
Wednesday, April 22, 2015

Re: [FD] Photo Manager Pro 4.4.0 iOS - Code Execution Vulnerability

This looks like a reflected XSS, not a code execution vulnerability as the term is commonly understood.

On Tue, Apr 21, 2015 at 11:34 AM, Vulnerability Lab <research@vulnerability-lab.com> wrote:

> Document Title:
> ===============
> Photo Manager Pro 4.4.0 iOS - Code Execution Vulnerability
>
>
> References (Source):
> ====================
> http://ift.tt/1AZOByY
>
>
> Release Date:
> =============
> 2015-03-10
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1444
>
>
> Common Vulnerability Scoring System:
> ====================================
> 8.6
>
>
> Product & Service Introduction:
> ===============================
> Do you have troubles for managing thousands of photos and videos? Do you
> have any private photos or videos? Are you looking for a photo portfolio app?
> Photo Manager Pro is exactly what you are looking for. Photo Manager Pro is
> extremely easy to use. TP Transfer: Transfer folders and files between computer
> and device over wifi network. HTTP Transfer: Transfer files between
> computer and device over wifi network. View photos in the browser. Peer to Peer
> Transfer: Directly transfer files between iPad, iPhone and iPod Touch over
> wifi network. USB Transfer: Import/Export photos from/to iTunes file sharing.
> Basic Transfer: Import/Export photos from/to the Photos app.
>
> (Copy of the Vendor Homepage:
> http://ift.tt/1DHFhEB &
> http://ift.tt/1J5AUHW )
>
>
> Abstract Advisory Information:
> ==============================
> The Vulnerability Laboratory Research Team discovered a code execution
> vulnerability in the official Linkus Photo Manager Pro v4.4.0 iOS mobile
> web-application.
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2015-03-10: Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
> Linkus
> Product: Photo Manager Pro - iOS Mobile Web Application (Wifi) 4.4.0
>
>
> Exploitation Technique:
> =======================
> Remote
>
>
> Severity Level:
> ===============
> Critical
>
>
> Technical Details & Description:
> ================================
> An arbitrary code execution vulnerability has been discovered in the
> official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
> The vulnerability allows remote attackers to execute malicious codes on
> the application-side of the vulnerable app to compromise the
> target mobile device.
>
> The vulnerability is located in the `folderName` value of the
> `newfolder.action` module. Remote attackers are able to manipulate the
> `folderName` value in the `index.html#?w=300` file POST method request to
> compromise the application, user session information or connected
> device components. The attacker tampers the new Folder POST method request
> to exchange the regular folderName value with special crafted code.
> The input context becomes visible at the main index service or
> subfolder (path). The vector of the vulnerability is located on the
> application-side.
>
> The security risk of the arbitrary code execution vulnerability is
> estimated as high with a cvss (common vulnerability scoring system) count
> of 8.6.
> Exploitation of the arbitrary code execution vulnerability requires no
> user interaction or privileged web-application user account with password.
> Successful exploitation of the vulnerability results in session hijacking,
> persistent phishing, persistent external redirects and persistent
> manipulation function or connected module context.
>
> Request Method(s):
> [+] [POST]
>
> Vulnerable Module(s):
> [+] newfolder.action
>
> Vulnerable Parameter(s):
> [+] folderName
>
> Affected Module(s):
> [+] Index (http://localhost:8080)
> [+] Sub Category Path
>
>
> Proof of Concept (PoC):
> =======================
> The code execution vulnerability can be exploited by remote attackers
> without privileged application user account or user interaction.
> For security demonstration or to reproduce the vulnerability follow the
> provided information and steps below to continue.
>
> PoC: Create Folder
>
>
> ... after surfing to the created folder
>
>
> PoC: Vulnerable Source
> }
>
> function createFolder() {
>     $.ajax({
>         type: 'POST',
>         url: 'newfolder.action',
>         cache: false,
>         dataType: 'json',
>         data: {folderName:$('#foldername').attr('value'),
>                isSubfolder:$('#is_subfolder_hidden').attr('value'),
>                parentFolderID:$('#parent_folder_hidden').attr('value')},
>         async: false,
>         success: function(result) {
>             window.location.reload(false);
>         }
>     });
> }

Source: Gmail -> IFTTT-> Blogger
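
The quoted advisory says the `folderName` value posted to `newfolder.action` is shown again in the index and subfolder listing. As an added example (not code from this post, the advisory or the vendor), this is one way a server could validate that field on input and HTML-encode it on output; the helper names, the 64-character limit, the in-memory `store` and the `folder?id=` link format are assumptions.

```javascript
'use strict';
// Added example: hypothetical helpers, not the app's real code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML text and quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation for folderName: reject bad names instead of "cleaning" them.
function validateFolderName(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const name = raw.normalize('NFC').trim();
  if (name.length === 0 || name.length > 64) return { ok: false, reason: 'length' };
  // Control characters, markup delimiters and path separators are refused.
  if (/[\u0000-\u001f\u007f<>"\/\\]/.test(name)) return { ok: false, reason: 'forbidden character' };
  if (name === '.' || name === '..') return { ok: false, reason: 'reserved name' };
  return { ok: true, name };
}

// Handler for the new-folder POST: fields are the parsed form values,
// store is an assumed in-memory array standing in for the app's folder table.
function handleNewFolder(fields, store) {
  const check = validateFolderName(fields.folderName);
  if (!check.ok) return { status: 400, error: check.reason };
  const id = store.length + 1;
  store.push({ id, name: check.name });
  return { status: 200, id };
}

// Index rendering: every stored name is encoded at output time, so a name
// that reached storage by another route (USB or peer transfer) is still inert.
function renderFolderList(folders) {
  const items = folders.map((f) =>
    `<li><a href="folder?id=${encodeURIComponent(f.id)}">${escapeHtml(f.name)}</a></li>`);
  return `<ul>\n${items.join('\n')}\n</ul>`;
}

// Constructed sample input: one ordinary name, one carrying markup.
const store = [];
console.log(handleNewFolder({ folderName: 'Holiday 2015' }, store));
console.log(handleNewFolder({ folderName: '"><b>holiday</b>' }, store));
console.log(renderFolderList(store.concat([{ id: 99, name: '<b>legacy</b>' }])));
```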
