OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities


Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML Injection Web  Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: April 15, 2015
Latest Update: April 15, 2015
Vulnerability Type: Improper Input Validation [CWE-20]
CVE Reference: *
OSVDB Reference: 120807
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discover and Reporter: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)







Advisory Details:


(1) Vendor & Product Description:


Vendor:
NetCat



Product & Vulnerable Version:
NetCat
3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1



Vendor URL & Download:
NetCat can be downloaded from here,
http://netcat.ru/




Product Introduction Overview:
NetCat.ru is russian local company. "NetCat designed to create an absolute majority of the types of sites: from simple "business card" with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data - in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000."







(2) Vulnerability Details:
NetCat web application has a computer security bug problem. It can be exploited by HTML Injection attacks. Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.

Several NetCat products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. "Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What's more, you can now subscribe to an RSS feed containing the specific tags that you are interested in - you will then only receive alerts related to those tags." It has published suggestions, advisories, solutions details related to cyber security vulnerabilities.






(2.1) The programming code flaw occurs at "/catalog/search.php?" page with "&q" parameter.









Related Articles:
http://seclists.org/fulldisclosure/2015/Apr/37
http://lists.openwall.net/full-disclosure/2015/04/15/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1843
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01922.html
http://cxsecurity.com/search/author/DESC/AND/FIND/1/10/Wang+Jing/
https://progressive-comp.com/?l=full-disclosure&m=142907520526783&w=1
http://tetraph.com/security/html-injection/netcat-cms-3-12-html-injection/
http://whitehatpost.blog.163.com/blog/static/242232054201551434123334/
http://russiapost.blogspot.ru/2015/06/netcat-html-injection.html
https://inzeed.wordpress.com/2015/04/21/netcat-html-injection/
http://computerobsess.blogspot.com/2015/06/osvdb-120807.html
http://blog.163.com/greensun_2006/blog/static/11122112201551434045926/
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-3-12-html/
http://germancast.blogspot.de/2015/06/netcat-html-injection.html
http://diebiyi.com/articles/security/netcat-cms-3-12-html-injection/

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities


Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: March 07, 2015
Latest Update: March  07, 2015
Vulnerability Type: Improper Neutralization of CRLF Sequences ('CRLF Injection') [CWE-93]
CVE Reference: *
OSVDB Reference: 119342, 119343
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discover and Author: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)







Advisory Details:


(1) Vendor & Product Description:


Vendor:
NetCat


Product & Version:
NetCat
5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


Vendor URL & Download:
NetCat can be got from here,
http://netcat.ru/


Product Introduction:
NetCat.ru is russian local company. "NetCat designed to create an absolute majority of the types of sites: from simple "business card" with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data - in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000."





(2) Vulnerability Details:
NetCat web application has a computer security bug problem. It can be exploited by HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to CRLF vulnerabilities and cyber intelligence recommendations.

(2.1) The first code flaw occurs at "/post.php" page with "redirect_url" parameter by adding "%0d%0a%20".

(2.2) The second code flaw occurs at "redirect.php?" page with "url" parameter by adding "%0d%0a%20".










References:
http://www.osvdb.org/show/osvdb/119342
http://www.osvdb.org/show/osvdb/119343
http://lists.openwall.net/full-disclosure/2015/03/07/3
http://seclists.org/fulldisclosure/2015/Mar/36
http://marc.info/?l=full-disclosure&m=142576233403004&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01768.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1676

http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://essayjeans.blog.163.com/blog/static/23717307420155142423197/
http://computerobsess.blogspot.com/2015/06/osvdb-119342-netcat-crlf.html
http://diebiyi.com/articles/bugs/netcat-cms-crlf
http://tetraph.blog.163.com/blog/static/234603051201551423749286/
https://webtechwire.wordpress.com/2015/03/14/osvdb-119342-netcat-crlf/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple-http-re
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms

6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities


Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1   v8.0
Tested Version: v7.1   v8.0
Advisory Publication: June 08, 2015
Latest Update: June 10, 2015
Vulnerability Type: Inadequate Encryption Strength [CWE-326]
CVE Reference: *
CVSS Severity (version 2.0):
Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)





Recommendation Details:


(1) Vendor & Product Description:


Vendor:
6kbbs



Product & Vulnerable Versions:
6kbbs
v7.1
v8.0



Vendor URL & download:
6kbbs can be gain from here,
http://www.6kbbs.com/download.html




Product Introduction Overview:
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user's preferred utility functions. Forum Technical realization (a) interface : using XHTML + CSS structure, so the structure of the page , easy to modify the interface ; save the transmission static page code , greatly reducing the amount of data transmitted over the network ; improve the interface scalability , more in line with WEB standards, support Internet Explorer, FireFox, Opera and other major browsers. (b) Program : The ASP + ACCESS mature technology , the installation process is extremely simple , the environment is also very common."


