Nike+ Panel / Mobile App Cross Site Scripting

2012-08-11T00:00:00
ID 1337DAY-ID-19204
Type zdt
Reporter n/a
Modified 2012-08-11T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Nike+ Panel & Mobile App - Multiple Web Vulnerabilities

Details:
========
Multiple persistent input validation vulnerabilities are detected in the Nike+ Control Panel & fuelband mobile web application.
The bug allows an attackers to implement/inject malicious script code on the application side (persistent). 

The first persistent vulnerability is located in the profile username input with the bound vulnerable name normal_font listing.
The persistent code get executed out of the mobile application username listing & nike+ index panel username profile listing.

The secound persistent vulnerability is located in the facebook friends module & the bound vulnerable facebook friend name listing.
The persistent code get executed out of the friends (management) when processing to add a user with malicious string in the facebook name.

The third vulnerability is located in the nike+ search module for members and the bound vulnerable alt_header_font title listing.
The 3rd vulnerability is located on client side of the application and gets executed when a register malicious username will be searched.
By injecting any own script code directly without the existing user the code will be executed on client side of the search module.

Successful exploitation of the vulnerability can lead to persistent session hijacking (manager/admin) or stable (persistent) 
context manipulation in mobile apps or panels via sync. Exploitation requires low user inter action and a privileged user account. 


Vulnerable Section(s):
                          [+] Index & Profile
                          [+] Friends/Freunde - Facebook
                          [+] Search - Listing

Vulnerable Input(s):
                          [+] Name
                          [+] Friend Name
                          [+] Titel Header

Vulnerable Parameter(s):
                          [+] name normal_font
        [+] facebook friend name
        [+] alt_header_font title


Note: the vulnerability also affect the mobile applications and can be synced with the fuelband. Maybe the bug is also located in other panels!


Proof of Concept:
=================
The persistent input validation vulnerability can be exploited by privileged user accounts with low required user inter action & nike+ sync.
For demonstration or reproduce ...

Review: name normal_font

<li id="nav_profile" class="button">
<a href="/plus/profile/rem0ve23/">
<div class="avatar">
</div>
<div class="desc">
<div class="name normal_font">
<[PERSISTENT INJECTED SCRIPT CODE!]">
<
</div>


Input:     http://nikeplus.nike.com/plus/profile/keymaster137/
Output:   http://nikeplus.nike.com/plus/




Review: alt_header_font title

<div class="alt_header_font title no_results">ZU >"<[PERSISTENT INJECTED SCRIPT CODE!]"> WURDE KEIN EINTRAG GEFUNDEN</iframe></div>

Input: https://secure-nikeplus.nike.com/plus/friends/[USERNAME]/#nike


Solution:
=========
The first vulnerability can be patched by parsing the username input (profile) & the affected output listing (index).
The secound vulnerability can be patched by parsing the invited friend facebook name listing (output).
The third vulnerability can be patched by parsing the the search input field and output listing (results) to`zu. 


Risk:
=====
The security risk of the persistent input validation vulnerabilities are estimated as medium(+)|(-)high.



#  0day.today [2018-01-01]  #