CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Exploit Title: InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: InstantForum.NET

Vendor: InstantASP

Vulnerable Versions: v4.1.3 v4.1.1 v4.1.2 v4.0.0 v4.1.0 v3.4.0

Tested Version: v4.1.3 v4.1.1 v4.1.2

Advisory Publication: February 18, 2015

Latest Update: April 05, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9468

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Preposition Details:

(1) Vendor & Product Description:

Vendor:

InstantASP

Product & Version:

InstantForum.NET

v4.1.3 v4.1.1 v4.1.2 v4.0.0 v4.1.0 v3.4.0

Vendor URL & Download:

InstantForum.NET can be purchased from here,

http://docs.instantasp.co.uk/InstantForum/default.html?page=v413tov414guide.html

Product Introduction Overview:

“InstantForum.NET is a feature rich, ultra high performance ASP.NET & SQL Server discussion forum solution designed to meet the needs of the most demanding online communities or internal collaboration environments. Now in the forth generation, InstantForum.NET has been completely rewritten from the ground-up over several months to introduce some truly unique features & performance enhancements.”

“The new administrator control panel now offers the most comprehensive control panel available for any ASP.NET based forum today. Advanced security features such as role based permissions and our unique Permission Sets feature provides unparalleled configurable control over the content and features that are available to your users within the forum. Moderators can easily be assigned to specific forums with dedicated moderator privileges for each forum. Bulk moderation options ensure even the busiest forums can be managed effectively by your moderators.”

“The forums template driven skinning architecture offers complete customization support. Each skin can be customized to support a completely unique layout or visual appearance. A single central style sheet controls every aspect of a skins appearance. The use of unique HTML wrappers and ASP.NET 1.1 master pages ensures page designers can easily integrate an existing design around the forum. Skins, wrappers & master page templates can be applied globally to all forums or to any specific forum.”

(2) Vulnerability Details:

InstantForum.NET web application has a cyber security bug problem. It can be exploited by stored XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. InstantForum has patched some of them. BugScan is the first community-based scanner, experienced five code refactoring. It has redefined the concept of the scanner provides sources for the latest info-sec news, tools, and advisories. It also publishs suggestions, advisories, cyber intelligence, attack defense and solutions details related to important vulnerabilities.

(2.1) The first programming code flaw occurs at “&SessionID” parameter in “Join.aspx?” page.

(2.2) The second programming code flaw occurs at “&SessionID” parameter in “Logon.aspx?” page.

References:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9468

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9468

http://packetstormsecurity.com/files/authors/11717

http://marc.info/?a=139222176300014&r=1&w=4

https://progressive-comp.com/?a=139222176300014&r=1&w=1%E2%80%8B

http://lists.openwall.net/full-disclosure/2015/02/18/7

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1608

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01704.html

http://seclists.org/fulldisclosure/2015/Feb/70

https://mathfas.wordpress.com/2015/05/13/cve-2014-9468/

http://www.tetraph.com/blog/cves/cve-2014-9468/

https://www.facebook.com/tetraph/posts/1650055075214452

http://computerobsess.blogspot.com/2015/05/cve-2014-9468-instantasp.html

http://tetraph.blogspot.com/2015/05/cve-2014-9468.html

http://guyuzui.lofter.com/post/1ccdcda4_6f0ba81

https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts/R3Mc7T4zxTj

https://www.facebook.com/permalink.php?story_fbid=1623694467849030&id=1567915086760302

https://twitter.com/justqdjing/status/598424496396046336

http://tetraph.tumblr.com/post/118852991427/cve-2014-9468-instantasp-instantforum-net-multiple

http://mathdaily.lofter.com/post/1cc75b20_6f10e07

https://tetraph.wordpress.com/2015/05/13/cve-2014-9468/

http://whitehatview.tumblr.com/post/118853357881/tetraph-cve-2014-9468-instantasp

CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities

CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities

Exploit Title: vBulletin XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: vBulletin Forum

Vendor:vBulletin

Vulnerable Versions: 5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4

Tested Version:5.1.3 4.2.2

Advisory Publication: February 12, 2015

Latest Update:February 26, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-9469

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Writer and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Preposition Details:

(1) Vendor & Product Description:

Vendor:

vBulletin

Product & Version:

vBulletin Forum

5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4

Vendor URL & Download:

vBulletin can be acquired from here,

https://www.vbulletin.com/purchases/

Product Introduction Overview:

“vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server.”

Since the initial release of the vBulletin forum product in 2000, there have been many changes and improvements. Below is a list of the major revisions and some of the changes they introduced. The current production version is 3.8.7, 4.2.2, and 5.1.3.

