exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

UniCredit Bank Cross Site Request Forgery / Cross Site Scripting / Shell Upload

UniCredit Bank Cross Site Request Forgery / Cross Site Scripting / Shell Upload
Posted Oct 1, 2013
Authored by Juan Carlos Garcia

UniCredit Bank suffers from cross site request forgery, cross site scripting, and remote shell upload vulnerabilities. They have not responded to the authors notifications.

tags | exploit, remote, shell, vulnerability, xss, csrf
SHA-256 | 4b24c6a6204b07ab95aaa3e329aadafb43c09c8b0febd049f499b640d5f76727

UniCredit Bank Cross Site Request Forgery / Cross Site Scripting / Shell Upload

Change Mirror Download
==============================================================================================
UNICREDITBANK Cross Site Scripting (& Dom Based) / File Upload / form without CSRF protection =
==============================================================================================

TIME-LINE VULNERABILITY

Multiples Advisories but Vendor not response

Not Fixed

Full Disclosure


I. VULNERABILITY
-------------------------
#Title: UNICREDITBANK Cross Site Scripting (& Dom Based) / File Upload / Form without CSRF protection

#Vendor:http://www.unicreditbank.ru/

#Author:Juan Carlos García (@secnight)

#Follow me
http://www.highsec.es
HTTP://hackingmadrid.blogspot.com
Twitter:@secnight

II. DESCRIPTION
-------------------------

niCredit Bank is a Russian bank, operating in Russia since 1989. Ranked 8th by total assets based on H1 2013 results (Interfax-100 ranking), UniCredit Bank is the largest foreign bank in Russia.

UniCredit Bank is fully owned (100%) by UniCredit Bank Austria AG, Vienna, Austria, member of UniCredit.

The Bank benefits from its strong position in the large Russian corporate finance market and sustainable retail banking business.


UniCredit Bank at a glance

It was founded under the name of International Moscow Bank in 1989
105 branches in Russia and 1 Representative office in Belarus
Around 3798 employee
More than 1 298 000 retail customers *
More than 28 250 corporate clients
Ratings: BBB (Fitch), ВВВ (Standard & Poor’s)
Total assets: RUR 776.73 billion *
Equity: RUR 121.27 billion *
UniCredit Bank has General Licence for banking operations №1 of Bank of Russia

* As of 30.06.2013, according to consolidated financial statements of ZAO UniCredit Bank prepared in accordance with International Financial Reporting Standards.


III. PROOF OF CONCEPT
-------------------------

Cross site scripting
*********************

Vulnerability description
___________________________

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an
attacker to send malicious code (usually in the form of Javascript) to another user.
Because a browser cannot know if the script should be trusted or not, it will execute
the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects

/rus/about/community/unicolours/frame.wbp. (46)


Attack details
**************

URL encoded GET input galleryId was set to 2_901827'():;955734

The input is reflected inside <script> tag between single quote

GET /rus/about/community/unicolours/frame.wbp?galleryId=2_901827%27%28%29%3a%3b955734&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c



galleryId(15)

GET /rus/about/community/unicolours/frame.wbp?galleryId=2_935171%27%28%29%3a%3b994873&imgFull=/gallery/cats/8/full.jpg&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_985809%27%28%29%3a%3b936300&imgFull=/gallery/cats/9/full.jpg&imgId=0ae7d25c-056b-42d9-8abd-c38523785a81
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_970273%27%28%29%3a%3b940959&imgFull=/gallery/cats/010/full.jpg&imgId=4f2a9956-83cd-498c-aa0e-9d491f2bf827
.
.
.



imageFull(15)



URL encoded GET input imgFull was set to /gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg_997700'():;932188

GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_997700%27%28%29%3a%3b932188&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_925822%27%28%29%3a%3b964844&imgId=09b5e392-a316-4a39-8a17-747273376016
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_992446%27%28%29%3a%3b941577&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4
.
.
.



imgId(15)

URL encoded GET input imgId was set to 1819ff22-ea3e-4b80-a8bf-711762ae252c_914453'():;909492

GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_914453%27%28%29%3a%3b909492
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/7/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_956295%27%28%29%3a%3b990851
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/8/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_925541%27%28%29%3a%3b927917


DOM-based Cross-Site Scripting
******************************
Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /eng/reg/personal/deposits/index_special.wbp

Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /rus/reg/moscow/personal/deposits/index_special.wbp


Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /rus/reg/moscow/personal/remote_service/mobile_banking/smartphone.wbp


File upload
************

Vulnerability description
___________________________

This page allows visitors to upload files to the server. Various web applications allow users to upload files (such as pictures, images, sounds, ...).
Uploaded files may pose a significant risk if not handled correctly.
A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

This vulnerability affects /rus/career/moscow/form.wbp.


