess HTTP/1.1  
Cookie: language=en-GB; e_network=MASTER  
  
Html Response  
-------------  
  
DirectoryIndex index.html ErrorDocument 404 /404.html # Turning on the rewrite engine is necessary for the following rules and features. # FollowSymLinks must be enabled for this to work. Options +FollowSymlinks RewriteEngine On #   
  
Rewrite "www.example.com -> example.com" RewriteCond %{HTTPS} !=on RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L] RewriteRule ^(feedback/) - [L] RewriteRule ^(php/) - [L] RewriteRule ^(.*)\.php$   
  
/$1.html [R=301,L] RewriteRule ^advertising/(.*)$ /advertising.html [L,R=301] RewriteRule ^iphone(.*)$ /products.html [L,R=301] RewriteRule ^android(.*)$ /products.html [L,R=301] RewriteRule ^mobile(.*)$ /products.html [L,R=301]   
  
RewriteRule ^ebuddy_id(.*)$ /index.html [L,R=301] RewriteRule ^webmessenger(.*)$ /index.html [L,R=301] RewriteRule ^landing/(.*)$ /picture.html [L,R=301] RewriteRule ^psp(?:/.*)?$ http://m.ebuddy.com/psp [L,R=301] # fd=1 --> force   
  
desktop website RewriteCond %{QUERY_STRING} !"(?:^|&)fd=(?:1|true)(?:&|$)" [NC] RewriteCond %{HTTP_USER_AGENT} !"googlebot" [NC] RewriteCond %{HTTP_ACCEPT} "text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR] RewriteCond   
  
%{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "windows ce|psp|nitro|symbian|nintendo|htc|mobile|nokia|mot-|sonyerricson|samsung|alcatel|opera mini|  
  
j2me|midp-|cldc-|netfront" [NC] RewriteRule (^$|^index.html$) http://m.ebuddy.com/ [L,R=302] RewriteCond %{QUERY_STRING} !"(?:^|&)fd=(?:1|true)(?:&|$)" [NC] RewriteCond %{HTTP_USER_AGENT} !"googlebot" [NC] RewriteCond %{HTTP_ACCEPT}   
  
"text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "windows ce|psp|nitro|  
  
symbian|nintendo|htc|mobile|nokia|mot-|sonyerricson|samsung|alcatel|opera mini|j2me|midp-|cldc-|netfront" [NC] RewriteRule (^picture.html$) http://m.ebuddy.com/landing.php [L,R=302] #### ## Unknown stuff #### #   
  
---------------------------------------------------------------------- # Better website experience for IE users # ---------------------------------------------------------------------- # Force the latest IE version, in various cases when   
  
it may fall back to IE7 mode # github.com/rails/rails/commit/123eb25#commitcomment-118920 # Use ChromeFrame if it's installed for a better experience for the poor IE folk Header set X-UA-Compatible "IE=Edge,chrome=1" # mod_headers can't   
  
match by content-type, but we don't want to send this header on *everything*... Header unset X-UA-Compatible # ---------------------------------------------------------------------- # CORS-enabled images (@crossorigin) #   
  
---------------------------------------------------------------------- # Send CORS headers if browsers request them; enabled by default for images. # developer.mozilla.org/en/CORS_Enabled_Image # blog.chromium.org/2011/07/using-cross-  
  
domain-images-in-webgl-and.html # hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/ # wiki.mozilla.org/Security/Reviews/crossoriginAttribute # mod_headers, y u no match by Content-Type?! SetEnvIf   
  
Origin ":" IS_CORS Header set Access-Control-Allow-Origin "*" env=IS_CORS # ---------------------------------------------------------------------- # Webfont access # ----------------------------------------------------------------------   
  
# Allow access from all domains for webfonts. # Alternatively you could only whitelist your # subdomains like "subdomain.example.com". Header set Access-Control-Allow-Origin "*" #   
  
---------------------------------------------------------------------- # Gzip compression # ---------------------------------------------------------------------- # Force deflate for mangled headers   
  
developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/ SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding RequestHeader append Accept-Encoding   
  
