Daily Mail Unvalidated Redirect / Cross Site Scripting

Posted Nov 3, 2015
Authored by Jing Wang

Various Daily Mail sites suffered from unvalidated redirect and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | bd8af27dea033a9e4e53fe5370ce1b5a

*Daily Mail Registration Page Unvalidated Redirects and Forwards & XSS Web
Security Problem*


*Website Description:*
"The Daily Mail is a British daily middle-market tabloid newspaper owned by
the Daily Mail and General Trust. First published in 1896 by Lord
Northcliffe, it is the United Kingdom's second biggest-selling daily
newspaper after The Sun. Its sister paper The Mail on Sunday was launched
in 1982. Scottish and Irish editions of the daily paper were launched in
1947 and 2006 respectively. The Daily Mail was Britain's first daily
newspaper aimed at the newly-literate "lower-middle class market resulting
from mass education, combining a low retail price with plenty of
competitions, prizes and promotional gimmicks", and was the first British
paper to sell a million copies a day. It was at the outset a newspaper for
women, the first to provide features especially for them, and as of the
second-half of 2013 had a 54.77% female readership, the only British
newspaper whose female readers constitute more than 50% of its demographic.
It had an average daily circulation of 1,708,006 copies in March 2014.
Between July and December 2013 it had an average daily readership of
approximately 3.951 million, of whom approximately 2.503 million were in
the ABC1 demographic and 1.448 million in the C2DE demographic. Its website
has more than 100 million unique visitors per month." (Wikipedia)


One of its websites had an Alexa rank of 93 on January 01 2015. The website
is one of the most popular websites in the United Kingdom.


The Unvalidated Redirects and Forwards problem has not been patched, while
the XSS problem has been patched.



Discoverer and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore. (@justqdjing)
http://www.tetraph.com/wangjing





*(1) Daily Mail Registration Page Unvalidated Redirects and Forwards Web
Security Problem*


*(1.1) Vulnerability Description:*
Daily Mail online websites have a security problem that attackers can
exploit through Open Redirect (Unvalidated Redirects and Forwards) attacks.
During the tests, all Daily Mail websites (Daily Mail, Mail on Sunday &
Metro media group) used the same mechanism. These websites include
dailymail.co.uk, thisismoney.co.uk, and mailonsunday.co.uk.




Google Dork:
"Part of the Daily Mail, The Mail on Sunday & Metro Media Group"



The vulnerability occurs in the "targetUrl" parameter of the "logout.html"
page, i.e.
http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fgoogle.com





*(1.2.1)* The following tests illustrate the scenario described above.

The redirected webpage address is "http://diebiyi.com/articles". Suppose
that this webpage is malicious.

Vulnerable URLs:
http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdailymail.co.uk
http://www.thisismoney.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fhao123.com/
http://www.mailonsunday.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fpinterest.com


POC Code:
http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdiebiyi.com/articles
http://www.thisismoney.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdiebiyi.com/articles
http://www.mailonsunday.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fdiebiyi.com/articles




*POC Video:*
https://www.youtube.com/watch?v=AU-HJGe5BWE&feature=youtu.be



*Blog Details:*
http://tetraph.com/security/website-test/daily-mail-url-redirection/
http://securityrelated.blogspot.com/2015/10/daily-mail-registration-page.html





*(1.2.2)* The flaw can be exploited without user login. Tests were
performed on Microsoft IE (9 9.0.8112.16421) on Windows 8, Mozilla
Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) on Ubuntu
(14.04.2), and Apple Safari 6.1.6 on Mac OS X v10.9 Mavericks.

These bugs were found by using URFDS (Unvalidated Redirects and Forwards
Detection System).





*(1.2) Description of Open Redirect:*
Here is the description of Open Redirect: "A web application accepts a
user-controlled input that specifies a link to an external site, and uses
that link in a Redirect. This simplifies phishing attacks. An http
parameter may contain a URL value and could cause the web application to
redirect the request to the specified URL. By modifying the URL value to a
malicious site, an attacker may successfully launch a phishing scam and
steal user credentials. Because the server name in the modified link is
identical to the original site, phishing attempts have a more trustworthy
appearance." (From CWE)
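
A server-side check that would close this class of redirect, as an added example that is not part of the original advisory and is not the site's own code. The allow-list, the fallback path and the function names are assumptions; only the "targetUrl" parameter and the logout.html URLs come from the advisory.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the only hosts logout.html may send a browser back to.
ALLOWED_HOSTS = {"dailymail.co.uk", "thisismoney.co.uk", "mailonsunday.co.uk"}
DEFAULT_TARGET = "/"  # assumed fallback when targetUrl is rejected


def _host_allowed(host: str) -> bool:
    host = host.lower().rstrip(".")
    # Exact host or a true subdomain; "evildailymail.co.uk" must not match.
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def safe_redirect_target(target_url: str) -> str:
    """Return target_url if it stays on an allowed site, else DEFAULT_TARGET."""
    # Browsers read "\" as "/" and drop tab/CR/LF, so refuse control
    # characters, spaces and backslashes before parsing.
    if not target_url or any(ord(c) < 0x21 or c == "\\" for c in target_url):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(target_url)
        host = parts.hostname  # drops any "user@" prefix and ":port"
    except ValueError:
        return DEFAULT_TARGET
    if not parts.scheme and not parts.netloc:
        # Site-relative path. "//host" and "///host" are protocol-relative
        # to a browser, so a leading double slash is refused.
        ok = target_url.startswith("/") and not target_url.startswith("//")
        return target_url if ok else DEFAULT_TARGET
    if parts.scheme in ("http", "https") and host and _host_allowed(host):
        return target_url
    return DEFAULT_TARGET


def logout_redirect(request_url: str) -> str:
    """Location header value for a logout.html?targetUrl=... request."""
    # parse_qs percent-decodes the value once, as the server would.
    values = parse_qs(urlsplit(request_url).query).get("targetUrl", [])
    return safe_redirect_target(values[0] if len(values) == 1 else "")
```

Matching on the parsed hostname rather than on a string prefix is what keeps look-alike and "user@host" values from passing the check.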




*(1.3) Vulnerability Disclosure:*
These vulnerabilities have not been patched.








*(2) Daily Mail Website XSS Cyber Security Zero-Day Vulnerability*


*(2.1) Vulnerability description:*
Daily Mail has a security problem that criminals can exploit through XSS
attacks.

The vulnerability occurs in the "commentId" parameter of the
"reportAbuseInComment.html" page, i.e.
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=877038


POC Code:
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId="><img src=x onerror=prompt('justqdjing')>


The vulnerability can be attacked without user login. Tests were performed
on Mozilla Firefox (34.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in
Windows 7.
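
The reflection and its fix, as an added example that is not part of the original advisory and is not the site's own code. It assumes the "commentId" value was echoed into a double-quoted HTML attribute, which the leading `">` of the PoC suggests; the hidden-input markup and the function names are hypothetical.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Assumed template: the id is echoed into a double-quoted attribute.
TEMPLATE = '<input type="hidden" name="commentId" value="%s">'


def render_vulnerable(comment_id: str) -> str:
    # Raw interpolation: a value starting with '">' closes the attribute and
    # the tag, and whatever follows is parsed by the browser as markup.
    return TEMPLATE % comment_id


def render_hardened(comment_id: str) -> str:
    # Defence 1: the ids shown in the advisory are decimal numbers, so
    # accept nothing else (ASCII digits only, bounded length).
    if not (comment_id.isascii() and comment_id.isdigit()
            and len(comment_id) <= 12):
        raise ValueError("commentId must be a decimal number")
    # Defence 2: encode for the attribute context even after validation,
    # so a later change to the validation rule cannot reopen the hole.
    return TEMPLATE % html.escape(comment_id, quote=True)


def handle_report_abuse(request_url: str) -> tuple[int, str]:
    """Return (status, body) for reportAbuseInComment.html; 400 on a bad id."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    ids = query.get("commentId", [])
    if len(ids) != 1:  # missing or repeated parameter
        return 400, "Bad Request"
    try:
        return 200, render_hardened(ids[0])
    except ValueError:
        return 400, "Bad Request"
```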



*POC Video:*
https://www.youtube.com/watch?v=Oig-ZrlJDf8&feature=youtu.be



*Blog Detail:*
http://tetraph.com/security/web-security/daily-mail-xss-bug/
http://securityrelated.blogspot.com/2015/10/daily-mail-online-website-xss-cyber.html





*(2.2) What is XSS?*
"Cross-site scripting (XSS) is a type of computer security vulnerability
typically found in web applications. XSS enables attackers to inject
client-side script into web pages viewed by other users. A cross-site
scripting vulnerability may be used by attackers to bypass access controls
such as the same-origin policy. Cross-site scripting carried out on
websites accounted for roughly 84% of all security vulnerabilities
documented by Symantec as of 2007. Their effect may range from a petty
nuisance to a significant security risk, depending on the sensitivity of
the data handled by the vulnerable site and the nature of any security
mitigation implemented by the site's owner." (Wikipedia)




*(2.3) Vulnerability Disclosure:*
This vulnerability has been patched.




Blog Details:
http://tetraph.com/security/website-test/daily-mail-open-redirect-xss/
http://securityrelated.blogspot.com/2015/10/daily-mail-url-redirection-and-xss-bug.html






--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

