what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

UniCredit Bank Cross Site Request Forgery / Cross Site Scripting / Shell Upload

UniCredit Bank Cross Site Request Forgery / Cross Site Scripting / Shell Upload
Posted Oct 1, 2013
Authored by Juan Carlos Garcia

UniCredit Bank suffers from cross site request forgery, cross site scripting, and remote shell upload vulnerabilities. They have not responded to the authors notifications.

tags | exploit, remote, shell, vulnerability, xss, csrf
SHA-256 | 4b24c6a6204b07ab95aaa3e329aadafb43c09c8b0febd049f499b640d5f76727

UniCredit Bank Cross Site Request Forgery / Cross Site Scripting / Shell Upload

Change Mirror Download
==============================================================================================
UNICREDITBANK Cross Site Scripting (& Dom Based) / File Upload / form without CSRF protection =
==============================================================================================

TIME-LINE VULNERABILITY

Multiples Advisories but Vendor not response

Not Fixed

Full Disclosure


I. VULNERABILITY
-------------------------
#Title: UNICREDITBANK Cross Site Scripting (& Dom Based) / File Upload / Form without CSRF protection

#Vendor:http://www.unicreditbank.ru/

#Author:Juan Carlos García (@secnight)

#Follow me
http://www.highsec.es
HTTP://hackingmadrid.blogspot.com
Twitter:@secnight

II. DESCRIPTION
-------------------------

niCredit Bank is a Russian bank, operating in Russia since 1989. Ranked 8th by total assets based on H1 2013 results (Interfax-100 ranking), UniCredit Bank is the largest foreign bank in Russia.

UniCredit Bank is fully owned (100%) by UniCredit Bank Austria AG, Vienna, Austria, member of UniCredit.

The Bank benefits from its strong position in the large Russian corporate finance market and sustainable retail banking business.


UniCredit Bank at a glance

It was founded under the name of International Moscow Bank in 1989
105 branches in Russia and 1 Representative office in Belarus
Around 3798 employee
More than 1 298 000 retail customers *
More than 28 250 corporate clients
Ratings: BBB (Fitch), ВВВ (Standard & Poor’s)
Total assets: RUR 776.73 billion *
Equity: RUR 121.27 billion *
UniCredit Bank has General Licence for banking operations №1 of Bank of Russia

* As of 30.06.2013, according to consolidated financial statements of ZAO UniCredit Bank prepared in accordance with International Financial Reporting Standards.


III. PROOF OF CONCEPT
-------------------------

Cross site scripting
*********************

Vulnerability description
___________________________

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an
attacker to send malicious code (usually in the form of Javascript) to another user.
Because a browser cannot know if the script should be trusted or not, it will execute
the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects

/rus/about/community/unicolours/frame.wbp. (46)


Attack details
**************

URL encoded GET input galleryId was set to 2_901827'():;955734

The input is reflected inside <script> tag between single quote

GET /rus/about/community/unicolours/frame.wbp?galleryId=2_901827%27%28%29%3a%3b955734&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c



galleryId(15)

GET /rus/about/community/unicolours/frame.wbp?galleryId=2_935171%27%28%29%3a%3b994873&imgFull=/gallery/cats/8/full.jpg&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_985809%27%28%29%3a%3b936300&imgFull=/gallery/cats/9/full.jpg&imgId=0ae7d25c-056b-42d9-8abd-c38523785a81
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_970273%27%28%29%3a%3b940959&imgFull=/gallery/cats/010/full.jpg&imgId=4f2a9956-83cd-498c-aa0e-9d491f2bf827
.
.
.



imageFull(15)



URL encoded GET input imgFull was set to /gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg_997700'():;932188

GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_997700%27%28%29%3a%3b932188&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_925822%27%28%29%3a%3b964844&imgId=09b5e392-a316-4a39-8a17-747273376016
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_992446%27%28%29%3a%3b941577&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4
.
.
.



imgId(15)

URL encoded GET input imgId was set to 1819ff22-ea3e-4b80-a8bf-711762ae252c_914453'():;909492

GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_914453%27%28%29%3a%3b909492
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/7/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_956295%27%28%29%3a%3b990851
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/8/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_925541%27%28%29%3a%3b927917


DOM-based Cross-Site Scripting
******************************
Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /eng/reg/personal/deposits/index_special.wbp

Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /rus/reg/moscow/personal/deposits/index_special.wbp


Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /rus/reg/moscow/personal/remote_service/mobile_banking/smartphone.wbp


File upload
************

Vulnerability description
___________________________

This page allows visitors to upload files to the server. Various web applications allow users to upload files (such as pictures, images, sounds, ...).
Uploaded files may pose a significant risk if not handled correctly.
A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

This vulnerability affects /rus/career/moscow/form.wbp.