Attack details
______________

Form name: <empty>
Form action: http://www.unicreditbank.ru/rus/career/moscow/form.wbp?ok=true
Form method: POST

Form inputs:

resume [File]
vacancy [Hidden]
location [Hidden]
subject [Hidden]
Form [Hidden]


This vulnerability affects /rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp.



Attack details
Form name: <empty>
Form action: http://www.unicreditbank.ru/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp?ok=true&formclass=debitcards
Form method: POST

Form inputs:

Form [Hidden]
fio [Text]
officeCITY [Select]
city [Radio]
file [File]
SUBJECT [Hidden]
agree [Checkbox]
Confirmation [Text]




HTML form without CSRF protection
*********************************

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website

trusts.

Affected items
__________________

/eng/career/form1.wbp
/eng/feedback.wbp
/eng/index.wbp
/rus/career/form1.wbp
/rus/career/moscow/form.wbp (4bd115b5b2d18b05418cd5215414de73)
/rus/feedback/form_tab_consult.wbp
/rus/feedback/form_tab_quality.wbp
/rus/index.wbp
/rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/menu_4/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/menu_4/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/moscow/banks/finmarket/analytics/form.wbp
/rus/reg/moscow/banks/finmarket/analytics/form_question.wbp
/rus/reg/moscow/corporate/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd)
/rus/reg/moscow/corporate/finmarket/analytics/form.wbp
/rus/reg/moscow/corporate/finmarket/analytics/form_question.wbp
/rus/reg/moscow/personal/calc_uni.wbp
/rus/reg/moscow/personal/car/express/calc_new.wbp
/rus/reg/moscow/personal/car/gfauto/form.wbp
/rus/reg/moscow/personal/car/usedauto/calc_used.wbp
/rus/reg/moscow/personal/cardscredit/autocard/form.wbp
/rus/reg/moscow/personal/cardsdebit/post/ruspost_form.wbp
/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp
/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp (65825570bed58511936e2cc0df9d839c)
/rus/reg/moscow/personal/consumer/form.wbp (56f3984593e2b24d64f498660d69a303)
/rus/reg/moscow/personal/consumer/refund/calc.wbp
/rus/reg/moscow/personal/deposits/choise/form.wbp
/rus/reg/moscow/personal/deposits/incomecalc.wbp
/rus/reg/moscow/personal/investments_savings/mutual_fund/form.wbp
/rus/reg/moscow/personal/mortgage/form_new.wbp
/rus/reg/moscow/personal/mortgage/index.wbp
/rus/reg/moscow/personal/mortgage/purpose/form.wbp
/rus/reg/moscow/personal/mortgage/purpose/icalc.wbp
/rus/reg/moscow/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/moscow/private_banking/form.wbp
/rus/reg/moscow/private_banking/mc_worldelite/form.wbp
/rus/reg/moscow/small/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd)
/rus/reg/moscow/small/loans/auto/smbusinesscredit.wbp
/rus/reg/moscow/small/loans/smbusinesscredit.wbp (de98d6510bf3ecab0c54afbe38ff23de)
/rus/reg/moscow/small/package/forbusiness.wbp (00f973dc51d2e6a1ab71991ad9dac9a1)
/rus/reg/moscow/small/payroll/form.wbp
/rus/reg/moscow/small/rko/accounts/form.wbp (6923d688f3615c0326f50458f34e6048)
/rus/reg/moscow/unicredit_primeclub/dolce_vite/events/form.wbp
/rus/reg/moscow/unicredit_primeclub/dolce_vite/feedback.wbp
/rus/reg/moscow/unicredit_primeclub/form.wbp
/rus/reg/moscow/unicredit_primeclub/recepient.wbp
/rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/saint_petersburg/small/rko/accounts/form.wbp
/rus/reg/sochi/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/sochi/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/tyumen/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/tyumen/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/rss.wbp
/rus/search.wbp (e3a1a6c4fc11fd7517bb1d4cff832bb2)
/rus/subscribe.wbp

The impact of this vulnerability
__________________________________
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the

administrator account, this can compromise the entire web application.

How to fix this vulnerability
_________________________________
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.



IV. BUSINESS IMPACT
-------------------------

(...)

V SOLUTION
------------------------
Write Secure Code


VI. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)


VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close