BarackObama Online Service - Persistent Web Vulnerability

2011-09-11T00:00:00
ID VULNERLAB:270
Type vulnerlab
Reporter Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
Modified 2011-09-11T00:00:00

Description

Document Title:
===============
BarackObama Online Service - Persistent Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=270
http://www.acunetix.com/blog/news/obama-email-servers-hacked-xss/


Release Date:
=============
2011-09-11


Vulnerability Laboratory ID (VL-ID):
====================================
270


Common Vulnerability Scoring System:
====================================
5.7


Abstract Advisory Information:
==============================
The Vulnerability-Lab team discovered a persistent web vulnerability in BarackObama's official website service.


Vulnerability Disclosure Timeline:
==================================
2011-08-30:	Vendor Notification
2011-09-19:	Vendor Response/Feedback
2011-**-**:	Vendor Fix/Patch
2011-09-12:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A persistent, high(-) priority input validation vulnerability was detected in BarackObama's official website service.
An attacker can craft malicious requests that pass through the backend unparsed and are then displayed in outgoing
info@barackobama.com mail. Attackers can hijack (steal) the backend sessions of portal users/admins and can send malicious
mails from the original mailbox.


Vulnerable Module(s):
						[+] Signup Volunteer 2012 - BackEnd; Username;Mail & Video

Affected by Bug(s):
						[+] Mail/Website output & multiple other website modules with the same user value output


Pictures:
						../1.png


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers. For demonstration or to reproduce ...

Reproduce manually ...
Register on the volunteer form on the website with a username & mail that contain [Script Code] tags.
When the malicious content passes through the backend, the script code gets executed out of the website content or mail.
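As an added example, not part of the advisory, here is a Python scanner that a mail-operations or incident-response team could run over captured .eml files like the one reviewed below to flag user-supplied active markup that reached the Subject line or the message body. The sample message is constructed (sender, recipient and MIME boundary are placeholders); it reuses the iframe string from the advisory's capture and keeps the quoted-printable soft line break, so the scanner has to decode the transfer encoding before matching, which a plain grep over the raw file would miss.

```python
# Added example (not the advisory's or the vendor's code): scan a captured .eml for
# user-supplied active markup that a mailer has pasted into its Subject or body.
import email
import re
from email import policy

# Constructed sample message; addresses and boundary are placeholders. {name} is the
# raw value, {name_qp} the same value as a quoted-printable body would carry it,
# including the soft line break ("=" at end of line) a real mailer emits.
SAMPLE_TEMPLATE = """\
From: Campaign Mailer <sender@example.com>
To: volunteer@example.com
Subject: Can you organize in {name}?
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_constructed"

--b1_constructed
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Then will you sign up to be a volunteer for 2012 in {name_qp}?

--b1_constructed
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<p>Then will you sign up to be a volunteer for 2012 in {name_qp}?</p>

--b1_constructed--
"""

# The iframe string from the advisory's captured mail, raw and as quoted-printable.
INJECTED = '>"<iframe src=http://vulnerability-lab.com width=800 height=800>'
INJECTED_QP = '>"<iframe =\nsrc=3Dhttp://vulnerability-lab.com width=3D800 height=3D800>'

SAMPLE_EML = SAMPLE_TEMPLATE.format(name=INJECTED, name_qp=INJECTED_QP)
CLEAN_EML = SAMPLE_TEMPLATE.format(name="Springfield", name_qp="Springfield")

# Tags and attributes a newsletter template has no reason to carry. <a> and <img>
# are deliberately absent because the legitimate HTML part uses them.
ACTIVE_MARKUP = re.compile(
    r"<\s*(iframe|script|object|embed|svg|form)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def scan_eml(raw):
    """Return (location, matched snippet) pairs for active markup in the Subject
    and in every text/* part. Bodies are transfer-decoded before matching, so
    a payload split by a quoted-printable soft break is still found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "")
    m = ACTIVE_MARKUP.search(subject)
    if m:
        findings.append(("Subject", m.group(0)))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # decodes quoted-printable/base64 and the charset
        m = ACTIVE_MARKUP.search(body)
        if m:
            findings.append((part.get_content_type(), m.group(0)))
    return findings


if __name__ == "__main__":
    for location, snippet in scan_eml(SAMPLE_EML):
        print(f"{location}: {snippet!r}")
    print("clean message findings:", scan_eml(CLEAN_EML))
```

A hit in a text/plain part is the strongest signal, since a plain-text alternative should never contain tags at all; for the HTML part the tag list has to be tuned to the template in use, which is why image and anchor tags are left out here.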



PoC Review: *.eml

Delivered-To: x01445@gmail.com
Received: by 10.147.33.19 with SMTP id l19cs9469yaj;
        Sat, 3 Sep 2011 11:23:12 -0700 (PDT)
Received: by 10.229.37.78 with SMTP id w14mr1772614qcd.204.1315074191466;
        Sat, 03 Sep 2011 11:23:11 -0700 (PDT)
Return-Path: <CgdXWAJtUwRSB1ZTUlEGVVNcCQMCBA@bounce.bluestatedigital.com>
Received: from mta-inap13.bluestatedigital.com (mta-inap13.bluestatedigital.com [66.151.230.244])
        by mx.google.com with ESMTP id n5si747729qcv.4.2011.09.03.11.23.11;
        Sat, 03 Sep 2011 11:23:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of CgdXWAJtUwRSB1ZTUlEGVVNcCQMCBA@bounce.bluestatedigital.com designates 66.151.230.244 as permitted sender) client-ip=66.151.230.244;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of CgdXWAJtUwRSB1ZTUlEGVVNcCQMCBA@bounce.bluestatedigital.com designates 66.151.230.244 as permitted sender) smtp.mail=CgdXWAJtUwRSB1ZTUlEGVVNcCQMCBA@bounce.bluestatedigital.com; dkim=pass header.i=@barackobama.com
Received: by mta-inap13.bluestatedigital.com (Postfix, from userid 506)
	id 41A7CBE2C352; Sat,  3 Sep 2011 14:23:11 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=barackobama.com;
	s=ofakey; t=1315074191;
	bh=QHKCl0j8Cp0Mc3aZfKmyPjI9KjZ2eY5HJc9RIhBgTxM=;
	h=Date:To:From:Reply-to:Subject:Message-ID:List-Unsubscribe:
	 MIME-Version:Content-Type;
	b=c5oaAHYcTLcRj3uDwXviO+GYmWfF6tqYGPy4qHbz7aWZTsMd6hCUrbeK/tmkOJeww
	 smvMW58wICsrzvLmziVdTETeSgFkxufSe5xCNH7EwuXC4C1zgpAHxs292kmZb8IDC4
	 UVDVKe5QN1g94HWU82RH8SgB2fsmagCrdxCbgCP8=
Received: from maillist-o 
	by bounce.bluestatedigital.com with local (PHPMailer);
	Sat, 3 Sep 2011 14:23:11 -0400
Date: Sat, 3 Sep 2011 14:23:11 -0400
To: Rem0ve rmhaggi <x01445@gmail.com>
From: "Jeremy Bird, BarackObama.com" <info@barackobama.com>
Reply-to: info@barackobama.com
Subject: Can you organize in >"<iframe src=http://vulnerability-lab.com width=800 height=800>?
Message-ID: <a42628342e2e608822984f3303027815@bounce.bluestatedigital.com>
X-Priority: 3
X-Mailer: PHPMailer [version 1.71-blue_mailer]
X-maillist-id: 5074ffc4540e9163
X-maillist-guid: CgdXWAJtUwRSB1ZTUlEGVVNcCQMCBA
List-Unsubscribe: <http://my.barackobama.com/unsubscribe?email=x01445@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_a42628342e2e608822984f3303027815"


--b1_a42628342e2e608822984f3303027815
Content-Type: text/plain; charset = "iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Friend --

A couple weeks ago, President Obama sat down for lunch with=20
six of the campaign's summer organizers to thank them for their=20
work and share some of the lessons he learned when he was a=20
first-time community organizer himself.

He made the time because organizing is at the heart of this=20
movement. It's how we're building our operation from the ground=20
up over the next 14 months.

As we pause this weekend to celebrate the working men and=20
women in our country who fought for the right to organize, it's=20
worth taking a few minutes to listen to what the President had to=20
say -- and think about how we'll organize this campaign in the=20
months to come.

Check out this video from the President's lunch to hear him speak=20
in his own words about what it means to organize. Then will you=20
sign up to be a volunteer for 2012 in >"<iframe =
src=3Dhttp://vulnerability-lab.com width=3D800 height=3D800>?

Yes, I'll sign up to volunteer:

http://my.barackobama.com/Labor-Day-Volunteer6

Not right now, but I'll chip in $5 to help build the campaign:

https://donate.barackobama.com/Labor-Day-Vol-Donate2

Labor Day has added significance in the political calendar -- it's seen=20
as the moment when the race for the Republican nomination will=20
really heat up.

That means we need to be prepared for even more false attacks=20
on the President's record as our prospective opponents try to build=20
their own campaigns.

But we'll win this election the same way we won the last one: through=20
people stepping up locally, taking the lead in the communities they=20
know best.

Some supporters will dedicate months to this campaign, while others=20
will pop in for a few volunteer shifts here and there. Any time and=20
expertise you can share helps grow this organization -- and brings=20
people together to make our country greater.

That's a strategy our prospective opponents won't follow.

Watch the video, then sign up to volunteer in your community:

http://my.barackobama.com/Labor-Day-Volunteer6

Our job from now until November 2012 is to keep working to bring=20
more people into the political process. And that begins and ends with=20
organizing.

Hope you have a great Labor Day weekend.

Jeremy

Jeremy Bird
National Field Director
Obama for America


---------
This campaign isn't funded by Washington lobbyists or corporate =
interests.=20
We rely on donations from people like you. You should donate today:

https://donate.barackobama.com/Labor-Day-Vol-Donate2

---------------------------------------------------------------------
Paid for by Obama for America

Contributions or gifts to Obama for America are not tax deductible.

This email was sent to: x01445@gmail.com
To update your address, go to: =
http://www.barackobama.com/change-address?email=3Dx01445@gmail.com
To unsubscribe, go to: http://my.barackobama.com/unsubscription


--b1_a42628342e2e608822984f3303027815
Content-Type: text/html; charset = "iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" =
"http://www.w3.org/TR/REC-html40/loose.dtd">
<html =
xmlns=3D"http://www.w3.org/1999/xhtml"><head><title></title></head><body>
	   <style type=3D"text/css">
	       a { color:#0270a0; }
	       @media only screen and (max-device-width: 480px) {
	           .hide-img {display: none;}
	       }
	   </style><table width=3D"100%" align=3D"center" cellpadding=3D"0" =
cellspacing=3D"0" style=3D"padding-top:10px;"><tr><td align=3D"center">
	           =20
	                   <img src=3D"http://do9a31swnqi1j.cloudfront.net/images=
/email-wrapper/header_logo.jpg" alt=3D"2012" width=3D"135" height=3D"58" =
border=3D"0" style=3D"display:block; border:none; outline:none;"></td>
	       </tr><tr><td style=3D"font-family:arial, helvetica, sans-serif; =
font-size:12px; color:#333333; padding-top:20px; padding-bottom:20px; =
line-height:1.4;">
                   =20
Friend --<br><br>

A couple weeks ago, President Obama sat down for lunch with six of the =
campaign's summer organizers to thank them for their work and share some =
of the lessons he learned when he was a first-time community organizer =
himself.<br><br>

He made the time because organizing is at the heart of this movement. It's =
how we're building our operation from the ground up over the next 14 =
months.<br><br>

As we pause this weekend to celebrate the working men and women in our =
country who fought for the right to organize, it's worth taking a few =
minutes to listen to what the President had to say -- and think about how =
we'll organize this campaign in the months to come.<br><br><strong>Check =
out this video from the President's lunch to hear him speak in his own =
words about what it means to organize.</strong> Then will you sign up to =
be a volunteer for 2012 in >"<iframe src=3Dhttp://vulnerability-lab.com =
width=3D800 height=3D800>?<br><br><center><a href=3D"http://my.barackobama=
.com/page/m/55c11861/6c7a71b4/10bb41480/11890d1c/2677721858/VEsH/p/eyJKU1Z=
GVFVGSlRDVWwiOiJ4MDE0NDVAZ21haWwuY29tIiwiSlNWYVNWQWxKUT09IjoiMzUyMzQiLCJKU=
1ZHU1ZKVFZFNUJUVVVsSlE9PSI6IlJlbTB2ZSIsIkpTVk1RVk5VVGtGTlJTVWwiOiJybWhhZ2d=
pIn0=3D/"><img src=3D"http://assets.bostatic.com/images/email/campaigns/o2=
012_video_thumbnail_lunch.jpg" alt=3D"Video: President Obama on =
organizing" width=3D"325" height=3D"200 =
border=3D"></a></center><br><br><strong><u><a href=3D"http://my.barackobam=
a.com/page/m/55c11861/6c7a71b4/10bb41480/11890d1c/2677721858/VEsE/p/eyJKU1=
ZGVFVGSlRDVWwiOiJ4MDE0NDVAZ21haWwuY29tIiwiSlNWYVNWQWxKUT09IjoiMzUyMzQiLCJK=
U1ZHU1ZKVFZFNUJUVVVsSlE9PSI6IlJlbTB2ZSIsIkpTVk1RVk5VVGtGTlJTVWwiOiJybWhhZ2=
dpIn0=3D/">Yes, I'll sign up to volunteer.</a></u><br><br><u><a =
href=3D"http://my.barackobama.com/page/m/55c11861/6c7a71b4/10bb41480/11891=
018/2677721858/VEsF/p/eyJKU1ZEVlZOVVQwMWZSRUZVUVZORlZGdHpiSFZuUFdadmJHUmxj=
bDlrWVhSaGMyVjBMR3RsZVQxbWIyeGtaWEpmYUdGemFGMGxKUT09IjoiIiwiSlNWRFZWTlVUMD=
FmUkVGVVFWTkZWRnR6YkhWblBXWnBiR1ZmWkdGMFlYTmxkQ3hyWlhrOVptbHNaVjlvWVhOb1hT=
VWwiOiIifQ=3D=3D/">Not right now, but I'll chip in $5 to help build the =
campaign.</a></u></strong><br><br>

Labor Day has added significance in the political calendar -- it's seen as =
the moment when the race for the Republican nomination will really heat =
up.<br><br>

That means we need to be prepared for even more false attacks on the =
President's record as our prospective opponents try to build their own =
campaigns.<br><br>

But we'll win this election the same way we won the last one: through =
people stepping up locally, taking the lead in the communities they know =
best.<br><br>

Some supporters will dedicate months to this campaign, while others will =
pop in for a few volunteer shifts here and there. Any time and expertise =
you can share helps grow this organization -- and brings people together =
to make our country greater.<br><br>

That's a strategy our prospective opponents won't follow.<br><br>

Watch the video, then sign up to volunteer in your =
community:<br><br><strong><a href=3D"http://my.barackobama.com/page/m/55c1=
1861/6c7a71b4/10bb41480/11890d1c/2677721858/VEsC/p/eyJKU1ZGVFVGSlRDVWwiOiJ=
4MDE0NDVAZ21haWwuY29tIiwiSlNWYVNWQWxKUT09IjoiMzUyMzQiLCJKU1ZHU1ZKVFZFNUJUV=
VVsSlE9PSI6IlJlbTB2ZSIsIkpTVk1RVk5VVGtGTlJTVWwiOiJybWhhZ2dpIn0=3D/">http:/=
/my.barackobama.com/Labor-Day-Volunteer</a></strong><br><br>

Our job from now until November 2012 is to keep working to bring more =
people into the political process. And that begins and ends with =
organizing.<br><br>

Hope you have a great Labor Day weekend.<br><br>

Jeremy<br><br>

Jeremy Bird<br>
National Field Director<br>
Obama for America<br><br><br>

-----------<br><strong>This campaign isn't funded by Washington lobbyists =
or corporate interests.</strong> We rely on donations from people like =
you. <strong><u><a href=3D"http://my.barackobama.com/page/m/55c11861/6c7a7=
1b4/10bb41480/11891018/2677721858/VEsD/p/eyJKU1ZEVlZOVVQwMWZSRUZVUVZORlZGd=
HpiSFZuUFdadmJHUmxjbDlrWVhSaGMyVjBMR3RsZVQxbWIyeGtaWEpmYUdGemFGMGxKUT09Ijo=
iIiwiSlNWRFZWTlVUMDFmUkVGVVFWTkZWRnR6YkhWblBXWnBiR1ZmWkdGMFlYTmxkQ3hyWlhrO=
VptbHNaVjlvWVhOb1hTVWwiOiIifQ=3D=3D/">You should donate =
today.</a></u></strong><br><br></td>
	       </tr><tr><td align=3D"center">

	               <img src=3D"http://do9a31swnqi1j.cloudfront.net/images/ema=
il-wrapper/paidfor.png" alt=3D"Paid for by Obama for America"></td>
	       </tr><tr><td align=3D"center">
	               <p style=3D"font-size:10px; color:#555555; =
margin-top:10px; margin-bottom:0px; font-family:arial, helvetica, =
sans-serif;">Contributions or gifts to Obama for America are not tax =
deductible.</p>
	             =20
	           </td>
	       </tr><tr><td align=3D"center">
	               <p style=3D"font-size:10px; color:#555555; =
margin-top:10px; margin-bottom:0px; font-family:arial, helvetica, =
sans-serif;">This email was sent to: <b>x01445@gmail.com</b></p>
	               <p style=3D"font-size:10px; color:#555555; margin-top:2px; =
font-family:arial, helvetica, sans-serif;">
	                   <a href=3D"http://my.barackobama.com/page/m/55c11861/6=
c7a71b4/10bb41480/11890d1e/2677721858/VEsA/p/eyJKU1ZGVFVGSlRDVWwiOiJ4MDE0N=
DVAZ21haWwuY29tIn0=3D/">Update address</a> | <a href=3D"http://my.barackob=
ama.com/page/m/55c11861/6c7a71b4/10bb41480/11890d19/2677721858/VEsB/">Unsu=
bscribe</a>

	               </p>
	           </td>
	       </tr></table><img src=3D"http://my.barackobama.com/page/o/55c11861=
/6c7a71b4/10bb41480/11890d18/2677721858/open.gif" width=3D"22" =
height=3D"1"></body></html>
--b1_a42628342e2e608822984f3303027815--



NOTE:
To reproduce, you can use the tester's profile with the name & mail.


Solution - Fix & Patch:
=======================
Restrict/parse the username + mail input fields (backend; frontend). To protect against strings that were already stored earlier (2010/2011), you
can also patch/fix the bound output sections where username or mail data is displayed.
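Here is an added Python example, not code from the advisory or from the site's own mailer, that models the fix in the two layers the solution names: an allow-list check on the username and mail fields at signup, and context-specific output encoding at the place where the stored username is put into the outgoing mail. The templates, field names and the allowed character set are assumptions; the injected sample value is the iframe string from the advisory's capture. The output-encoding layer is what protects records stored before the check existed, which is the point the solution makes about older (2010/2011) data.

```python
# Added example (not the advisory's or the vendor's code): a minimal model of a
# volunteer-signup mailer. build_mail_vulnerable() places the stored username into
# the Subject and HTML body unparsed, as the advisory describes; validate_signup()
# rejects markup at signup, and build_mail_hardened() encodes the username for each
# output context so that records stored before validation existed are safe too.
import html
import re

# Constructed sample signups; the first uses the markup from the advisory's capture.
INJECTED_SIGNUP = {
    "username": '>"<iframe src=http://vulnerability-lab.com width=800 height=800>',
    "email": "volunteer@example.com",
}
BENIGN_SIGNUP = {"username": "Jane O'Neil", "email": "jane@example.com"}

# Assumed mail templates with one user-controlled slot each.
SUBJECT_TEMPLATE = "Can you organize in {name}?"
TEXT_TEMPLATE = "Then will you sign up to be a volunteer for 2012 in {name}?"
HTML_TEMPLATE = "<p>Then will you sign up to be a volunteer for 2012 in {name}?</p>"

# Allow-list for new signups: letters, digits, space, apostrophe, hyphen, period.
USERNAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,64}")
# Deliberately strict address shape: one @, no whitespace, quotes or angle brackets.
EMAIL_RE = re.compile(r"[^\s@<>\"']+@[^\s@<>\"']+\.[A-Za-z]{2,}")


def validate_signup(signup):
    """Backend-side input validation. Returns a list of error strings; an empty
    list means the record may be stored."""
    errors = []
    if not USERNAME_RE.fullmatch(signup["username"].strip()):
        errors.append("username contains characters outside the allowed set")
    if not EMAIL_RE.fullmatch(signup["email"].strip()):
        errors.append("mail address is not a plain addr-spec")
    return errors


def build_mail_vulnerable(signup):
    """The behaviour the advisory describes: the stored value is not parsed before
    it is placed into the outgoing mail, so the HTML part renders the markup."""
    name = signup["username"]
    return {
        "subject": SUBJECT_TEMPLATE.format(name=name),
        "text": TEXT_TEMPLATE.format(name=name),
        "html": HTML_TEMPLATE.format(name=name),
    }


def build_mail_hardened(signup):
    """Output encoding chosen per context. This also covers usernames stored
    before validate_signup() existed, which input validation alone cannot fix."""
    name = signup["username"]
    # Header context: CR/LF in a value would let it append extra headers.
    header_safe = re.sub(r"[\r\n]+", " ", name)
    return {
        "subject": SUBJECT_TEMPLATE.format(name=header_safe),
        # Plain-text part: a mail client does not interpret tags here.
        "text": TEXT_TEMPLATE.format(name=name),
        # HTML part: escape < > & " ' so the value is displayed, not rendered.
        "html": HTML_TEMPLATE.format(name=html.escape(name, quote=True)),
    }


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_mail_vulnerable),
                           ("hardened", build_mail_hardened)):
        mail = builder(INJECTED_SIGNUP)
        print(f"{label} subject: {mail['subject']}")
        print(f"{label} html:    {mail['html']}")
    print("validation errors:", validate_signup(INJECTED_SIGNUP))
```

The same per-context rule applies to the website modules the advisory says display the username: HTML-escape in HTML bodies and attributes, strip CR/LF in mail headers, and never rely on the signup check alone, because it says nothing about what is already in the database.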


Security Risk:
==============
The security risk of the persistent vulnerability is estimated as high(-).


Credits & Authors:
==================
Vulnerability Research Laboratory -   Benjamin Kunz Mejri (Rem0ve)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory