FC2 / Rakuten Cross Site Scripting

`*FC2 & Rakuten Online Websites Multiple XSS (Cross-site Scripting) and Open  
Redirect Cyber Vulnerabilities *  
  
  
  
  
FC2 and Rakuten are the first and second top ranking Japanese local online  
websites. This post introduces several XSS (Cross-site Scripting) and Open  
Redirect bugs of them.  
  
  
  
The Alexa rank of fc2.com is 52 on February 18 2015 and the related rank in  
Japan is 4. The Alexa rank of rakuten.co.jp is 64 on May 29 2015 and the  
related rank is japan is 7.  
  
  
  
  
Discover and Reporter:  
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and  
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),  
Singapore. (@justqdjing)  
http://www.tetraph.com/wangjing  
  
  
  
  
  
  
*(1) FC2 XSS (cross site scripting) & Open Redirect*  
  
  
  
*Domain:*  
blog.fc2.com/  
  
  
"FC2 (founded July 20, 1999) is a popular Japanese blogging host, the third  
most popular video hosting service in Japan (after YouTube and Niconico),  
and a web hosting company headquartered in Las Vegas, Nevada. It is the  
sixth most popular website in Japan overall (as of January 2014). FC2 is an  
abbreviation of "Fantastic Kupi-Kupi (クピクピ)". It is known to allow  
controversial adult content such as pornography and hate speech (unlike  
many of its competitors). The company uses rented office space for its  
headquarters which it shares with many other U.S.-based businesses. It also  
pays taxes in the United States. The physical servers are located in the  
United States. However, it is believed that the majority of the company and  
its users (including employees) are located within Japan" (Wikipedia)  
  
  
The Alexa rank of fc2.com is 52 on February 18 2015. It is the top one  
Japanese local website service.  
  
  
  
  
  
*(1.1) FC2 fc2.com <http://fc2.com> Online Website URLs XSS (cross site  
scripting) Vulnerabilities (All URLs Under Domain blog.fc2.com/tag  
<http://blog.fc2.com/tag>)*  
  
  
  
  
*Vulnerability description:*  
  
FC2 has a computer cyber security bug problem. It is vulnerable to XSS  
attacks. Here is the description of XSS: "Hackers are constantly  
experimenting with a wide repertoire of hacking techniques to compromise  
websites and web applications and make off with a treasure trove of  
sensitive data including credit card numbers, social security numbers and  
even medical records. Cross-site Scripting (also known as XSS or CSS) is  
generally believed to be one of the most common application layer hacking  
techniques Cross-site Scripting allows an attacker to embed malicious  
JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic  
page to fool the user, executing the script on his machine in order to  
gather data. The use of XSS might compromise private information,  
manipulate or steal cookies, create requests that can be mistaken for those  
of a valid user, or execute malicious code on the end-user systems. The  
data is usually formatted as a hyperlink containing malicious content and  
which is distributed over any possible means on the internet." (Acunetix)  
  
  
  
  
The programming code flaw occurs at fc2 URLs' filenames . Fc2 only filter  
part of the filenames in the urls. Almost all urls are affected under  
domain blog.fc2.com/tag are affected. i.e.  
http://blog.fc2.com/tag/drug/  
http://blog.fc2.com/tag//アメリカ/  
http://blog.fc2.com/tag/tag/翻訳  
http://blog.fc2.com/tag//>レシピブログに参加中♪  
  
  
  
The vulnerability can be attacked without user login. Tests were performed  
on Firefox (37.02) in Ubuntu (14.04) and IE (9.0.15) in Windows 7.  
  
  
POC Code:  
http://blog.fc2.com/tag/drug//"><img src=x onerror=prompt('justqdjing')>  
http://blog.fc2.com/tag//アメリカ//"><img src=x onerror=prompt('justqdjing')>  
http://blog.fc2.com/tag/tag/翻訳//"><img src=x onerror=prompt('justqdjing')>  
http://blog.fc2.com/tag//>レシピブログに参加中//"><img src=x  
onerror=prompt('justqdjing')>  
  
  
  
  
  
  
  
*Poc Video:*  
https://www.youtube.com/watch?v=jQ8dLbno6JQ  
  
  
*Blog Detail:*  
http://tetraph.com/security/xss-vulnerability/fc2-blog-xss/  
http://securityrelated.blogspot.com/2015/06/fc2-fc2com-online-website-urls-xss.html  
  
  
  
  
  
  
  
*(1.2) FC2 Online Web Service Open Redirect (Unvalidated Redirects and  
Forwards) Cyber Security Vulnerabilities*  
  
  
  
*(1.2.1) Vulnerability Description:*  
  
FC2 online web service has a computer cyber security bug problem. It can be  
exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks.  
Here is the description of Open Redirect: "An open redirect is an  
application that takes a parameter and redirects a user to the parameter  
value without any validation. This vulnerability is used in phishing  
attacks to get users to visit malicious sites without realizing it." One  
consequences of it is Phishing. (OWASP)  
  
  
The program code flaw can be attacked without user login. Tests were  
performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox  
(37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2)，Apple  
Safari 6.1.6 of Mac OS X v10.9 Mavericks.  
  
