PAGELIME CMS jQuery Cross Site Scripting / Unencrypted __VIEWSTATE parameter / User credentials are sent in clear text / Login page password-guessing attack =================================================== Not Response Not Fixed Full Disclosure I. VULNERABILITY ------------------------- #Title: PAGELIME CMS PAGELIME CMS jQuery Cross Site Scripting / Unencrypted __VIEWSTATE parameter / User credentials are sent in clear text / Login page password-guessing attack #Vendor:http://cms.pagelime.com/CMS/Login.aspx #Author:Juan Carlos Garca (@secnight) #Follow me Twitter:@secnight II. DESCRIPTION ------------------------- PageLime is a hosted Content Management System (CMS) for designers, web agencies, and web developers. It allows you to manage text, images, and documents on your site by logging into a web-app that's hosted on our servers. The best part is that it doesn't matter where your site is hosted, it doesn't matter whether you use PHP, Java, or ASP (or no scripting platform), and you don't have to make a single change to your site architecture. III. PROOF OF CONCEPT ------------------------- jQuery Cross Site Scripting **************************** Vulnerability description --------------------------- This page is using an older version of jQuery that is vulnerable to a Cross Site Scripting vulnerability. Many sites are using to select elements using location.hash that allows someone to inject script into the page. This problem was fixed in jQuery 1.6.3. Affected items ---------------- /linked/js/jquery/jquery.js The impact of this vulnerability ------------------------------------- Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. How to fix this vulnerability -------------------------------- Update to the latest version of jQuery. Web references -------------- jQuery 1.6.3 Released Unencrypted __VIEWSTATE parameter ********************************* /cms/login.aspx Vulnerability description ------------------------- The __VIEWSTATE parameter is not encrypted. To reduce the chance of someone intercepting the information stored in the ViewState, it is good design to encrypt the ViewState. To do this, set the machineKey validation type to 3DES. This instructs ASP.NET to encrypt the ViewState value using the Triple DES symmetric encryption algorithm. Attack details ----------------- form name: "frmMain" form action: "Login.aspx" VIEWSTATE: "/wEPDwUKMTgxMjY1MTI5NWRk" How to fix this vulnerability ------------------------------- Open Web.Config and add the following line under the <system.web> element: <machineKey validation="3DES"/> User credentials are sent in clear text ***************************************** /cms/login.aspx /cms/login.aspx (4cc8ecea42c4617e027d8b851edda7cc) User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users. A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. Because user credentials are considered sensitive information, should always be transferred to the server over an encrypted connection (HTTPS). Login page password-guessing attack *********************************** /cms/login.aspx A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more information about fixing this problem. Attack Details -------------- Tested 10 invalid credentials and no account lockout was detected. POST /cms/login.aspx HTTP/1.1 ctlLogin%24btnLogin=Login&ctlLogin%24btnResetPassword=Reset%20Password&ctlLogin%24hdnHashValue=&ctlLogin%24txtEmail=PmenOCN2%40cms.pagelime.com&ctlLogin%24txtForgotPasswordEmail=sample%40email.tst&ctlLogin %24txtPassword=qFh0EThN&__EVENTVALIDATION=%2fwEWBwKBjI%2bBBQLz36bfDwLG5PUzAqSqy6IPAteqpu0GAuC699oKAor8x9QJ&__VIEWSTATE= %2fwEPDwUKMTgxMjY1MTI5NQ9kFgICAw9kFgICAQ9kFgJmD2QWAgIFDw8WCB4IQ3NzQ2xhc3MFA3JlZB4EVGV4dAU4V2UgY291bGQgbm90IGZpbmQgdGhlIHNwZWNpZmllZCBlbWFpbC4gUGxlYXNlIHRyeSBhZ2Fpbi4eBF8hU0ICAh4HVmlzaWJsZWdkZGQ%3d The impact of this vulnerability ---------------------------------- An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers, and symbols until it discovers the one correct combination that works. How to fix this vulnerability -------------------------------- It's recommended to implement some type of account lockout after a defined number of incorrect password attempts. IV. BUSINESS IMPACT ------------------------- This type of failure Banks On line they have so many customers are extremely dangerous because they can be a serious impact on customers. No bank can have bugs in the code. Customer trust can be affected V SOLUTION ------------------------ Secure Code and Update JQuery VI. CREDITS ------------------------- This vulnerability has been discovered by Juan Carlos Garca(@secnight) VII. LEGAL NOTICES ------------------------- The Author accepts no responsibility for any damage caused by the use or misuse of this information.