Ebuddy Web Messenger suffers from index disclosure, cross site request forgery, htaccess file disclosure, and insecure credential transport vulnerabilities.
ccaf79bd154471179fb4406fdc64b21ea02903e1d8c4dc8ee30b274d01f17dff===============================================================================================================================================================================================
Ebuddy Web Messenger Index of Disclosure / htaccess file readable / HTML Form without CSRF Protection / User Credential sent in clear text
===============================================================================================================================================================================================
I. VULNERABILITY
-------------------------
#Title: Ebuddy htaccess file readable / HTML Form without CSRF Protection / User Credential sent in clear text
#Vendor:httpS://www.ebuddy.com/
#Author:Juan Carlos García (@secnight)
#Follow me
http://www.highsec.es
Twitter:@secnight
II. DESCRIPTION
-------------------------
XMS: Free, real-time messaging app for smartphones
Unlimited messaging through your Internet connection
Message any way you want with text, pictures, videos, location and more.
Brought to you by the messaging pros at eBuddy
III. PROOF OF CONCEPT
-------------------------
Index of / Disclosure
*********************
http://web.ebuddy.com/?startsession=1
htaccess file readable
***********************
Vulnerability description
--------------------------
This directory contains an .htaccess file that is readable. This may indicate a server misconfiguration. htaccess files
are designed to be parsed by web server and should not be directly accessible. These files could contain sensitive information
that could help an attacker to conduct further attacks. It's recommended to restrict access to this file.
Affected items
/
The impact of this vulnerability
---------------------------------
Sensitive information disclosure.
Request
GET /.htaccess HTTP/1.1
Cookie: language=en-GB; e_network=MASTER
Html Response
-------------
DirectoryIndex index.html ErrorDocument 404 /404.html # Turning on the rewrite engine is necessary for the following rules and features. # FollowSymLinks must be enabled for this to work. Options +FollowSymlinks RewriteEngine On #
Rewrite "www.example.com -> example.com" RewriteCond %{HTTPS} !=on RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L] RewriteRule ^(feedback/) - [L] RewriteRule ^(php/) - [L] RewriteRule ^(.*)\.php$
/$1.html [R=301,L] RewriteRule ^advertising/(.*)$ /advertising.html [L,R=301] RewriteRule ^iphone(.*)$ /products.html [L,R=301] RewriteRule ^android(.*)$ /products.html [L,R=301] RewriteRule ^mobile(.*)$ /products.html [L,R=301]
RewriteRule ^ebuddy_id(.*)$ /index.html [L,R=301] RewriteRule ^webmessenger(.*)$ /index.html [L,R=301] RewriteRule ^landing/(.*)$ /picture.html [L,R=301] RewriteRule ^psp(?:/.*)?$ http://m.ebuddy.com/psp [L,R=301] # fd=1 --> force
desktop website RewriteCond %{QUERY_STRING} !"(?:^|&)fd=(?:1|true)(?:&|$)" [NC] RewriteCond %{HTTP_USER_AGENT} !"googlebot" [NC] RewriteCond %{HTTP_ACCEPT} "text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR] RewriteCond
%{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "windows ce|psp|nitro|symbian|nintendo|htc|mobile|nokia|mot-|sonyerricson|samsung|alcatel|opera mini|
j2me|midp-|cldc-|netfront" [NC] RewriteRule (^$|^index.html$) http://m.ebuddy.com/ [L,R=302] RewriteCond %{QUERY_STRING} !"(?:^|&)fd=(?:1|true)(?:&|$)" [NC] RewriteCond %{HTTP_USER_AGENT} !"googlebot" [NC] RewriteCond %{HTTP_ACCEPT}
"text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "windows ce|psp|nitro|
symbian|nintendo|htc|mobile|nokia|mot-|sonyerricson|samsung|alcatel|opera mini|j2me|midp-|cldc-|netfront" [NC] RewriteRule (^picture.html$) http://m.ebuddy.com/landing.php [L,R=302] #### ## Unknown stuff #### #
---------------------------------------------------------------------- # Better website experience for IE users # ---------------------------------------------------------------------- # Force the latest IE version, in various cases when
it may fall back to IE7 mode # github.com/rails/rails/commit/123eb25#commitcomment-118920 # Use ChromeFrame if it's installed for a better experience for the poor IE folk Header set X-UA-Compatible "IE=Edge,chrome=1" # mod_headers can't
match by content-type, but we don't want to send this header on *everything*... Header unset X-UA-Compatible # ---------------------------------------------------------------------- # CORS-enabled images (@crossorigin) #
---------------------------------------------------------------------- # Send CORS headers if browsers request them; enabled by default for images. # developer.mozilla.org/en/CORS_Enabled_Image # blog.chromium.org/2011/07/using-cross-