  
In fact, during the test, it is not hard to find URL Redirection bugs in  
FC2. Maybe fc2.com pays little attention to mitigate these Vulnerabilities.  
These bugs were found by using URFDS.  
  
  
  
  
  
*(1.2.2)* Use one of webpages for the following tests. The webpage address  
is "http://securitypost.tumblr.com/". Can suppose that this webpage is  
malicious.  
  
  
Vulnerable URL 1:  
http://blog.fc2.com/?jump=http%3A%2F%2Ffc2.com%2F  
  
POC Code:  
http://blog.fc2.com/?jump=http://www.tetraph.com/essayjeans/poems/distance.html  
  
  
  
Vulnerable URL 2:  
http://blogranking.fc2.com/out.php?id=104304&url=http%3A%2F%2Ffc2.com%2F  
  
POC Code:  
http://blogranking.fc2.com/out.php?id=104304&url=http://www.tetraph.com/essayjeans/poems/distance.html  
  
  
  
  
  
  
*Poc Video:*  
https://www.youtube.com/watch?v=r8vU2Z-ueQI  
  
  
*Blog Detail:*  
http://tetraph.com/security/open-redirect/fc2-service-open-redirect/  
http://securityrelated.blogspot.com/2015/06/fc2-online-web-service-open-redirect.html  
  
  
  
  
  
*(1.3) Vulnerability Disclosure:*  
Those vulnerabilities were reported to [email protected] in 2014.  
No one replied. Until now, they are still unpatched.  
  
  
  
  
  
  
  
  
  
*(2) Rakuten XSS (cross site scripting) & Open Redirect*  
  
  
  
  
*Domain:*  
rakuten.com  
  
"Rakuten, Inc. (楽天株式会社 Rakuten Kabushiki-gaisha?) is a Japanese electronic  
commerce and Internet company based in Tokyo, Japan. Its B2B2C e-commerce  
platform Rakuten Ichiba is the largest e-commerce site in Japan and among  
the world’s largest by sales. Hiroshi Mikitani founded the company in  
February 1997 as MDM, Inc., and is still its chief executive. Rakuten  
Shopping Mall (楽天市場 Rakuten Ichiba?) started operations in May 1997. In  
June 1999, the company changed its name to Rakuten, Inc. The Japanese word  
rakuten means optimism. In 2012, the company's revenues totaled US$4.6  
billion with operating profits of about US$244 million. In June 2013,  
Rakuten, Inc. reported it had a total of 10,351 employees worldwide. In  
2005, Rakuten started expanding outside Japan, mainly through acquisitions  
and joint ventures. Its acquisitions include Buy.com (now Rakuten.com  
Shopping in the US), Priceminister (France), Ikeda (now Rakuten Brasil),  
Tradoria (now Rakuten Deutschland), Play.com (UK), Wuaki.tv (Spain), and  
Kobo Inc. (Canada). The company has investments in Pinterest, Ozon.ru, AHA  
Life, and Daily Grommet." (Wikipedia)  
  
  
The Alexa rank of rakuten.co.jp is 64 in May 29 2015. It is the second top  
Japanese local service website.  
  
  
  
  
  
*(2.1) Rakuten Website Search Page XSS (cross site scripting) Web Security  
Vulnerability*  
  
*(2.1.1) Vulnerability description:*  
rakuten.de has a computer science security bug problem. It is vulnerable to  
XSS attacks. Here is the description of XSS: "Cross-Site Scripting (XSS)  
attacks are a type of injection, in which malicious scripts are injected  
into otherwise benign and trusted web sites. XSS attacks occur when an  
attacker uses a web application to send malicious code, generally in the  
form of a browser side script, to a different end user. Flaws that allow  
these attacks to succeed are quite widespread and occur anywhere a IEEE web  
application uses input from a user within the output it generates without  
validating or encoding it." (OWSAP)  
  
  
  
  
  
  
*(2.1.2) *The program code flaw occurs at "&q" parameter in at  
"suchen/asd/?" pages, i.e.  
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=reddit_nice_music_news  
  
  
  
The vulnerability can be attacked without user login. Tests were performed  
on Firefox (37.02) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 7. The  
bugs were found by using CSXDS.  
  
