Ebuddy Web Messenger Disclosure / CSRF Vulnerabilities

2013-09-04T00:00:00
ID 1337DAY-ID-21198
Type zdt
Reporter Juan Carlos Garcia
Modified 2013-09-04T00:00:00

Description

Ebuddy Web Messenger suffers from index disclosure, cross site request forgery, htaccess file disclosure, and insecure credential transport vulnerabilities.

                                        
                                            ===============================================================================================================================================================================================
Ebuddy Web Messenger Index of Disclosure / htaccess file readable / HTML Form without CSRF Protection / User Credential sent in clear text
===============================================================================================================================================================================================


I. VULNERABILITY
-------------------------
#Title: Ebuddy  htaccess file readable / HTML Form without CSRF Protection / User Credential sent in clear text

#Vendor:httpS://www.ebuddy.com/

#Author:Juan Carlos García (@secnight)

#Follow me 
 http://www.highsec.es
Twitter:@secnight

II. DESCRIPTION
-------------------------

XMS: Free, real-time messaging app for smartphones

Unlimited messaging through your Internet connection

Message any way you want with text, pictures, videos, location and more.

Brought to you by the messaging pros at eBuddy



III. PROOF OF CONCEPT
-------------------------

Index of / Disclosure
*********************

http://web.ebuddy.com/?startsession=1



htaccess file readable
***********************

Vulnerability description
--------------------------

This directory contains an .htaccess file that is readable. This may indicate a server misconfiguration. htaccess files 
are designed to be parsed by web server and should not be directly accessible. These files could contain sensitive information 
that could help an attacker to conduct further attacks. It's recommended to restrict access to this file.

Affected items

/ 

The impact of this vulnerability
---------------------------------

Sensitive information disclosure.

Request

GET /.htaccess HTTP/1.1
Cookie: language=en-GB; e_network=MASTER

Html Response
-------------

DirectoryIndex index.html ErrorDocument 404 /404.html # Turning on the rewrite engine is necessary for the following rules and features. # FollowSymLinks must be enabled for this to work. Options +FollowSymlinks RewriteEngine On # 

Rewrite "www.example.com -> example.com" RewriteCond %{HTTPS} !=on RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L] RewriteRule ^(feedback/) - [L] RewriteRule ^(php/) - [L] RewriteRule ^(.*)\.php$ 

/$1.html [R=301,L] RewriteRule ^advertising/(.*)$ /advertising.html [L,R=301] RewriteRule ^iphone(.*)$ /products.html [L,R=301] RewriteRule ^android(.*)$ /products.html [L,R=301] RewriteRule ^mobile(.*)$ /products.html [L,R=301] 

RewriteRule ^ebuddy_id(.*)$ /index.html [L,R=301] RewriteRule ^webmessenger(.*)$ /index.html [L,R=301] RewriteRule ^landing/(.*)$ /picture.html [L,R=301] RewriteRule ^psp(?:/.*)?$ http://m.ebuddy.com/psp [L,R=301] # fd=1 --> force 

desktop website RewriteCond %{QUERY_STRING} !"(?:^|&)fd=(?:1|true)(?:&|$)" [NC] RewriteCond %{HTTP_USER_AGENT} !"googlebot" [NC] RewriteCond %{HTTP_ACCEPT} "text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR] RewriteCond 

%{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "windows ce|psp|nitro|symbian|nintendo|htc|mobile|nokia|mot-|sonyerricson|samsung|alcatel|opera mini|

j2me|midp-|cldc-|netfront" [NC] RewriteRule (^$|^index.html$) http://m.ebuddy.com/ [L,R=302] RewriteCond %{QUERY_STRING} !"(?:^|&)fd=(?:1|true)(?:&|$)" [NC] RewriteCond %{HTTP_USER_AGENT} !"googlebot" [NC] RewriteCond %{HTTP_ACCEPT} 

"text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "windows ce|psp|nitro|

symbian|nintendo|htc|mobile|nokia|mot-|sonyerricson|samsung|alcatel|opera mini|j2me|midp-|cldc-|netfront" [NC] RewriteRule (^picture.html$) http://m.ebuddy.com/landing.php [L,R=302] #### ## Unknown stuff #### # 

---------------------------------------------------------------------- # Better website experience for IE users # ---------------------------------------------------------------------- # Force the latest IE version, in various cases when 

it may fall back to IE7 mode # github.com/rails/rails/commit/123eb25#commitcomment-118920 # Use ChromeFrame if it's installed for a better experience for the poor IE folk Header set X-UA-Compatible "IE=Edge,chrome=1" # mod_headers can't 

match by content-type, but we don't want to send this header on *everything*... Header unset X-UA-Compatible # ---------------------------------------------------------------------- # CORS-enabled images (@crossorigin) # 

