Vulners
Lucene search
Nike+ Panel / Mobile App Cross Site Scripting
Nike+ Panel & Mobile App - Multiple Web Vulnerabilities
Details:
========
Multiple persistent input validation vulnerabilities are detected in the Nike+ Control Panel & fuelband mobile web application.
The bug allows an attackers to implement/inject malicious script code on the application side (persistent).
The first persistent vulnerability is located in the profile username input with the bound vulnerable name normal_font listing.
The persistent code get executed out of the mobile application username listing & nike+ index panel username profile listing.
The secound persistent vulnerability is located in the facebook friends module & the bound vulnerable facebook friend name listing.
The persistent code get executed out of the friends (management) when processing to add a user with malicious string in the facebook name.
The third vulnerability is located in the nike+ search module for members and the bound vulnerable alt_header_font title listing.
The 3rd vulnerability is located on client side of the application and gets executed when a register malicious username will be searched.
By injecting any own script code directly without the existing user the code will be executed on client side of the search module.
Successful exploitation of the vulnerability can lead to persistent session hijacking (manager/admin) or stable (persistent)
context manipulation in mobile apps or panels via sync. Exploitation requires low user inter action and a privileged user account.
Vulnerable Section(s):
[+] Index & Profile
[+] Friends/Freunde - Facebook
[+] Search - Listing
Vulnerable Input(s):
[+] Name
[+] Friend Name
[+] Titel Header
Vulnerable Parameter(s):
[+] name normal_font
[+] facebook friend name
[+] alt_header_font title
Note: the vulnerability also affect the mobile applications and can be synced with the fuelband. Maybe the bug is also located in other panels!
Proof of Concept:
=================
The persistent input validation vulnerability can be exploited by privileged user accounts with low required user inter action & nike+ sync.
For demonstration or reproduce ...
Review: name normal_font
<li id="nav_profile" class="button">
<a href="/plus/profile/rem0ve23/">
<div class="avatar">
</div>
<div class="desc">
<div class="name normal_font">
<[PERSISTENT INJECTED SCRIPT CODE!]">
<
</div>
Input: http://nikeplus.nike.com/plus/profile/keymaster137/
Output: http://nikeplus.nike.com/plus/
Review: alt_header_font title
<div class="alt_header_font title no_results">ZU >"<[PERSISTENT INJECTED SCRIPT CODE!]"> WURDE KEIN EINTRAG GEFUNDEN</iframe></div>
Input: https://secure-nikeplus.nike.com/plus/friends/[USERNAME]/#nike
Solution:
=========
The first vulnerability can be patched by parsing the username input (profile) & the affected output listing (index).
The secound vulnerability can be patched by parsing the invited friend facebook name listing (output).
The third vulnerability can be patched by parsing the the search input field and output listing (results) to`zu.
Risk:
=====
The security risk of the persistent input validation vulnerabilities are estimated as medium(+)|(-)high.
# 0day.today [2018-01-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Aug 2012 00:00Current
7.1High risk
Vulners AI Score7.1