"(1) PHP version : (a) 6kbbs V8.0 start using PHP + MySQL architecture. (b) Currently ( July 2010 ) is still in the testing phase , 6kbbs V8.0 is the latest official release. (2) ASP Version: 6kbbs (6k Forum) is an excellent community forum process . The program is simple but not simple ; fast , small ; interface generous and good scalability ; functional and practical . pursue superiority , good interface , practical functions of choice for subscribers."





(2) Vulnerability Details:
6kbbs web application has a computer security problem. It can be exploited by weak encryption attacks. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.


Several 6kbbs products 0-day web cyber bugs have been found by some other bug hunter researchers before. 6kbbs has patched some of them. "The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the web securities have been published here.




Source Code:
<?php
if(empty($row)){
        $extrow=$db->row_select_one("users","username='{$username}'");
        if(!empty($extrow) && !empty($extrow['salt'])){
                if(md5(md5($userpass).$extrow['salt'])==$extrow['userpass']){
                        $row=$extrow;
                        $new_row["userpass"]=$userpass_encrypt;
                        $new_row["salt"]="";
                        $db->row_update("users",$new_row,"id={$extrow['id']}");
                }
        }
}
?>



Source Code From:
http://code.google.com/p/6kbbs/source/browse/trunk/convert/discuz72/loginext.php?r=16


We can see that "userpass" stored in cookie was encrypted using "$userpass" user password directly. And there is no "HttpOnly" attribute at all. Since md5 is used for the encryption, it is easy for hackers to break the encrypted message.


"The MD5 message-digest cryptography algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. Papers about it have been published on Eurocrypt, Asiacrypt and Crypto. Meanwhile, researchers focusing on it spread in Computer Science, Computer Engineering, IEEE and Mathematics. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. The source code in RFC 1321 contains a "by attribution" RSA license." (Wikipedia)









References:
http://seclists.org/fulldisclosure/2015/Jun/34
http://lists.openwall.net/full-disclosure/2015/06/11/6
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02160.html
https://packetstormsecurity.com/files/132270/6kbbs-7.1-8.0-Weak-Cryptography.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2092
http://tetraph.blog.163.com/blog/static/234603051201551415853846/#
http://essaybeans.blogspot.com/2015/06/6kbbs-v80-weak-encryption-cryptography.html
https://mathfas.wordpress.com/2015/06/14/6kbbs-weak-encryption/
http://tetraph.com/security/weak-encryption/6kbbs-v8-0-weak-encryption/
http://securityrelated.blogspot.com/2015/06/6kbbs-v80-weak-encryption-cryptography.html
https://vulnerabilitypost.wordpress.com/2015/06/11/6kbbs-v8-0-weak-encryption/
http://www.inzeed.com/kaleidoscope/computer-security/6kbbs-v8-0-weak-encryption/

CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

CVE-2014-8753  Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: Cit-e-Access

Vendor: Cit-e-Net

Vulnerable Versions: Version 6

Tested Version: Version 6

Advisory Publication: February 12, 2015

Latest Update: June 01, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8753

Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Instruction Details:

(1) Vendor & Product Description:

Vendor:

Cit-e-Net

Product & Version: 

Cit-e-Access

Version 6

Vendor URL & Download: 

Cit-e-Net can be downloaded from here,

https://www.cit-e.net/citeadmin/help/cntrainingmanualhowto.pdf

http://demo.cit-e.net/

http://www.cit-e.net/demorequest.cfm

http://demo.cit-e.net/Cit-e-Access/ServReq/?TID=1&TPID=17

Product Introduction:

"We are a premier provider of Internet-based solutions encompassing web site development and modular interactive e-government applications which bring local government, residents and community businesses together.

Cit-e-Net provides a suite of on-line interactive services to counties, municipalities, and other government agencies, that they in turn can offer to their constituents. The municipal government achieves a greater degree of efficiency and timeliness in conducting the daily operations of government, while residents receive improved and easier access to city hall through the on-line access to government services.

Our web-based applications can help your municipality to acheive its e-government goals. Type & click website content-management empowers the municipality to manage the website quickly and easily. Web page styles & formats are customizable by the municipality, and because the foundation is a database application, user security can be set for individual personnel and module applications. Our application modules can either be integrated into your existing municipal web site or implemented as a complete web site solution. It's your choice! Please contact us at info@cit-e.net to view a demonstration of our municipal web site solution if you are an elected official or member of municipal management and your municipality is looking for a cost efficient method for enhancing & improving municipal services. 

