Vulnerability Research


This hack requires numerous steps to bypass a number of security measures taken by PayPal to protect manager.paypal.com.  PayPal were very quick in resolving the issue.

An XML External Entity vulnerability was discovered and reported on the 11th of February.

Due to the nature of the data returned (including full credit card information in plain text), only a summary of the issue is being reported.  Details are minimal and there are no screenshots.  Sorry.

An XML External Entity vulnerability was discovered within Google's Public Explorer and reported on the 13th of February (Google closed down this vulnerability within an hour).

This issue was reported on Sunday, 2/16/2014, at 7:14am.  At 10:09am, I received an email back from Andrew stating they had confirmed the issue and were working on a fix.  At 4:22pm, I received another email from Andrew stating the issue had now been resolved and the vulnerability was no longer present.  Pretty impressive, especially when considering it was a Sunday.  If you are a customer of Shopify, you should be happy about this commitment to security.

This attack allows for a cross-store (so essentially unauthenticated, as we have not authenticated to our target store) privilege escalation attack, creating an administrative user on any gostorego online store.  As indicated by their own website, there are over 200,000 active stores.  This vulnerability was reported to the eBay Enterprise Bug Bounty team on Sunday 9th February 2014.  They and the Magento engineering team put out a fix for this issue extremely quickly, so pats on the back all around are deserved.  I tested the issue and tried a few workarounds, but the fix holds good.

This paper shows how to hijack existing privileged accounts and gain full administrative access to the CMS as an unauthenticated user, bypassing the previous fix.  At a quick glance, Version 9 does not appear to be vulnerable.  PayPal fixed the issue extremely quickly (within an hour) with their own workaround.  Excellent work by their security and dev team.

This attack will show how to read other users' emails without leaving any visible trace.

This attack will elevate a regular SmarterMail user to Domain Administrator.

Apparently this vulnerability never existed.  Download the FileStoreServlet.jar file, which was obtained through the attack.

An XSS issue within financing.paypal.com.

This paper shows how to hijack existing privileged accounts and gain full administrative access to the CMS as an unauthenticated user.  A following paper will be released shortly that bypasses the security fix.

Sitecore CMS is vulnerable to an Insecure Direct Object Reference attack - https://www.owasp.org/index.php/Top_10_2010-A4.  This vulnerability allows for a complete compromise of the CMS and the server it is installed upon through the upload of a remote shell.

Mura CMS is vulnerable to an Insecure Direct Object Reference attack - https://www.owasp.org/index.php/Top_10_2010-A4.  This vulnerability allows for a complete compromise of the CMS and the server it is installed upon through the upload of a remote shell.    UPDATE: A patch has now been released and is available here.

SmarterMail is vulnerable to an Insecure Direct Object Reference attack - https://www.owasp.org/index.php/Top_10_2010-A4.  This vulnerability allows for a complete compromise of the mail server and the server it is installed upon through the upload of a remote shell running as NT Authority / System.

Sitecore's “special way” of displaying XML Controls directly allows for a Cross Site Scripting attack; more can be achieved with these XML Controls and will be documented in another vulnerability report.


This file will be updated later, but in the meantime, should you happen to come across Sitecore during a web application security assessment, you may find it useful.