Simplified site set up and customization

The new Site Builder makes it easier than ever to build and manage a site. Customizable page templates, drag-and-drop configuration and in-line site editing simplify page layout. A variety of design themes can be easily selected.

Dynamic tools for content discovery

Customizable content modules provide enhanced content discovery, engaging users into deeper site visits. The vBulletin search has been re-architected to significantly improve the quality of its results, further facilitating content discovery.

Sleek new UI features activity stream and increased social engagement

Improved social functionality includes groups, new user profiles, comments functionality, an integrated messaging hub, social content curation, real-time updates and more.

Expanded photo and video capabilities

The new interface invites users to quickly post photos and video, expanding content on vBulletin sites. This media is then leveraged by being better integrated with the rest of a site’s content. User profiles provide an engaging aggregation of all media posted by them.

Category-leading mobile optimization

The integrated mobile-optimized version ensures smartphone visitors will stay longer and return.

Robust architecture

Improved architecture provides better performance and easier customization

Built-in SEO helps maximize search traffic

Easy-to-use upgrader tool available for vBulletin 3 and 4 sites, plus importer for sites on other forum software”

(2) Vulnerability Details:

vBulletin web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. vBulletion has patched some of them. Gmane (pronounced “mane”) is an e-mail to news gateway. It allows users to access electronic mailing lists as if they were Usenet newsgroups, and also through a variety of web interfaces. Gmane is an archive; it never expires messages (unless explicitly requested by users). Gmane also supports importing list postings made prior to a list’s inclusion on the service. It has published suggestions, advisories, solutions related to important vulnerabilities.

(2.1) The programming code flaw occurs at “forum/help” page. Add “hash symbol” first. Then add script at the end of it.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9469

http://packetstormsecurity.com/files/authors/11270

https://progressive-comp.com/?a=139222176300014&r=1&w=1%E2%80%8B

http://lists.openwall.net/full-disclosure/2015/02/13/3

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01684.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1588

http://seclists.org/fulldisclosure/2015/Feb/49

https://www.facebook.com/permalink.php?story_fbid=880689078636904&id=825031907535955&__mref=message_bubble

http://shellmantis.tumblr.com/post/118777939056/lifegrey-cve-2014-9469-vbulletin-xss#notes

http://www.tetraph.com/blog/xss-vulnerability/cve-2014-9469-vbulletin-xss/

http://testingcode.lofter.com/post/1cd26eb9_6eec951

https://www.facebook.com/permalink.php?story_fbid=661392814005834&id=594347777377005&__mref=message_bubble

http://tetraph.blogspot.com/2015/05/cve-2014-9469-vbulletin-xss-cross-site.html

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2014-9469-vbulletin-xss/

https://twitter.com/justqdjing/status/598116948245807105

https://www.facebook.com/computersecurities/posts/375780759275383?http://tetraph.lofter.com/post/1cc758e0_6eeac27

https://plus.google.com/102963385033389079817/posts/1ACxSMZYmCS

http://computerobsess.blogspot.com/2015/05/cve-2014-9469-vbulletin-xss-cross-site.html

CVE-2015-1475 – My Little Forum Multiple XSS Web Security Vulnerabilities

CVE-2015-1475 – My Little Forum Multiple XSS Web Security Vulnerabilities

Exploit Title: My Little Forum Multiple XSS Web Security Vulnerabilities

Vendor: My Little Forum

Product: My Little Forum

Vulnerable Versions: 2.3.3 2.2 1.7

Tested Version: 2.3.3 2.2 1.7

Advisory Publication: February 04, 2015

Latest Update: February 11, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-1475

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Credit: Wang Jing [School of Mathematical Sciences (001), University of Science and Technology of China (USTC)] (@justqdjing)

Recommendation Details:

(1) Vendor & Product Description

Vendor:

My Little Forum

Product & Version:

My Little Forum

2.3.3

2.2

1.7

Vendor URL & Download:

http://mylittleforum.net/

Product Description:

“my little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). It is Open Source licensed under the GNU General Public License. The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL.

Features

Usenet like threaded tree structure of the messages

Different views of the threads possible (classical, table, folded)

Categories and tags

BB codes and smilies

Image upload

Avatars

RSS Feeds

Template engine (Smarty)

Different methods of spam protection (can be combined: graphical/mathematical CAPTCHA, wordfilter, IP filter, Akismet, Bad-Behavior)

Localization: language files, time zone and UTF-8 support (see current version for already available languages)”

(2) Vulnerability Details:

My Little Forum web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several similar products vulnerabilities have been found by some other bug hunter researchers before. My Little Forum has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to XSS vulnerabilities.

(2.1) The first programming code flaw occurs at “forum.php?” page with “&page”, “&category” parameters.

(2.2) The second programming code flaw occurs at “board_entry.php?” page with “&page”, “&order” parameters.

(2.3) The third programming code flaw occurs at “forum_entry.php” page with “&order”, “&page” parameters.

References:

http://tetraph.com/security/xss-vulnerability/my-little-forum-multiple-xss-security-vulnerabilities/

http://securityrelated.blogspot.com/2015/02/my-little-forum-multiple-xss-security.html

http://seclists.org/fulldisclosure/2015/Feb/15

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01652.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1553

http://packetstormsecurity.com/files/authors/11270

http://marc.info/?a=139222176300014&r=1&w=4

http://lists.openwall.net/full-disclosure/2015/02/03/2

http://essaybeans.blogspot.com/2015/05/cve-2015-1475-my-little-forum-multiple.html

http://www.osvdb.org/creditees/12822-wang-jing

https://infoswift.wordpress.com/2015/05/12/cve-2015-1475-my-little-forum-multiple-xss-web-security-vulnerabilities/

https://twitter.com/tetraphibious/status/597971919892185088

http://japanbroad.blogspot.jp/2015/05/cve-2015-1475-my-little-forum-multiple.html

https://www.facebook.com/tetraph/posts/1649600031926623

http://user.qzone.qq.com/2519094351/blog/1431403836

https://www.facebook.com/permalink.php?story_fbid=460795864075109&id=405943696226993

https://plus.google.com/+wangfeiblackcookie/posts/Sj63XDPhH1j

http://essayjeans.blog.163.com/blog/static/2371730742015412037547/#

http://whitehatpost.lofter.com/post/1cc773c8_6ed5839

http://whitehatview.tumblr.com/post/118754859716/cve-2015-1475-my-little-forum-multiple-xss-web

Alle Links zu New York Times Artikel Vor 2013 anfällig für XSS-Angriffe

<span style=”font-size: medium;”><strong>Alle Links zu New York Times Artikel Vor 2013 anfällig für XSS-Angriffe</strong>
</span>

URLs, um Artikel in der New York Times (NYT) vor 2013 veröffentlicht wurden gefunden anfällig für einen XSS (Cross-Site Scripting) Angriff der Lage ist, Code im Kontext des Web-Browsers ausgeführt werden zu können.

<span style=”font-size: medium;”>
Basierend auf nytimes die Gestaltung, fast alle URLs vor 2013 sind betroffen (Alle Seiten von Artikeln). In der Tat, alle Artikel Seiten, die Schaltfläche “Drucken”, “Jede Seite” Taste enthalten, werden “Seite *” Taste “NEXT PAGE” -Taste beeinflusst.</span>

Nytimes geändert diesen Mechanismus seit 2013. Es decodiert die URLs, seine Server gesendet. Dadurch ist der Mechanismus nun viel sicherer.

Jedoch werden alle URLs vor 2013 immer noch mit dem alten Mechanismus. Das bedeutet fast allen Artikelseiten vor 2013 sind immer noch anfällig für XSS-Angriffe. Ich denke, der Grund, nytimes keine URLs filtern, bevor die Kosten. Es kostet zu viel (Geld und Humankapital), um in der Datenbank nach Artikel gepostet, bevor ändern.

Die Sicherheitslücke wurde von einem Mathematik Doktorand <a href=”http://tetraph.com/wangjing”>Wang Jing</a> von der Schule für Physikalische und Mathematische Wissenschaften (SPMS), Nanyang Technological University, Singapur.

POC und Blog Erklärung von Wang gegeben,
<a href=”https://www.youtube.com/watch?v=RekCK5tjXWQ”>https://www.youtube.com/watch?v=RekCK5tjXWQ</a>
<a href=”http://tetraph.com/security/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/”>http://tetraph.com/security/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/</a>

Unterdessen sagte Wang: “Die New York Times hat einen neuen Mechanismus jetzt angenommen. Dies ist eine bessere Schutzmechanismus.”

<strong>Auch wenn die Artikel sind alt, sind die Seiten noch relevant</strong>
Ein Angriff auf neueren Artikel würde auf jeden Fall haben erhebliche Auswirkungen gehabt, aber Artikeln von 2012 oder sogar noch älter sind alles andere als überholt. Es wäre immer noch im Rahmen eines Angriffs von Bedeutung sein.

Cyberkriminelle können verschiedene Möglichkeiten, um den Link, um potenzielle Opfer zu senden und aufzuzeichnen hohen Erfolgsraten, alle mit mehr gezielte Angriffe zu entwickeln.

<strong>Was ist XSS?</strong>
Cross-Site Scripting (XSS) ist eine Art von Computer-Sicherheitslücke in der Regel in Web-Anwendungen gefunden. XSS ermöglicht es Angreifern, clientseitige Skript in Webseiten, die von anderen Benutzern eingesehen zu injizieren. Eine Cross-Site-Scripting-Schwachstelle kann von Angreifern wie der Same Origin Policy verwendet werden, um Zugangskontrollen zu umgehen. Cross-Site Scripting auf Webseiten durchgeführt entfielen rund 84% aller Sicherheitslücken von Symantec ab 2007 dokumentiert (Wikipedia)

 
<div><strong><span style=”font-size: medium;”>Referenzen:<a href=”http://securitynewswire.com/securitynews2012/article.php?title=XSS_Risk_Found_in_Links_to_New_York_Times_Articles_Prior_to_2013″ target=”_blank”>
</a></span></strong><span style=”font-size: medium;”><a href=”http://securitynewswire.com/securitynews2012/article.php?title=XSS_Risk_Found_in_Links_to_New_York_Times_Articles_Prior_to_2013″ target=”_blank”>http://securitynewswire.com/</a></span><span style=”font-size: medium;”><a href=”http://securitynewswire.com/securitynews2012/article.php?title=XSS_Risk_Found_in_Links_to_New_York_Times_Articles_Prior_to_2013″ target=”_blank”>securitynews2012/article.php?title=XSS_Risk_Found_in_Links_to_New_York_Times_Articles_Prior_to_2013</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://www.veooz.com/news/FHb0__Q.html” target=”_blank”>http://www.veooz.com/news/<wbr />FHb0__Q.html</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://www.tomsguide.com/us/xss-flaw-ny-times,news-19784.html” target=”_blank”>http://www.tomsguide.com/us/<wbr />xss-flaw-ny-times,news-19784.<wbr />html</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://www.hotforsecurity.com/blog/cross-site-scripting-xss-vulnerability-in-new-york-times-articles-before-2013-10555.html” target=”_blank”>http://www.hotforsecurity.com/<wbr />blog/cross-site-scripting-xss-<wbr />vulnerability-in-new-york-<wbr />times-articles-before-2013-<wbr />10555.html</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://news.softpedia.com/news/XSS-Risk-Found-In-Links-to-New-York-Times-Articles-Prior-to-2013-462334.shtml” target=”_blank”>http://news.softpedia.com/<wbr />news/XSS-Risk-Found-In-Links-<wbr />to-New-York-Times-Articles-<wbr />Prior-to-2013-462334.shtml</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://itsecuritynews.info/tag/wang-jing/” target=”_blank”>http://itsecuritynews.info/<wbr />tag/wang-jing/</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://telezkope.com/Technology/Programming/3321242/cross-site-scripting-xss-vulnerability-in-new-york-times-articles-before-2013″ target=”_blank”>http://telezkope.com/<wbr />Technology/Programming/<wbr />3321242/cross-site-scripting-<wbr />xss-vulnerability-in-new-york-<wbr />times-articles-before-2013</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://www.tetraph.com/wangjing”>http://www.tetraph.com/wangjing</a>
</span></div>
<div><span style=”font-size: medium;”><a href=”http://news.silobreaker.com/google-doubleclicknetadvertising-system-url-redirection-vulnerabilities-can-be-used-by-spammers-5_2268368584637939712″ target=”_blank”>http://news.silobreaker.com/<wbr />google-<wbr />doubleclicknetadvertising-<wbr />system-url-redirection-<wbr />vulnerabilities-can-be-used-<wbr />by-spammers-5_<wbr />2268368584637939712</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://worldnew.org/xss-flaw-may-exist-in-the-old-new-york-times-article-pages.html” target=”_blank”>http://worldnew.org/xss-flaw-<wbr />may-exist-in-the-old-new-york-<wbr />times-article-pages.html</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://tetraph.wordpress.com/2014/11/01/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-before-2013-are-affected/” target=”_blank”>http://tetraph.wordpress.com/<wbr />2014/11/01/new-york-times-<wbr />nytimes-com-page-design-xss-<wbr />vulnerability-almost-all-<wbr />article-pages-before-2013-are-<wbr />affected/</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://tetraph.tumblr.com/post/101472580032/new-york-times-nytimes-com-page-design-xss” target=”_blank”>http://tetraph.tumblr.com/<wbr />post/101472580032/new-york-<wbr />times-nytimes-com-page-design-<wbr />xss</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://www.inzeed.com/kaleidoscope/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/” target=”_blank”>http://www.inzeed.com/<wbr />kaleidoscope/xss-<wbr />vulnerability/new-york-times-<wbr />nytimes-com-page-design-xss-<wbr />vulnerability-almost-all-<wbr />article-pages-are-affected/</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/” target=”_blank”>http://diebiyi.com/articles/%<wbr />E5%AE%89%E5%85%A8/xss-<wbr />vulnerability/new-york-times-<wbr />nytimes-com-page-design-xss-<wbr />vulnerability-almost-all-<wbr />article-pages-are-affected/</a></span></div>
<div><span style=”font-size: medium;”><a href=”http://securityrelated.blogspot.sg/2014/10/new-york-times-nytimescom-page-design.html?view=mosaic” target=”_blank”>http://securityrelated.<wbr />blogspot.com/2014/10/new-york-<wbr />times-nytimescom-page-design.<wbr />html?view=mosaic</a></span></div>
<div></div>
<div></div>
<div></div>
<div></div>
<div></div>