Interactive Applications
Online Service Requests
Online Tax Payments by ACH electronic-check or credit card.
Online Utility Payments by  ACH electronic-check or credit card.
Online General-Payments by ACH electronic-check or credit card.
Submit Volunteer Resume's Online for the municipality to match your skills with available openings."

(2) Vulnerability Details:

Cit-e-Access web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Several similar products 0Day vulnerabilities have been found by some other bug hunter researchers before. Cit-i-Access has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to important vulnerabilities and cyber intelligence.

(2.1) The first programming code flaw occurs at "/eventscalendar/index.cfm?" page with "&DID" parameter in HTTP GET.

(2.2) The second programming code flaw occurs at "/search/index.cfm?" page with "&keyword" parameter in HTTP POST.

(2.3) The third programming code flaw occurs at "/news/index.cfm" page with "&jump2" "&DID" parameter in HTTP GET.

(2.4) The fourth programming code flaw occurs at "eventscalendar?" page with "&TPID" parameter in HTTP GET.

(2.5) The fifth programming code flaw occurs at "/meetings/index.cfm?" page with "&DID" parameter in HTTP GET.

(3) Solutions:

Leave message to vendor. No response.

http://www.cit-e.net/contact.cfm

References:
http://seclists.org/fulldisclosure/2015/Feb/48
http://lists.openwall.net/full-disclosure/2015/02/13/2
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1587

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01683.html

https://computerpitch.wordpress.com/2015/06/07/cve-2014-8753/

http://webtechhut.blogspot.com/2015/06/cve-2014-8753.html

https://www.facebook.com/websecuritiesnews/posts/804176613035844

https://twitter.com/tetraphibious/status/607381197077946368

http://biboying.lofter.com/post/1cc9f4f5_7356826

http://shellmantis.tumblr.com/post/120903342496/securitypost-cve-2014-8753

http://itprompt.blogspot.com/2015/06/cve-2014-8753.html

http://whitehatpost.blog.163.com/blog/static/24223205420155710559404/

https://plus.google.com/u/0/113115469311022848114/posts/FomMK9BGGx2

https://www.facebook.com/pcwebsecurities/posts/702290949916825

http://securitypost.tumblr.com/post/120903225352/cve-2014-8753-cit-e-net

http://webtech.lofter.com/post/1cd3e0d3_7355910

http://www.inzeed.com/kaleidoscope/cves/cve-2014-8753/
http://diebiyi.com/articles/security/cve-2014-8753/

ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Web Security Vulnerabilities

ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Web Security Vulnerabilities

Domain:

http://espn.go.com/

"ESPN (originally an acronym for Entertainment and Sports Programming Network) is a U.S.-based global cable and satellite television channel that is owned by ESPN Inc., a joint venture between The Walt Disney Company (which operates the network, through its 80% controlling ownership interest) and Hearst Corporation (which holds the remaining 20% interest). The channel focuses on sports-related programming including live and recorded event telecasts, sports news and talk shows, and other original programming.

ESPN broadcasts primarily from studio facilities located in Bristol, Connecticut. The network also operates offices in Miami, New York City, Seattle, Charlotte, and Los Angeles. John Skipper currently serves as president of ESPN, a position he has held since January 1, 2012. While ESPN is one of the most successful sports networks, it has been subject to criticism, which includes accusations of biased coverage, conflict of interest, and controversies with individual broadcasters and analysts. ESPN headquarters in Bristol, Connecticut. As of February 2015, ESPN is available to approximately 94,396,000 paid television households (81.1% of households with at least one television set) in the United States. In addition to the flagship channel and its seven related channels in the United States, ESPN broadcasts in more than 200 countries, operating regional channels in Australia, Brazil, Latin America and the United Kingdom, and owning a 20% interest in The Sports Network (TSN) as well as its five sister networks and NHL Network in Canada."(Wikipedia)

Vulnerability description:

Espn.go.com has a cyber security bug problem. It is vulnerable to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open Redirect) attacks.

Those vulnerabilities are very dangerous. Since they happen at ESPN's "login" & "register" pages that are credible. Attackers can abuse those links to mislead ESPN's users. The success rate of attacks may be high.

During the tests, besides the links given above, large number of ESPN's links are vulnerable to those attacks.