  
Vulnerable URLs:  
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=adcash_shopping_payment  
  
  
POC Code:  
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=adcash_shopping_payment'  
/"><img src=x onerror=prompt(/tetraph/)>  
  
  
  
  
  
  
*Poc Video:*  
https://www.youtube.com/watch?v=FK7nmuRupJI  
  
  
*Blog Detail:*  
https://vulnerabilitypost.wordpress.com/2015/06/11/rakuten-xss/  
http://securityrelated.blogspot.com/2015/06/rakuten-website-search-page-xss-cross.html  
  
  
  
  
  
  
*(2.1.3) Vulnerability Disclosure:*  
Those vulnerabilities are patched now.  
  
  
  
  
  
  
  
*(2.2) Rakuten Online Website Open Redirect (URL Redirection) Cyber  
Security Vulnerabilities*  
  
  
  
*(2.2.1) Vulnerability Description:*  
  
Rakuten online website has a computer engineering security bug problem. It  
can be exploited by URL Redirection (Unvalidated Redirects and Forwards)  
attacks. Here is the description of Open Redirect: "A web application  
accepts a user-controlled input that specifies a link to an external site,  
and uses that link in a Redirect. This simplifies phishing attacks. An http  
parameter may contain a URL value and could cause the web application to  
redirect the request to the specified URL. By modifying the URL value to a  
malicious site, an attacker may successfully launch a phishing scam and  
steal user credentials. Because the server name in the modified link is  
identical to the original site, phishing attempts have a more trustworthy  
appearance." (From CWE)  
  
  
"The Full Disclosure mailing list is a public forum for detailed discussion  
of vulnerabilities and exploitation techniques, as well as tools, papers,  
news, and events of interest to the community. FD differs from other  
security lists in its open nature and support for researchers' right to  
decide how to disclose their own discovered bugs. The full disclosure  
movement has been credited with forcing vendors to better secure their  
products and to publicly acknowledge and fix flaws rather than hide them.  
Vendor legal intimidation and censorship attempts are not tolerated here!"  
A great many of the fllowing web securities have been published here,  
Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL  
injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated  
Redirects and Forwards, Information Leakage, Denial of Service, File  
Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML  
Injection, Spam.  
  
  
The program code flaw can be attacked without user login. Tests were  
performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox  
(37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2)，Apple  
Safari 6.1.6 of Mac OS X v10.9 Mavericks.  
  
  
Since know only a little Japanese, not sure whether Rakuten pays much  
attention to Open Redirect Vulnerabilities or not.  
  
  
  
  
  
*(2.2.2)* Use one of webpages for the following tests. The webpage address  
is "http://www.inzeed.com/kaleidoscope/". Can suppose that this webpage is  
malicious.  
  
  
  
Vulnerable URL 1:  
http://account.rakuten-sec.co.jp/cgi-bin/btracking?URL=https://www.netflix.com/movies/  
  
POC Code:  
http://account.rakuten-sec.co.jp/cgi-bin/btracking?URL=http://www.inzeed.com/kaleidoscope/  
  
  
  
  
Vulnerable URL 2:  
http://affiliate.rakuten.com/fs-bin/click?u1=no_refer&id=Jv*v1/Wldzg&subid=0&offerid=229300.1&type=10&tmpid=6933&RD_PARM1=http%3A%2F%2Fadcash.com%2fmoney  
  
POC Code:  
http://affiliate.rakuten.com/fs-bin/click?u1=no_refer&id=Jv*v1/Wldzg&subid=0&offerid=229300.1&type=10&tmpid=6933&RD_PARM1=http://www.inzeed.com/kaleidoscope/  
  
  
  
  
Vulnerable URL 3:  
http://clickfrom.rakuten.com/default.asp?adid=17379&sURL=http%3A%2F%2Fwww.craigslist.org  
  
POC Code:  
http://clickfrom.rakuten.com/default.asp?sURL=http://www.inzeed.com/kaleidoscope/  
  
  
  
  
  
  
*Poc Video:*  
https://www.youtube.com/watch?v=uxsuLgAdpCw  
  
  
*Blog Detail:*  
http://tetraph.com/security/open-redirect/rakuten-open-redirect/  
http://securityrelated.blogspot.com/2015/06/rakuten-open-redirect.html  
  
  
  
  
  
*(2.2.3) Vulnerability Disclosure:*  
Those vulnerabilities are not patched now.  
  
  
  
  
  
  
  
  
*More Details:*  
http://tetraph.com/security/web-security/fc2-rakuten-xss-and-url-redirection/  
http://securityrelated.blogspot.com/2015/06/fc2-rakuten-online-websites-multiple.html  
  
  
  
  
  
  
--  
Jing Wang,  
Division of Mathematical Sciences (MAS),  
School of Physical and Mathematical Sciences (SPMS),  
Nanyang Technological University (NTU),  
Singapore.  
http://www.tetraph.com/wangjing/  
https://twitter.com/justqdjing  
  
  
`