All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (Cross Site Scripting) Attacks

All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (Cross Site Scripting) Attacks 

(1) Domain Description:

http://www.indiatimes.com

"The Times of India (TOI) is an Indian English-language daily newspaper. It is the third-largest newspaper in India by circulation and largest selling English-language daily in the world according to Audit Bureau of Circulations (India). According to the Indian Readership Survey (IRS) 2012, the Times of India is the most widely read English newspaper in India with a readership of 7.643 million. This ranks the Times of India as the top English daily in India by readership. It is owned and published by Bennett, Coleman & Co. Ltd. which is owned by the Sahu Jain family. In the Brand Trust Report 2012, Times of India was ranked 88th among India's most trusted brands and subsequently, according to the Brand Trust Report 2013, Times of India was ranked 100th among India's most trusted brands. In 2014 however, Times of India was ranked 174th among India's most trusted brands according to the Brand Trust Report 2014, a study conducted by Trust Research Advisory." (en.Wikipedia.org)

(2) Vulnerability description:

The web application indiatimes.com online website has a security problem. Hacker can exploit it by XSS bugs.

The code flaw occurs at Indiatimes's URL links. Indiatimes only filter part of the filenames in its website. All URLs under Indiatimes's "photogallery" and "top-llists" topics are affected. 

Indiatimes uses part of the links under "photogallery" and "top-llists" topics to construct its website content without any checking of those links at all. This mistake is very popular in nowaday websites. Developer is not security expert.

The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (26.0) in Ubuntu (12.04) and Microsoft IE (9.0.15) in Windows 7.

POC Codes:

http://www.indiatimes.com/photogallery/">homeqingdao<img src=x onerror=prompt('justqdjing')>

http://www.indiatimes.com/top-lists/">singaporemanagementuniversity<img src=x onerror=prompt('justqdjing')>

http://www.indiatimes.com/photogallery/lifestyle/">astar<img src=x onerror=prompt('justqdjing')>

http://www.indiatimes.com/top-lists/technology/">nationaluniversityofsingapore<img src=x onerror=prompt('justqdjing')>

POC Video:

https://www.youtube.com/watch?v=EeJWu8_5BKU&feature=youtu.be

Blog Details:

http://securityrelated.blogspot.com/2014/11/two-topics-of-indiatimes-indiatimescom.html

What is XSS?
"Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it." (OWASP)





(3) Vulnerability Disclosure:

The vulnerabilities were reported to Indiatimes in early September, 2014. However they are still unpatched.

Discovered and Reported by:

Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

http://www.tetraph.com/wangjing/

Related Articles:
http://seclists.org/fulldisclosure/2014/Nov/91
http://lists.openwall.net/full-disclosure/2014/11/27/6
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1256
https://progressive-comp.com/?l=full-disclosure&m=141705615327961&w=1

http://tetraph.blog.163.com/blog/static/234603051201501352218524/
http://www.techworm.net/2014/12/times-india-website-vulnerable-xss
https://cxsecurity.com/issue/WLB-2014120004
https://vulnerabilitypost.wordpress.com/2014/12/04/indiatimes-xss
http://diebiyi.com/articles/security/all-links-in-two-topics-of-indiatimes
http://www.inzeed.com/kaleidoscope/computer-security/all-links-in-two-topics-of-indiatimes
http://itsecurity.lofter.com/post/1cfbf9e7_54fc6c9
http://computerobsess.blogspot.com/2014/12/all-links-in-two-topics-of-indiatimes.html

http://whitehatview.tumblr.com/post/104310651681/times-of-india-website-vulnerable-to
http://www.tetraph.com/blog/computer-security/all-links-in-two-topics-of-indiatimes

CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability Weakness

CVE-2014-7291  Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability Weakness

Exploit Title: Springshare LibCal Multiple XSS (Cross-Site Scripting) Security Weakness
Product: LibCal
Vendor: Springshare
Vulnerable Versions: 2.0
Tested Version: 2.0
Advisory Publication: Nov 25, 2014
Latest Update: Nov 25, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7291
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Solution Status: Fixed by Vendor
Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]








Recommendation Details:


(1) Vendor & Product Description:


Vendor:
Springshare


Product & Vulnerable Versions:
LibCal
2.0

Vendor URL & download:

http://springshare.com/libcal/ 


Product Introduction Overview:
“LibCal is an easy to use calendaring and event management platform for libraries. Used by 1,600+ libraries worldwide, LibCal makes it a breeze to manage online calendar of events, offer room bookings online, manage the opening hours for various locations."

    "Manage Calendar & Event Registrations
    Create custom Registration Forms
    Manage Consultation Appointments"
    Create an Online Room Booking System
    Display Library & Departmental Hours
    Share Calendar/Event Info via Widgets"





(2) Vulnerability Details:
Springshare LibCal web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Several Springshare LibCal products vulnerabilities have been found by some other bug hunter researchers before. Springshare LibCal has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to Springshare LibCal vulnerabilities.


(2.1) The first code programming flaw  occur at “/api_events.php?” page, with “&m” and “&cid” parameters.







(3) Solutions:
2014-10-01: Report vulnerability to Vendor
2014-10-15: Vendor replied with thanks and vendor changed the source code

References:

https://cxsecurity.com/issue/WLB-2014120002

http://tetraph.com/security/cves/cve-2014-7291-springshare-libcal-xss-cross-site-scripting-vulnerability/

http://seclists.org/fulldisclosure/2014/Nov/90

http://packetstormsecurity.com/files/129289/Springshare-LibCal-2.0-Cross-Site-Scripting.html

http://www.securityfocus.com/bid/71319

http://www.scap.org.cn/CVE-2014-7291.html

http://whitehatpost.blog.163.com/blog/static/2422320542014112982712/#

http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014110532

http://blog.livedoor.jp/dvw_j/archives/42129940.html

http://www.cnvd.org.cn/flaw/show/CNVD-2014-08568

http://marc.info/?l=full-disclosure&m=141705590727919&w=4

http://www.inzeed.com/kaleidoscope/cves/cve-2014-7291-springshare-libcal-xss-cross-site-scripting-security-vulnerability/

http://japanbroad.blogspot.com/2015/03/cve-2014-7291-springshare-libcal-xss.html