{"href": "http://www.vulnerability-lab.com/get_content.php?id=270", "history": [], "sourceData": "Document Title:\r\n===============\r\nBarackObama Online Service - Persistent Web Vulnerability\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttp://www.vulnerability-lab.com/get_content.php?id=270\r\nhttp://www.acunetix.com/blog/news/obama-email-servers-hacked-xss/\r\n\r\n\r\nRelease Date:\r\n=============\r\n2011-09-11\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n270\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n5.7\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe Vulnerability-Lab Team discovered a persistent web vulnerability in BarackObama's official website service.\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2011-08-30:\tVendor Notification\r\n2011-09-19:\tVendor Response/Feedback\r\n2011-**-**:\tVendor Fix/Patch\r\n2011-09-12:\tPublic or Non-Public Disclosure\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nAffected Product(s):\r\n====================\r\n\r\nExploitation Technique:\r\n=======================\r\nRemote\r\n\r\n\r\nSeverity Level:\r\n===============\r\nHigh\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nA persistent, high(-) priority input validation vulnerability was detected in BarackObama's official website service.\r\nAn attacker can craft malicious requests whose content passes through the backend unparsed and is then displayed in outgoing \r\ninfo@barackobama.com mail. 
Attackers can hijack (steal) backend sessions of portal users/admins and can send malicious \r\nmails from the original postbox.\r\n\r\n\r\nVulnerable Module(s):\r\n\t\t\t\t\t\t[+] Signup Volunteer 2012 - BackEnd; Username; Mail & Video\r\n\r\nAffected by Bug(s):\r\n\t\t\t\t\t\t[+] Mail/Website output & multiple other website modules that output the same user values\r\n\r\n\r\nPictures:\r\n\t\t\t\t\t\t../1.png\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe vulnerability can be exploited by remote attackers. For demonstration or reproduction ...\r\n\r\nReproduce manually ...\r\nRegister on the volunteer form on the website with [script code] tags as the username and mail values.\r\nWhen the malicious content passes through the backend, the script code is executed from the website content or from the mail.\r\n\r\n\r\n\r\nPoC Review: *.eml\r\n\r\nDelivered-To: x01445@gmail.com\r\nReceived: by 10.147.33.19 with SMTP id l19cs9469yaj;\r\n Sat, 3 Sep 2011 11:23:12 -0700 (PDT)\r\nReceived: by 10.229.37.78 with SMTP id w14mr1772614qcd.204.1315074191466;\r\n Sat, 03 Sep 2011 11:23:11 -0700 (PDT)\r\nReturn-Path: <CgdXWAJtUwRSB1ZTUlEGVVNcCQMCBA@bounce.bluestatedigital.com>\r\nReceived: from mta-inap13.bluestatedigital.com (mta-inap13.bluestatedigital.com [66.151.230.244])\r\n by mx.google.com with ESMTP id n5si747729qcv.4.2011.09.03.11.23.11;\r\n Sat, 03 Sep 2011 11:23:11 -0700 (PDT)\r\nReceived-SPF: pass (google.com: domain of CgdXWAJtUwRSB1ZTUlEGVVNcCQMCBA@bounce.bluestatedigital.com designates 66.151.230.244 as permitted sender) client-ip=66.151.230.244;\r\nAuthentication-Results: mx.google.com; spf=pass (google.com: domain of CgdXWAJtUwRSB1ZTUlEGVVNcCQMCBA@bounce.bluestatedigital.com designates 66.151.230.244 as permitted sender) smtp.mail=CgdXWAJtUwRSB1ZTUlEGVVNcCQMCBA@bounce.bluestatedigital.com; dkim=pass header.i=@barackobama.com\r\nReceived: by mta-inap13.bluestatedigital.com (Postfix, from userid 506)\r\n\tid 41A7CBE2C352; Sat, 3 Sep 2011 14:23:11 -0400 
(EDT)\r\nDKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=barackobama.com;\r\n\ts=ofakey; t=1315074191;\r\n\tbh=QHKCl0j8Cp0Mc3aZfKmyPjI9KjZ2eY5HJc9RIhBgTxM=;\r\n\th=Date:To:From:Reply-to:Subject:Message-ID:List-Unsubscribe:\r\n\t MIME-Version:Content-Type;\r\n\tb=c5oaAHYcTLcRj3uDwXviO+GYmWfF6tqYGPy4qHbz7aWZTsMd6hCUrbeK/tmkOJeww\r\n\t smvMW58wICsrzvLmziVdTETeSgFkxufSe5xCNH7EwuXC4C1zgpAHxs292kmZb8IDC4\r\n\t UVDVKe5QN1g94HWU82RH8SgB2fsmagCrdxCbgCP8=\r\nReceived: from maillist-o \r\n\tby bounce.bluestatedigital.com with local (PHPMailer);\r\n\tSat, 3 Sep 2011 14:23:11 -0400\r\nDate: Sat, 3 Sep 2011 14:23:11 -0400\r\nTo: Rem0ve rmhaggi <x01445@gmail.com>\r\nFrom: \"Jeremy Bird, BarackObama.com\" <info@barackobama.com>\r\nReply-to: info@barackobama.com\r\nSubject: Can you organize in >\"<iframe src=http://vulnerability-lab.com width=800 height=800>?\r\nMessage-ID: <a42628342e2e608822984f3303027815@bounce.bluestatedigital.com>\r\nX-Priority: 3\r\nX-Mailer: PHPMailer [version 1.71-blue_mailer]\r\nX-maillist-id: 5074ffc4540e9163\r\nX-maillist-guid: CgdXWAJtUwRSB1ZTUlEGVVNcCQMCBA\r\nList-Unsubscribe: <http://my.barackobama.com/unsubscribe?email=x01445@gmail.com>\r\nMIME-Version: 1.0\r\nContent-Type: multipart/alternative;\r\n\tboundary=\"b1_a42628342e2e608822984f3303027815\"\r\n\r\n\r\n--b1_a42628342e2e608822984f3303027815\r\nContent-Type: text/plain; charset = \"iso-8859-1\"\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\nFriend --\r\n\r\nA couple weeks ago, President Obama sat down for lunch with=20\r\nsix of the campaign's summer organizers to thank them for their=20\r\nwork and share some of the lessons he learned when he was a=20\r\nfirst-time community organizer himself.\r\n\r\nHe made the time because organizing is at the heart of this=20\r\nmovement. 
It's how we're building our operation from the ground=20\r\nup over the next 14 months.\r\n\r\nAs we pause this weekend to celebrate the working men and=20\r\nwomen in our country who fought for the right to organize, it's=20\r\nworth taking a few minutes to listen to what the President had to=20\r\nsay -- and think about how we'll organize this campaign in the=20\r\nmonths to come.\r\n\r\nCheck out this video from the President's lunch to hear him speak=20\r\nin his own words about what it means to organize. Then will you=20\r\nsign up to be a volunteer for 2012 in >\"<iframe =\r\nsrc=3Dhttp://vulnerability-lab.com width=3D800 height=3D800>?\r\n\r\nYes, I'll sign up to volunteer:\r\n\r\nhttp://my.barackobama.com/Labor-Day-Volunteer6\r\n\r\nNot right now, but I'll chip in $5 to help build the campaign:\r\n\r\nhttps://donate.barackobama.com/Labor-Day-Vol-Donate2\r\n\r\nLabor Day has added significance in the political calendar -- it's seen=20\r\nas the moment when the race for the Republican nomination will=20\r\nreally heat up.\r\n\r\nThat means we need to be prepared for even more false attacks=20\r\non the President's record as our prospective opponents try to build=20\r\ntheir own campaigns.\r\n\r\nBut we'll win this election the same way we won the last one: through=20\r\npeople stepping up locally, taking the lead in the communities they=20\r\nknow best.\r\n\r\nSome supporters will dedicate months to this campaign, while others=20\r\nwill pop in for a few volunteer shifts here and there. Any time and=20\r\nexpertise you can share helps grow this organization -- and brings=20\r\npeople together to make our country greater.\r\n\r\nThat's a strategy our prospective opponents won't follow.\r\n\r\nWatch the video, then sign up to volunteer in your community:\r\n\r\nhttp://my.barackobama.com/Labor-Day-Volunteer6\r\n\r\nOur job from now until November 2012 is to keep working to bring=20\r\nmore people into the political process. 
And that begins and ends with=20\r\norganizing.\r\n\r\nHope you have a great Labor Day weekend.\r\n\r\nJeremy\r\n\r\nJeremy Bird\r\nNational Field Director\r\nObama for America\r\n\r\n\r\n---------\r\nThis campaign isn't funded by Washington lobbyists or corporate =\r\ninterests.=20\r\nWe rely on donations from people like you. You should donate today:\r\n\r\nhttps://donate.barackobama.com/Labor-Day-Vol-Donate2\r\n\r\n---------------------------------------------------------------------\r\nPaid for by Obama for America\r\n\r\nContributions or gifts to Obama for America are not tax deductible.\r\n\r\nThis email was sent to: x01445@gmail.com\r\nTo update your address, go to: =\r\nhttp://www.barackobama.com/change-address?email=3Dx01445@gmail.com\r\nTo unsubscribe, go to: http://my.barackobama.com/unsubscription\r\n\r\n\r\n--b1_a42628342e2e608822984f3303027815\r\nContent-Type: text/html; charset = \"iso-8859-1\"\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\" =\r\n\"http://www.w3.org/TR/REC-html40/loose.dtd\">\r\n<html =\r\nxmlns=3D\"http://www.w3.org/1999/xhtml\"><head><title></title></head><body>\r\n\t <style type=3D\"text/css\">\r\n\t a { color:#0270a0; }\r\n\t @media only screen and (max-device-width: 480px) {\r\n\t .hide-img {display: none;}\r\n\t }\r\n\t </style><table width=3D\"100%\" align=3D\"center\" cellpadding=3D\"0\" =\r\ncellspacing=3D\"0\" style=3D\"padding-top:10px;\"><tr><td align=3D\"center\">\r\n\t =20\r\n\t <img src=3D\"http://do9a31swnqi1j.cloudfront.net/images=\r\n/email-wrapper/header_logo.jpg\" alt=3D\"2012\" width=3D\"135\" height=3D\"58\" =\r\nborder=3D\"0\" style=3D\"display:block; border:none; outline:none;\"></td>\r\n\t </tr><tr><td style=3D\"font-family:arial, helvetica, sans-serif; =\r\nfont-size:12px; color:#333333; padding-top:20px; padding-bottom:20px; =\r\nline-height:1.4;\">\r\n =20\r\nFriend --<br><br>\r\n\r\nA couple weeks ago, President Obama sat down for lunch 
with six of the =\r\ncampaign's summer organizers to thank them for their work and share some =\r\nof the lessons he learned when he was a first-time community organizer =\r\nhimself.<br><br>\r\n\r\nHe made the time because organizing is at the heart of this movement. It's =\r\nhow we're building our operation from the ground up over the next 14 =\r\nmonths.<br><br>\r\n\r\nAs we pause this weekend to celebrate the working men and women in our =\r\ncountry who fought for the right to organize, it's worth taking a few =\r\nminutes to listen to what the President had to say -- and think about how =\r\nwe'll organize this campaign in the months to come.<br><br><strong>Check =\r\nout this video from the President's lunch to hear him speak in his own =\r\nwords about what it means to organize.</strong> Then will you sign up to =\r\nbe a volunteer for 2012 in >\"<iframe src=3Dhttp://vulnerability-lab.com =\r\nwidth=3D800 height=3D800>?<br><br><center><a href=3D\"http://my.barackobama=\r\n.com/page/m/55c11861/6c7a71b4/10bb41480/11890d1c/2677721858/VEsH/p/eyJKU1Z=\r\nGVFVGSlRDVWwiOiJ4MDE0NDVAZ21haWwuY29tIiwiSlNWYVNWQWxKUT09IjoiMzUyMzQiLCJKU=\r\n1ZHU1ZKVFZFNUJUVVVsSlE9PSI6IlJlbTB2ZSIsIkpTVk1RVk5VVGtGTlJTVWwiOiJybWhhZ2d=\r\npIn0=3D/\"><img src=3D\"http://assets.bostatic.com/images/email/campaigns/o2=\r\n012_video_thumbnail_lunch.jpg\" alt=3D\"Video: President Obama on =\r\norganizing\" width=3D\"325\" height=3D\"200 =\r\nborder=3D\"></a></center><br><br><strong><u><a href=3D\"http://my.barackobam=\r\na.com/page/m/55c11861/6c7a71b4/10bb41480/11890d1c/2677721858/VEsE/p/eyJKU1=\r\nZGVFVGSlRDVWwiOiJ4MDE0NDVAZ21haWwuY29tIiwiSlNWYVNWQWxKUT09IjoiMzUyMzQiLCJK=\r\nU1ZHU1ZKVFZFNUJUVVVsSlE9PSI6IlJlbTB2ZSIsIkpTVk1RVk5VVGtGTlJTVWwiOiJybWhhZ2=\r\ndpIn0=3D/\">Yes, I'll sign up to volunteer.</a></u><br><br><u><a 
