Title: ====== iAuto Mobile Application 2012 - Multiple Web Vulnerabilities Date: ===== 2012-07-11 References: =========== http://www.vulnerability-lab.com/get_content.php?id=658 VL-ID: ===== 658 Common Vulnerability Scoring System: ==================================== 3.5 Introduction: ============= With Internet on mobile devices booming, having a desktop-oriented version is just not enough anymore. Empower your visitors with content designed for mobile Web by offering them a mobile version of your classifieds website. WorksForWeb is offering custom-made mobile frontend addons for our classified solutions. The mobile version of your website will present all the data of the regular website in the format optimized for iPhone, Android, iPad, BlackBerry, Symbian, or other mobile devices. Mobile frontend addon features: Quick and advanced search, Browsing, Tabbed design, Multi-language interface, Google Maps, And much more Addon is seamlessly integrated with your main website. Your website automatically detects mobile browsers to redirect mobile visitors to the mobile-optimized content. Why do you need a mobile gateway to your website? Because all the market leaders have mobile access, and so should you. The mobile technology is redefining our future, and you should be one step ahead of your smaller competitors. Mobile users now make up a large percentage of your target audience, and their needs to access information easily are important to address. At this moment, the mobile addon is compatible with classified solutions of v.5.2 and above. The price of the mobile frontend addon is only $175. This price includes a free expert installation on your server. (Copy of the Vendor Homepage: http://www.worksforweb.com/classifieds-software/addons/mobile-addon/ ) Abstract: ========= The Vulnerability Laboratory Research Team discovered multiple cross site vulnerabilities in the iAuto Mobile APP for Android, iOS & Blackberry. Report-Timeline: ================ 2012-07-10: Public or Non-Public Disclosure Status: ======== Published Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== 1.1 A persistent input validation vulnerability is detected in the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerability is located in comments module with the bound vulnerable commentSid parameter. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user inter action & privileged user account. Vulnerable Module(s): [+] Comments > Reply to The Comment Listing Vulnerable Parameter(s): [+] commentSid & commentInfo 1.2 Multiple non persistent cross site scripting vulnerabilities are detected in the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user inter action or local low privileged user account. The bugs are located in the Dealer > Search Sellers or Browse by Make and Model with the bound vulnerable parameters city & path/url. Successful exploitation can result in account steal, client side phishing & client-side content request manipulation. Exploitation requires medium or high user inter action & without privileged web application user account. Vulnerable Module(s): [+] Dealer > Search Sellers > City [+] Browse by Make and Model > /../ > Vulnerable Parameter(s): [+] City [+] Folder Access Listing Proof of Concept: ================= 1.1 The persistent vulnerabilities can be exploited by remote attackers with low privileged user account and with low required user inter action. For demonstration or reproduce ... Review: Add Comments - Listing

Reply to The Comment

You are replying to the comment #">