Sicherheitslücke in OAuth 2.0 und OpenID gefunden

Wang Jing, Student an der Nanyang Technological University in Singapur, hat nach dem Bekanntwerden des OpenSSL-Heartbleed-Lecks, eine weitere schwere Sicherheitslücke entdeckt, diesmal in den Authentifizierungsmethoden OAuth 2.0 und OpenID. Die als “Covert Redirect” (“Heimliche Umleitung”) benannte Sicherheitslücke ermöglicht es Angreifern, dem Nutzer einen echt aussehenden Login-Screen unterzujubeln und sich so Zugriff auf die bereitgestellten Daten zu verschaffen. Das gefährliche daran: Die Sicherheitslücke besitzt – anders als bisher bekannte Fishing-Versuche – eine legitime Domainadresse, kann also über einen Blick in die URL-Zeile des Browsers nicht oder nur sehr schwer entlarvt werden. Auf OAuth 2.0 und OpenID bieten inzwischen zahlreiche Webdienste um einen direkten Login in andere Dienste und Apps zu ermöglichen, darunter auch Google, Facebook, Microsoft und Co.

So ist es möglich, dem Nutzer eine Mail mit einem speziell präparierten Link zukommen zu lassen, ein Klick auf diesen öffnet eben wie gesagt eine legitime Adresse samt entsprechendem Logo. Autorisiert der Nutzer dann diese Anfrage und loggt sich in den Dienst ein, so werden die Daten nicht an die vermeintliche App weitergeleitet, sondern gelangen eben in den Besitz des Angreifers. Je nachdem, welche Daten abfragt werden, bekommt dieser somit also E-Mail-Adresse, Geburtsdatum, Kontaktlisten und dergleichen. Ebenso ist es möglich, den Nutzer nach dem Login auf eine beliebige Webseite, welche unter Umständen Malware verbreitet, weiterzuleiten.

Die Lösung des Problems könnte aber – wenn es überhaupt einmal eine geben sollte – eine langwierige Sache sein. Wang Jing hat bereits etliche größere Anbieter der Loginmethoden angeschrieben und über die gefundene Sicherheitslücke aufgeklärt, hierbei gab es jedoch unterschiedliche Aussagen. Im Hause Google beobachtet man das Problem, Microsoft ist sich keiner Schuld bewusst und schiebt die Sicherheitslücke an Drittanbieter ab. Lediglich Facebook scheint hier ehrlich zu sein und gibt an, dass es sich dabei um ein grundsätzliches Problem von OAuth 2.0 und OpenID handelt – möchte man nicht eine umfangreiche Whitelist mit sämtlichen nicht-schädlichen Apps pflegen, ist die Sicherheitslücke nicht “mal eben so” zu beheben. Im Grunde dürften sich sämtliche Gegenmaßnahmen negativ auf die Nutzererfahrung auswirken, was natürlich keiner der Dienste in Kauf nehmen möchte – und so bleibt es hierbei scheinbar beim “kleineren Übel” für die Anbieter.

Direktlink zum Video:

https://www.youtube.com/watch?v=HUE8VbbwUms

So bleibt eigentlich nur die Möglichkeit, auf OAuth 2.0 oder OpenID als Login-Methode für Drittanbieter Dienste und Apps zu verzichten oder genauestens darauf zu achten, auf was man klickt. Hat man keine explizite Autorisierung angestoßen, sollte man die geöffneten Tabs umgehend schließen und darauf hoffen, dass sich nicht doch irgendwo ein falscher Link eingepfercht hat.

Quelle:
http://www.blogtogo.de/sicherheitsluecke-in-oauth-2-0-und-openid-gefunden/