The programming code flaw occurs at "espn.go.com"'s "login?" & "register" pages with "redirect" parameter, i.e.

http://streak.espn.go.com/en/login?redirect=

https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com

http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=

https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/

Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 8.

Disclosed by:

Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.  (@justqdjing)

http://www.tetraph.com/wangjing/

"The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to XSS and Open Redirect vulnerabilities and cyber intelligence recommendations.

(1) XSS Web Security Vulnerability

XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results

• Identity theft
• Accessing sensitive or restricted information
• Gaining free access to otherwise paid for content
• Spying on user’s web browsing habits
• Altering browser functionality
• Public defamation of an individual or corporation
• Web application defacement
• Denial of Service attacks

Vulnerable URLs:

http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459

http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fworld-cup-bracket-linkedin-predictor%2Fvk%2F2014%2Fes%2Fgame%3Famazon%3Dcreate

https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageNamepaypal%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=reddit

https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourYahooAccount/login

POC:

http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459"><img src=x onerror=prompt('justqdjing')>

https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=espn"><img src=x onerror=prompt('justqdjing')>

http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate"><img src=x onerror=prompt('justqdjing')>

https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login"><img src=x onerror=prompt('justqdjing')>

Poc Video:

https://www.youtube.com/watch?v=gGEZO8wbTBU&feature=youtu.be

Blog Detail:

http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss.html

(2) Dest Redirect Privilege Escalation Vulnerability Web Security Vulnerability

From OWASP, an open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Use one of webpages for the following tests. The webpage address is "https://computerpitch.wordpress.com/". Suppose that this webpage is malicious.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04)，Apple Safari 6.1.6 of Mac OS X Lion 10.7. 

(2.1) Login Page  Dest Redirect Privilege Escalation Vulnerability

Vulnerable URL 1:

https://r.espn.go.com/members/login?appRedirect=https%3A%2F%2Fwww.facebook.com%2FAndroidOfficial

POC:

https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com

Vulnerable URL 2:

http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2Fyahoo101882723190828

POC:

http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fdiebiyi.com

(2.2) Vulnerabilities Attacked without User Login

Vulnerable URL 1:

http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Flinkedinstatus%2Febay%2Falibaba%2F539770783556698112

POC:

http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=http%3A%2F%2Fdiebiyi.com?

This vulnerability was used to demonstrate "Covert Redirect" of Facebook,

Poc Video:

https://www.youtube.com/watch?v=HUE8VbbwUms

Blog Detail:

http://www.tetraph.com/blog/covert-redirect/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid/

Vulnerable URL 2:

http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Freddit%2Fbing%2Ftmallstatus%2Ftmall541002332331606017

POC:

http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=http%3A%2F%2Fgoogle.com

Vulnerable URL 3:

http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=https%3A%2F%2Ftwitter.com%2FYahoo%2Fhao123%2Fstatus%2Fyandex%2F%2Fru%2F541950359917580289

POC:

http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=http%3A%2F%2Fgoogle.com

Poc Video:

https://www.youtube.com/watch?v=lCvBt8Elj9w&feature=youtu.be

Blog Detail:

http://securityrelated.blogspot.sg/2014/12/espn-espn.html

(3) Those security problems were reported to ESPN in early 2014. However, they are still unpatched.

More Details:
http://seclists.org/fulldisclosure/2014/Dec/36
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01417.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1303

http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register
http://diebiyi.com/articles/security/espn-xss-open-redirect/
https://infoswift.wordpress.com/2014/12/30/espn-are-suffering-serious-xss-and-dest
http://webcabinet.tumblr.com/post/118510631147/espn-are-suffering-serious-xss
https://www.facebook.com/permalink.php?story_fbid=435630669942495
http://guyuzui.lofter.com/post/1ccdcda4_6e6b17e
http://mathswift.blogspot.com/2015/05/espn-are-suffering-serious-xss-and-dest.html
http://inzeed.tumblr.com/post/120775132901/espn-xss-open-redirect

http://ittechnology.lofter.com/post/1cfbf60d_730f11d

http://whitehatpost.blog.163.com/blog/static/2422320542015551014553/

https://zuiyuxiang.wordpress.com/2014/12/19/espn-xss-open-redirect/

https://www.facebook.com/permalink.php?story_fbid=1631949187023558

https://twitter.com/tetraphibious/status/606824322896785408

https://plus.google.com/u/0/110001022997295385049/posts/TBiJP5A3CXg

http://xingzhehong.lofter.com/post/1cfd0db2_6e68fe3

http://www.tetraph.com/blog/computing-science/espn-xss-open-redirect/