information – 比翼鳥資訊 – 在天願作比翼鳥在地願為連理枝

Google Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

— Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

(1) WebSite:
google.com

“Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results.

The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy." (Wikipedia)

(2) Vulnerability Description:

Google web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability exists at “Logout?" page with “&continue" parameter, i.e.

https://www.google.com/accounts/Logout?service=writely&continue=https://googleads.g.doubleclick.net

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04)，Apple Safari 6.1.6 of Mac OS X Lion 10.7.

(2.1) When a user is redirected from Google to another site, Google will check whether the redirected URL belongs to domains in Google’s whitelist (The whitelist usually contains websites belong to Google), e.g.
docs.google.com
googleads.g.doubleclick.net

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Google directly.

One of the vulnerable domain is,
googleads.g.doubleclick.net (Google’s Ad System)

(2.2) Use one webpage for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. We can suppose that this webpage is malicious.

Vulnerable URL:
https://www.google.com/accounts/Logout?service=writely&continue=https://google.com/

POC:
https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.inzeed.com%2Fkaleidoscope

POC Video:
https://www.youtube.com/watch?v=btuSq89khcQ&feature=youtu.be

Blog Detail:
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

More Details:
http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html
http://seclists.org/fulldisclosure/2014/Nov/29
http://cxsecurity.com/issue/WLB-2014110106
http://tetraph.blog.163.com/blog/static/23460305120141145350181/
https://infoswift.wordpress.com/2014/05/25/google-web-security/
http://tetraph.tumblr.com/post/119490394042/securitypost#notes
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html
http://webtech.lofter.com/post/1cd3e0d3_706af10
https://twitter.com/tetraphibious/status/559165319575371776
http://tetraph.com/security/covert-redirect/google-based-on-googleads-g-doubleclick-net/
http://www.inzeed.com/kaleidoscope/computer-security/google-covert-g-doubleclick-net/
https://hackertopic.wordpress.com/2014/05/25/google-web-security/

Attachments area
Preview YouTube video Google Covert Redirect Vulnerability Base Googleads.g.doubleclick.net – Bypass Open Redirect Filters

Google Covert Redirect Vulnerability Base Googleads.g.doubleclick.net – Bypass Open Redirect Filters

Comsenz SupeSite CMS Stored XSS (Cross-site Scripting) Security Vulnerabilities

computer pitch

Comsenz SupeSite CMS 7.0 Stored XSS (Cross-site Scripting) Security Vulnerabilities

Exploit Title: Comsenz SupeSite CMS 7.0 Stored XSS Security Vulnerabilities

Product: Supesite CMS (Content Management System)

Vendor: ComSenz

Vulnerable Versions: 6.0.1UC 7.0

Tested Version: 7.0

Advisory Publication: April 15, 2015

Latest Update: April 15, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

Discover and Reporter: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

Proposition Details:

(1) Vendor & Product Description:

Vendor:

Comsenz

Product & Vulnerable Versions:

SupeSite 6.0.1UC

SupeSite 7.0

Vendor URL & Download:

SupeSite can be brought from here,

http://www.comsenz.com/products/other/supesite

http://www.comsenz.com/downloads/install/supesite#down_open

Source code:

http://www.8tiny.com/source/supesite/nav.html?index.html

Product Introduction Overview:

“SupeSite is an independent content management (CMS) function, and integrates Web2.0 community personal portal system X-Space, has a strong aggregation of community portal systems. SupeSite station can be achieved within the forum…

View original post 詳見內文：約297字

Webs ID Reflected XSS (Cross-site Scripting) Security Vulnerabilities

computer pitch

Webs ID Reflected XSS (Cross-site Scripting) Security Vulnerabilities

Exploit Title: Webs ID /login.jsp &error Parameter Reflected XSS (Cross-site Scripting) Security

Vendor: Webs, Inc

Product: Webs ID

Vulnerable Versions:

Tested Version:

Advisory Publication: April 02, 2015

Latest Update: April 02, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

Proposition Details:

(1) Vendor & Product Description:

Vendor:

Webs, Inc

Product & Vulnerable Versions:

Webs ID

Vendor URL & download:

Webs ID can be obtained from here,

http://www.webs.com

http://www.webs.com/blog/2010/04/20/new-easier-way-to-manage-websid-account-settings/

Terms of Service Overview:

" The services offered by Webs, Inc. (“Webs" or “us" or “we" or “our") include the websites at http://www.webs.com and http://www.freewebs.com as well as any other related websites, toolbars, widgets, or other distribution channels we may, from time to…

View original post 詳見內文：約485字

NetCat CMS 3.12 HTML Injection Security Vulnerabilities

computer pitch

NetCat CMS 3.12 HTML Injection Security Vulnerabilities

Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML Injection Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: April 15, 2015

Latest Update: April 15, 2015

Vulnerability Type: Improper Input Validation [CWE-20]

CVE Reference: *

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Discover and Reporter: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

Advisory Details:

(1) Vendor & Product Description:

Vendor:

NetCat

Product & Vulnerable Version:

NetCat

3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Vendor URL & Download:

NetCat can be downloaded from here,

http://netcat.ru/

Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card" with a minimum content to…

View original post 詳見內文：約362字

NetCat CMS 3.12 Multiple Directory Traversal Security Vulnerabilities

computer pitch

NetCat CMS 3.12 Multiple Directory Traversal Security Vulnerabilities

Exploit Title: NetCat CMS 3.12 Multiple Directory Traversal Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: April 14, 2015

Latest Update: April 14, 2015

Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) [CWE-22]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

Discovert and Reporter: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

Advisory Details:

(1) Vendor & Product Description:

Vendor:

NetCat

Product & Vulnerable Version:

NetCat

3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Vendor URL & Download:

NetCat can be obtained from here,

http://netcat.ru/

Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from…

View original post 詳見內文：約373字

Opoint Media Intelligence Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities

computer pitch

Opoint Media Intelligence Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities

Exploit Title: Opoint Media Intelligence click.php? &noblink parameter URL Redirection Security Vulnerabilities

Vendor: Opoint

Product: Opoint Media Intelligence

Vulnerable Versions:

Tested Version:

Advisory Publication: April 14, 2015

Latest Update: April 14, 2015

Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

Discover and Writer: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

Suggestion Details:

(1) Vendor & Product Description:

Vendor:

Opoint

Product & Version:

Opoint Media Intelligence

Vendor URL & Download:

Opoint Media Intelligence can be got from here,

http://www.opoint.com/index.php?page=home

Product Introduction Overview:

“Today, some libraries want to enhance their online presence in ways that go beyond the traditional OPAC and the “library portal" model to better integrate the latest Web functionality. With Opoint Media Intelligence…

View original post 詳見內文：約417字

Proverbs Web Calendar 2.1.2 XSS (Cross-site Scripting) Security Vulnerabilities

Hacker Research Topics

Proverbs Web Calendar 2.1.2 XSS (Cross-site Scripting) Security Vulnerabilities

Exploit Title: Proverbs Web Calendar /calendar.php Multiple Parameters XSS (Cross-site Scripting) Security Vulnerabilities

Vendor: Proverbs

Product: Proverbs Web Calendar

Vulnerable Versions: 1.0.0 1.1 1.2.2 2.1 2.1.2

Tested Version: 1.2.2 2.1

Advisory Publication: April 03, 2015

Latest Update: April 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

Suggestion Details:

(1) Vendor & Product Description:

Vendor:

Proverbs

Product & Vulnerable Versions:

Proverbs Web Calendar

1.0.0

1.1

1.2.2

2.1

2.1.2

Vendor URL:

http://www.proverbs.biz/

Download:

Proverbs Web Calendar can be obtained from here,

http://www.proverbsllc.com/demos/calendar/calendar.php

http://www.hotscripts.com/listing/proverbs-web-calendar/

http://www.c-point.com/free_php_scripts/calendar.php

http://www.html.it/articoli/proverbs-php-web-calendar-v-100-1/

Product Introduction Overview:

“This is a web event calendar developed using PHP and powered by MySQL. The calendar is viewed in month format initially with a…

View original post 詳見內文：約166字

6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities

Hacker Research Topics

6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities

Exploit Title: 6kbbs XSS (Cross-site Scripting) Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: April 02, 2015

Latest Update: April 02, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

Suggestion Details:

(1) Vendor & Product Description:

Vendor:

6kbbs

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

Vendor URL & download:

6kbbs can be obtained from here,

http://www.6kbbs.com/download.html

http://code.google.com/p/6kbbs/downloads/list

Product Introduction Overview:

“6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability…

View original post 詳見內文：約315字

6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities

Hacker Research Topics

6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities

Exploit Title: 6kbbs Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: April 02, 2015

Latest Update: April 02, 2015

Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]

CVE Reference: *

CVSS Severity (version 2.0):

CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

Suggestion Details:

(1) Vendor & Product Description:

Vendor:

6kbbs

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

Vendor URL & download:

6kbbs can be gain from here,

http://www.6kbbs.com/download.html

http://en.sourceforge.jp/projects/sfnet_buzhang/downloads/6kbbs.zip/

Product Introduction Overview:

View original post 詳見內文：約407字

6kbbs v8.0 SQL Injection Security Vulnerabilities

Hacker Research Topics

6kbbs v8.0 SQL Injection Security Vulnerabilities

Exploit Title: 6kbbs Multiple SQL Injection Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: April 01, 2015

Latest Update: April 01, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

Suggestion Details:

(1) Vendor & Product Description:

Vendor:

6kbbs

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

Vendor URL & download:

6kbbs can be obtained from here,

http://www.6kbbs.com/download.html

http://www.bvbcode.com/code/93n8as2z-down

Product Introduction Overview:

“6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but…

View original post 詳見內文：約247字