=\r\nhref=3D\"http://my.barackobama.com/page/m/55c11861/6c7a71b4/10bb41480/11891=\r\n018/2677721858/VEsF/p/eyJKU1ZEVlZOVVQwMWZSRUZVUVZORlZGdHpiSFZuUFdadmJHUmxj=\r\nbDlrWVhSaGMyVjBMR3RsZVQxbWIyeGtaWEpmYUdGemFGMGxKUT09IjoiIiwiSlNWRFZWTlVUMD=\r\nFmUkVGVVFWTkZWRnR6YkhWblBXWnBiR1ZmWkdGMFlYTmxkQ3hyWlhrOVptbHNaVjlvWVhOb1hT=\r\nVWwiOiIifQ=3D=3D/\">Not right now, but I'll chip in $5 to help build the =\r\ncampaign.</a></u></strong><br><br>\r\n\r\nLabor Day has added significance in the political calendar -- it's seen as =\r\nthe moment when the race for the Republican nomination will really heat =\r\nup.<br><br>\r\n\r\nThat means we need to be prepared for even more false attacks on the =\r\nPresident's record as our prospective opponents try to build their own =\r\ncampaigns.<br><br>\r\n\r\nBut we'll win this election the same way we won the last one: through =\r\npeople stepping up locally, taking the lead in the communities they know =\r\nbest.<br><br>\r\n\r\nSome supporters will dedicate months to this campaign, while others will =\r\npop in for a few volunteer shifts here and there. Any time and expertise =\r\nyou can share helps grow this organization -- and brings people together =\r\nto make our country greater.<br><br>\r\n\r\nThat's a strategy our prospective opponents won't follow.<br><br>\r\n\r\nWatch the video, then sign up to volunteer in your =\r\ncommunity:<br><br><strong><a href=3D\"http://my.barackobama.com/page/m/55c1=\r\n1861/6c7a71b4/10bb41480/11890d1c/2677721858/VEsC/p/eyJKU1ZGVFVGSlRDVWwiOiJ=\r\n4MDE0NDVAZ21haWwuY29tIiwiSlNWYVNWQWxKUT09IjoiMzUyMzQiLCJKU1ZHU1ZKVFZFNUJUV=\r\nVVsSlE9PSI6IlJlbTB2ZSIsIkpTVk1RVk5VVGtGTlJTVWwiOiJybWhhZ2dpIn0=3D/\">http:/=\r\n/my.barackobama.com/Labor-Day-Volunteer</a></strong><br><br>\r\n\r\nOur job from now until November 2012 is to keep working to bring more =\r\npeople into the political process. 
And that begins and ends with =\r\norganizing.<br><br>\r\n\r\nHope you have a great Labor Day weekend.<br><br>\r\n\r\nJeremy<br><br>\r\n\r\nJeremy Bird<br>\r\nNational Field Director<br>\r\nObama for America<br><br><br>\r\n\r\n-----------<br><strong>This campaign isn't funded by Washington lobbyists =\r\nor corporate interests.</strong> We rely on donations from people like =\r\nyou. <strong><u><a href=3D\"http://my.barackobama.com/page/m/55c11861/6c7a7=\r\n1b4/10bb41480/11891018/2677721858/VEsD/p/eyJKU1ZEVlZOVVQwMWZSRUZVUVZORlZGd=\r\nHpiSFZuUFdadmJHUmxjbDlrWVhSaGMyVjBMR3RsZVQxbWIyeGtaWEpmYUdGemFGMGxKUT09Ijo=\r\niIiwiSlNWRFZWTlVUMDFmUkVGVVFWTkZWRnR6YkhWblBXWnBiR1ZmWkdGMFlYTmxkQ3hyWlhrO=\r\nVptbHNaVjlvWVhOb1hTVWwiOiIifQ=3D=3D/\">You should donate =\r\ntoday.</a></u></strong><br><br></td>\r\n\t </tr><tr><td align=3D\"center\">\r\n\r\n\t <img src=3D\"http://do9a31swnqi1j.cloudfront.net/images/ema=\r\nil-wrapper/paidfor.png\" alt=3D\"Paid for by Obama for America\"></td>\r\n\t </tr><tr><td align=3D\"center\">\r\n\t <p style=3D\"font-size:10px; color:#555555; =\r\nmargin-top:10px; margin-bottom:0px; font-family:arial, helvetica, =\r\nsans-serif;\">Contributions or gifts to Obama for America are not tax =\r\ndeductible.</p>\r\n\t =20\r\n\t </td>\r\n\t </tr><tr><td align=3D\"center\">\r\n\t <p style=3D\"font-size:10px; color:#555555; =\r\nmargin-top:10px; margin-bottom:0px; font-family:arial, helvetica, =\r\nsans-serif;\">This email was sent to: <b>x01445@gmail.com</b></p>\r\n\t <p style=3D\"font-size:10px; color:#555555; margin-top:2px; =\r\nfont-family:arial, helvetica, sans-serif;\">\r\n\t <a href=3D\"http://my.barackobama.com/page/m/55c11861/6=\r\nc7a71b4/10bb41480/11890d1e/2677721858/VEsA/p/eyJKU1ZGVFVGSlRDVWwiOiJ4MDE0N=\r\nDVAZ21haWwuY29tIn0=3D/\">Update address</a> | <a href=3D\"http://my.barackob=\r\nama.com/page/m/55c11861/6c7a71b4/10bb41480/11890d19/2677721858/VEsB/\">Unsu=\r\nbscribe</a>\r\n\r\n\t </p>\r\n\t </td>\r\n\t </tr></table><img 
src=3D\"http://my.barackobama.com/page/o/55c11861=\r\n/6c7a71b4/10bb41480/11890d18/2677721858/open.gif\" width=3D\"22\" =\r\nheight=3D\"1\"></body></html>\r\n--b1_a42628342e2e608822984f3303027815--\r\n\r\n\r\n\r\nNOTE:\r\nTo reproduce, you can use the tester's profile with the name & mail shown above.\r\n\r\n\r\nSolution - Fix & Patch:\r\n=======================\r\nRestrict and parse (sanitize) the username and mail input fields, in both the backend and the frontend. To protect against malicious strings that were already stored earlier (2010/2011), you \r\ncan also patch/fix the bound output sections where username or mail data is displayed, so that stored values are encoded before they are rendered.\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the persistent vulnerability is estimated as high(-).\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nVulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, \r\neither expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-\r\nLab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business \r\nprofits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some \r\nstates do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation \r\nmay not apply. 
We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases \r\nor trade with fraud/stolen material.\r\n\r\nDomains: www.vulnerability-lab.com \t- www.vuln-lab.com\t\t\t - www.vulnerability-lab.com/register\r\nContact: admin@vulnerability-lab.com \t- support@vulnerability-lab.com \t - research@vulnerability-lab.com\r\nSection: video.vulnerability-lab.com \t- forum.vulnerability-lab.com \t\t - news.vulnerability-lab.com\r\nSocial:\t twitter.com/#!/vuln_lab \t\t- facebook.com/VulnerabilityLab \t - youtube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php\t- vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. \r\nPermission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other \r\nmedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and \r\nother information on this website is trademark of vulnerability-lab team & the specific authors or managers. 
To record, list (feed), \r\nmodify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.\r\n\r\n \t\t\t\t \tCopyright \u00a9 2012 | Vulnerability Laboratory\r\n\r\n\r\n\r\n", "bulletinFamily": "exploit", "modified": "2011-09-11T00:00:00", "title": "BarackObama Online Service - Persistent Web Vulnerability", "cvss": {"vector": "NONE", "score": 0.0}, "cvelist": [], "description": "", "viewCount": 5, "published": "2011-09-11T00:00:00", "edition": 1, "hash": "c980265b4a39d5efa8c54434ae89c9933a9c12a01598bebbd8a13d496bb4dc5a", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "855e308101b61e3f6a551d3721db5914"}, {"key": "modified", "hash": "b1e510f95804cde6623303713473024b"}, {"key": "published", "hash": "b1e510f95804cde6623303713473024b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "48350405bf0d8e70b580af494ce1ed1c"}, {"key": "sourceData", "hash": "4982ebe8115f599b1d6f4a1a3b837081"}, {"key": "title", "hash": "be4dca959862f93220d45c132199192b"}, {"key": "type", "hash": "c51e07649f7fd47199f456897e9390ca"}], "id": "VULNERLAB:270", "type": "vulnerlab", "lastseen": "2018-03-01T19:13:58", "reporter": "Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)", "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-03-01T19:13:58"}, "vulnersScore": 5.0}, "objectVersion": "1.3", "references": []}