"gzip,deflate" env=HAVE_Accept-Encoding # HTML, TXT, CSS, JavaScript, JSON, XML, HTC: FilterDeclare COMPRESS FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css   
  
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml FilterProvider COMPRESS DEFLATE resp=Content-Type $text/x-component FilterProvider COMPRESS DEFLATE resp=Content-  
  
Type $application/javascript FilterProvider COMPRESS DEFLATE resp=Content-Type $application/json FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xhtml+xml   
  
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/rss+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/atom+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/vnd.ms-fontobject   
  
FilterProvider COMPRESS DEFLATE resp=Content-Type $image/svg+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $image/x-icon FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-font-ttf FilterProvider COMPRESS DEFLATE   
  
resp=Content-Type $font/opentype FilterChain COMPRESS FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no # Legacy versions of Apache AddOutputFilterByType DEFLATE text/html text/plain text/css application/json AddOutputFilterByType   
  
DEFLATE application/javascript AddOutputFilterByType DEFLATE text/xml application/xml text/x-component AddOutputFilterByType DEFLATE application/xhtml+xml application/rss+xml application/atom+xml AddOutputFilterByType DEFLATE image/x-  
  
icon image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype # ---------------------------------------------------------------------- # Expires headers (for better cache control) #   
  
---------------------------------------------------------------------- # These are pretty far-future expires headers. # They assume you control versioning with cachebusting query params like #   
  
HTML form without CSRF protection  
********************************  
  
  
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as   
CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted  
from a user that the website trusts.  
  
  
Affected items  
  
/   
/ar   
/bg-ID   
/bs   
/cs   
/da   
/de   
/el   
/es   
/et   
/fa   
/fr   
/he   
/hu   
/id   
/is   
/it   
/ms   
/nl   
/no   
/pl   
/pt   
/pt-BR   
/ro   
/ru   
/sk   
/sl   
/sv   
/th   
/tr   
/vi   
/zh   
/zh-TW   
  
  
The impact of this vulnerability  
---------------------------------  
An attacker may force the users of a web application to execute actions of the attacker's choosing.  
A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end   
user is the administrator account, this can compromise the entire web application.  
  
  
  
Example  
  
Affected items  
/  
  
  
Attack details  
Form name: login-form  
Form action: http://www.ebuddy.com/  
Form method: POST  
  
Form inputs:  
  
username [Text]  
password [Password]  
remember [Checkbox]  
signinoffline [Checkbox]  
network [Hidden]  
  
  
User credentials are sent in clear text  
***************************************  
  
  
Vulnerability description  
------------------------  
User credentials are transmitted over an unencrypted channel.   
This information should always be transferred via an encrypted channel (HTTPS)   
to avoid being intercepted by malicious users.  
  
Affected items  
--------------  
  
/   
/ar   
/bg-ID   
/bs   
/cs   
/da   
/de   
/el   
/es   
/et   
/fa   
/fr   
/he   
/hu   
/id   
/is   
/it   
/ms   
/nl   
/no   
/pl   
/pt   
/pt-BR   
/ro   
/ru   
/sk   
/sl   
/sv   
/th   
/tr   
/vi   
/zh   
/zh-TW   
  
The impact of this vulnerability  
---------------------------------  
  
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection  
  
Example:  
  
Affected Item  
  
/  
  
Attack details  
Form name: login-form  
Form action: http://www.ebuddy.com/  
Form method: POST  
  
Form inputs:  
  
username [Text]  
password [Password]  
remember [Checkbox]  
signinoffline [Checkbox]  
network [Hidden]  
  
  
  
IV. BUSINESS IMPACT  
-------------------------  
This type of failure Messengers line they have so many customers are extremely dangerous because they   
can be a serious impact on customers and users  
  
V SOLUTION  
------------------------  
Write Secure Code  
  
  
VI. CREDITS  
-------------------------  
  
This vulnerability has been discovered  
by Juan Carlos García(@secnight)  
  
Special Thnaks:Perseo  
  
VII. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`