Attack details
______________

Form name: <empty>
Form action: http://www.unicreditbank.ru/rus/career/moscow/form.wbp?ok=true
Form method: POST

Form inputs:

resume [File]
vacancy [Hidden]
location [Hidden]
subject [Hidden]
Form [Hidden]


This vulnerability affects /rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp.



Attack details
Form name: <empty>
Form action: http://www.unicreditbank.ru/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp?ok=true&formclass=debitcards
Form method: POST

Form inputs:

Form [Hidden]
fio [Text]
officeCITY [Select]
city [Radio]
file [File]
SUBJECT [Hidden]
agree [Checkbox]
Confirmation [Text]




HTML form without CSRF protection
*********************************

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website

trusts.

Affected items
__________________

/eng/career/form1.wbp
/eng/feedback.wbp
/eng/index.wbp
/rus/career/form1.wbp
/rus/career/moscow/form.wbp (4bd115b5b2d18b05418cd5215414de73)
/rus/feedback/form_tab_consult.wbp
/rus/feedback/form_tab_quality.wbp
/rus/index.wbp
/rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/menu_4/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/menu_4/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/moscow/banks/finmarket/analytics/form.wbp
/rus/reg/moscow/banks/finmarket/analytics/form_question.wbp
/rus/reg/moscow/corporate/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd)
/rus/reg/moscow/corporate/finmarket/analytics/form.wbp
/rus/reg/moscow/corporate/finmarket/analytics/form_question.wbp
/rus/reg/moscow/personal/calc_uni.wbp
/rus/reg/moscow/personal/car/express/calc_new.wbp
/rus/reg/moscow/personal/car/gfauto/form.wbp
/rus/reg/moscow/personal/car/usedauto/calc_used.wbp
/rus/reg/moscow/personal/cardscredit/autocard/form.wbp
/rus/reg/moscow/personal/cardsdebit/post/ruspost_form.wbp
/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp
/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp (65825570bed58511936e2cc0df9d839c)
/rus/reg/moscow/personal/consumer/form.wbp (56f3984593e2b24d64f498660d69a303)
/rus/reg/moscow/personal/consumer/refund/calc.wbp
/rus/reg/moscow/personal/deposits/choise/form.wbp
/rus/reg/moscow/personal/deposits/incomecalc.wbp
/rus/reg/moscow/personal/investments_savings/mutual_fund/form.wbp
/rus/reg/moscow/personal/mortgage/form_new.wbp
/rus/reg/moscow/personal/mortgage/index.wbp
/rus/reg/moscow/personal/mortgage/purpose/form.wbp
/rus/reg/moscow/personal/mortgage/purpose/icalc.wbp
/rus/reg/moscow/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/moscow/private_banking/form.wbp
/rus/reg/moscow/private_banking/mc_worldelite/form.wbp
/rus/reg/moscow/small/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd)
/rus/reg/moscow/small/loans/auto/smbusinesscredit.wbp
/rus/reg/moscow/small/loans/smbusinesscredit.wbp (de98d6510bf3ecab0c54afbe38ff23de)
/rus/reg/moscow/small/package/forbusiness.wbp (00f973dc51d2e6a1ab71991ad9dac9a1)
/rus/reg/moscow/small/payroll/form.wbp
/rus/reg/moscow/small/rko/accounts/form.wbp (6923d688f3615c0326f50458f34e6048)
/rus/reg/moscow/unicredit_primeclub/dolce_vite/events/form.wbp
/rus/reg/moscow/unicredit_primeclub/dolce_vite/feedback.wbp
/rus/reg/moscow/unicredit_primeclub/form.wbp
/rus/reg/moscow/unicredit_primeclub/recepient.wbp
/rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/saint_petersburg/small/rko/accounts/form.wbp
/rus/reg/sochi/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/sochi/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/tyumen/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/tyumen/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/rss.wbp
/rus/search.wbp (e3a1a6c4fc11fd7517bb1d4cff832bb2)
/rus/subscribe.wbp

The impact of this vulnerability
__________________________________
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the

administrator account, this can compromise the entire web application.

How to fix this vulnerability
_________________________________
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.



IV. BUSINESS IMPACT
-------------------------

(...)

V SOLUTION
------------------------
Write Secure Code


VI. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)


VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close