---------------------------------------------------------------------- # Send CORS headers if browsers request them; enabled by default for images. # developer.mozilla.org/en/CORS_Enabled_Image # blog.chromium.org/2011/07/using-cross-

domain-images-in-webgl-and.html # hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/ # wiki.mozilla.org/Security/Reviews/crossoriginAttribute # mod_headers, y u no match by Content-Type?! SetEnvIf 

Origin ":" IS_CORS Header set Access-Control-Allow-Origin "*" env=IS_CORS # ---------------------------------------------------------------------- # Webfont access # ---------------------------------------------------------------------- 

# Allow access from all domains for webfonts. # Alternatively you could only whitelist your # subdomains like "subdomain.example.com". Header set Access-Control-Allow-Origin "*" # 

---------------------------------------------------------------------- # Gzip compression # ---------------------------------------------------------------------- # Force deflate for mangled headers 

developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/ SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding RequestHeader append Accept-Encoding 

"gzip,deflate" env=HAVE_Accept-Encoding # HTML, TXT, CSS, JavaScript, JSON, XML, HTC: FilterDeclare COMPRESS FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css 

FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml FilterProvider COMPRESS DEFLATE resp=Content-Type $text/x-component FilterProvider COMPRESS DEFLATE resp=Content-

Type $application/javascript FilterProvider COMPRESS DEFLATE resp=Content-Type $application/json FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xhtml+xml 

FilterProvider COMPRESS DEFLATE resp=Content-Type $application/rss+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/atom+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/vnd.ms-fontobject 

FilterProvider COMPRESS DEFLATE resp=Content-Type $image/svg+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $image/x-icon FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-font-ttf FilterProvider COMPRESS DEFLATE 

resp=Content-Type $font/opentype FilterChain COMPRESS FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no # Legacy versions of Apache AddOutputFilterByType DEFLATE text/html text/plain text/css application/json AddOutputFilterByType 

DEFLATE application/javascript AddOutputFilterByType DEFLATE text/xml application/xml text/x-component AddOutputFilterByType DEFLATE application/xhtml+xml application/rss+xml application/atom+xml AddOutputFilterByType DEFLATE image/x-

icon image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype # ---------------------------------------------------------------------- # Expires headers (for better cache control) # 

---------------------------------------------------------------------- # These are pretty far-future expires headers. # They assume you control versioning with cachebusting query params like # 

HTML form without CSRF protection
********************************


Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as 
CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted
from a user that the website trusts.


Affected items

/ 
/ar 
/bg-ID 
/bs 
/cs 
/da 
/de 
/el 
/es 
/et 
/fa 
/fr 
/he 
/hu 
/id 
/is 
/it 
/ms 
/nl 
/no 
/pl 
/pt 
/pt-BR 
/ro 
/ru 
/sk 
/sl 
/sv 
/th 
/tr 
/vi 
/zh 
/zh-TW 


The impact of this vulnerability
---------------------------------
An attacker may force the users of a web application to execute actions of the attacker's choosing.
A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end 
user is the administrator account, this can compromise the entire web application.



Example

Affected items
/


Attack details
Form name: login-form
Form action: http://www.ebuddy.com/
Form method: POST

Form inputs:

username [Text]
password [Password]
remember [Checkbox]
signinoffline [Checkbox]
network [Hidden]


User credentials are sent in clear text
***************************************


Vulnerability description
------------------------
User credentials are transmitted over an unencrypted channel. 
This information should always be transferred via an encrypted channel (HTTPS) 
to avoid being intercepted by malicious users.

Affected items
--------------

/ 
/ar 
/bg-ID 
/bs 
/cs 
/da 
/de 
/el 
/es 
/et 
/fa 
/fr 
/he 
/hu 
/id 
/is 
/it 
/ms 
/nl 
/no 
/pl 
/pt 
/pt-BR 
/ro 
/ru 
/sk 
/sl 
/sv 
/th 
/tr 
/vi 
/zh 
/zh-TW 

The impact of this vulnerability
---------------------------------

A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection

Example:

Affected Item

/

Attack details
Form name: login-form
Form action: http://www.ebuddy.com/
Form method: POST

Form inputs:

username [Text]
password [Password]
remember [Checkbox]
signinoffline [Checkbox]
network [Hidden]



IV. BUSINESS IMPACT
-------------------------
This type of failure Messengers line they have so many customers are extremely dangerous because they 
can be a serious impact on customers and users

V SOLUTION
------------------------
Write Secure Code


VI. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)

Special Thnaks:Perseo

VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.

#  0day.today [2018-01-03]  #