Geonick Social Network Clickjacking / Credential Disclosure

2013.08.30
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

GEONICK SOCIAL-NETWORK Insecure crossdomain.xml file / Clickjacking: X-Frame-Options header missing / User credentials are sent in clear text Time-Line Vulnerability *********************** Multiple Advisories but NOT RESPONSE Then Full Disclosure I-VULNERABILITY ------------------------- #Title: GEONICK SOCIAL-NETWORK Insecure crossdomain.xml file / Clickjacking: X-Frame-Options header missing / User credentials are sent in clear text/ #Vendor:http://geonick.com #Author:Juan Carlos Garca (@secnight) #Follow me http://www.highsec.es http://hackingmadrid.blogspot.com Twitter:@secnight II-Introduction: ================ Geonick is a Spanish social network and a search engine that lets you find people around you or far corners that share your interests, hobbies and interests. Geonick is a free social network that offers an option some advanced features and payment. Literal : ""Because we believe in the Internet, in social relations, information sharing and the exchange of messages but we believe that all this can be based on respect for the individual, his privacy." ==================== III-PROOF OF CONCEPT ==================== Attack details -------------- Insecure crossdomain.xml file ****************************** The browser security model normally prevents web content from one domain from accessing data from another domain. This is commonly known as the "same origin policy". URL policy files grant cross-domain permissions for reading data. They permit operations that are not permitted by default. The URL policy file is located, by default, in the root directory of the target server, with the name crossdomain.xml (for example, at www.example.com/crossdomain.xml). When a domain is specified in crossdomain.xml file, the site declares that it is willing to allow the operators of any servers in that domain to obtain any document on the server where the policy file resides. The crossdomain.xml file deployed on this website opens the server to all domains (use of a single asterisk "*" as a pure wildcard is supported) like so: <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy> This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies. Sites that use the common practice of authentication based on cookies to access private or user-specific data should be especially careful when using cross-domain policy files. Attack details -------------- The crossdomain.xml file is located at /crossdomain.xml (2) GET /crossdomain.xml HTTP/1.1 Host: geonick.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Response HTTP/1.1 200 OK Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough /2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.35 mod_fcgid/2.3.6 Last-Modified: Tue, 18 Oct 2011 19:37:56 GMT ETag: "620d41-60-4af97dc318d00" <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy> Clickjacking: X-Frame-Options header missing(2) *********************************************** Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. The impact of this vulnerability The impact depends on the affected web application. How to fix this vulnerability Configure your web server to include an X-Frame-Options header. User credentials are sent in clear text ***************************************** User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users. Affected items / /join.php (8dc38e7512b6a37942d44d069e27a3c8) /join.php (d8028533028fdeb45b1cce8901809db6) /join.php/user=tourist /member.php (975a4a1b7430a0d8d05b765506281cce) /member.php (f15bbaf05a65fce70291e7e91f71abea) The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. How to fix this vulnerability Because user credentials are considered sensitive information, should always be transferred to the server over an encrypted connection (HTTPS). IV. CREDITS ------------------------- This vulnerability has been discovered by Juan Carlos Garca(@secnight) V. LEGAL NOTICES ------------------------- The Author accepts no responsibility for any damage caused by the use or misuse of this information.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top