domain-images-in-webgl-and.html # hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/ # wiki.mozilla.org/Security/Reviews/crossoriginAttribute # mod_headers, y u no match by Content-Type?! SetEnvIf
Origin ":" IS_CORS Header set Access-Control-Allow-Origin "*" env=IS_CORS # ---------------------------------------------------------------------- # Webfont access # ----------------------------------------------------------------------
# Allow access from all domains for webfonts. # Alternatively you could only whitelist your # subdomains like "subdomain.example.com". Header set Access-Control-Allow-Origin "*" #
---------------------------------------------------------------------- # Gzip compression # ---------------------------------------------------------------------- # Force deflate for mangled headers
developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/ SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding RequestHeader append Accept-Encoding
"gzip,deflate" env=HAVE_Accept-Encoding # HTML, TXT, CSS, JavaScript, JSON, XML, HTC: FilterDeclare COMPRESS FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml FilterProvider COMPRESS DEFLATE resp=Content-Type $text/x-component FilterProvider COMPRESS DEFLATE resp=Content-
Type $application/javascript FilterProvider COMPRESS DEFLATE resp=Content-Type $application/json FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xhtml+xml
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/rss+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/atom+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/vnd.ms-fontobject
FilterProvider COMPRESS DEFLATE resp=Content-Type $image/svg+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $image/x-icon FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-font-ttf FilterProvider COMPRESS DEFLATE
resp=Content-Type $font/opentype FilterChain COMPRESS FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no # Legacy versions of Apache AddOutputFilterByType DEFLATE text/html text/plain text/css application/json AddOutputFilterByType
DEFLATE application/javascript AddOutputFilterByType DEFLATE text/xml application/xml text/x-component AddOutputFilterByType DEFLATE application/xhtml+xml application/rss+xml application/atom+xml AddOutputFilterByType DEFLATE image/x-
icon image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype # ---------------------------------------------------------------------- # Expires headers (for better cache control) #
---------------------------------------------------------------------- # These are pretty far-future expires headers. # They assume you control versioning with cachebusting query params like #
HTML form without CSRF protection
********************************
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as
CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted
from a user that the website trusts.
Affected items
/
/ar
/bg-ID
/bs
/cs
/da
/de
/el
/es
/et
/fa
/fr
/he
/hu
/id
/is
/it
/ms
/nl
/no
/pl
/pt
/pt-BR
/ro
/ru
/sk
/sl
/sv
/th
/tr
/vi
/zh
/zh-TW
The impact of this vulnerability
---------------------------------
An attacker may force the users of a web application to execute actions of the attacker's choosing.
A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end
user is the administrator account, this can compromise the entire web application.
Example
Affected items
/
Attack details
Form name: login-form
Form action: http://www.ebuddy.com/
Form method: POST
Form inputs:
username [Text]
password [Password]
remember [Checkbox]
signinoffline [Checkbox]
network [Hidden]
User credentials are sent in clear text
***************************************
Vulnerability description
------------------------
User credentials are transmitted over an unencrypted channel.
This information should always be transferred via an encrypted channel (HTTPS)
to avoid being intercepted by malicious users.
Affected items
--------------
/
/ar
/bg-ID
/bs
/cs
/da
/de
/el
/es
/et
/fa
/fr
/he
/hu
/id
/is
/it
/ms
/nl
/no
/pl
/pt
/pt-BR
/ro
/ru
/sk
/sl
/sv
/th
/tr
/vi
/zh
/zh-TW
The impact of this vulnerability
---------------------------------
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection
Example:
Affected Item
/
Attack details
Form name: login-form
Form action: http://www.ebuddy.com/
Form method: POST
Form inputs:
username [Text]
password [Password]
remember [Checkbox]
signinoffline [Checkbox]
network [Hidden]
IV. BUSINESS IMPACT
-------------------------
This type of failure Messengers line they have so many customers are extremely dangerous because they
can be a serious impact on customers and users
V SOLUTION
------------------------
Write Secure Code
VI. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Carlos García(@secnight)
Special Thnaks:Perseo
VII. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed