ZOHO INTERNAL INFORMATION DISCLOSURE - Content type is not specified / INSECURE TRANSITION FROM HTTP TO HTTPS IN FORM
======================================================================================================================

Report-Timeline:
================
2013-07-01: Researcher Notification
2013-07-02: Response
2013-07-05: Asked about the issues
2013-07-06: Vendor Feedback
2013-07-10: Not Fixed
2013-07-12: Full Disclosure

I-VULNERABILITIES
======================
#Title: ZOHO INTERNAL INFORMATION DISCLOSURE - Content type is not specified / INSECURE TRANSITION FROM HTTP TO HTTPS IN FORM
#Vendor: https://www.zoho.com
#Author: Juan Carlos García (@secnight)
#Follow me: http://www.highsec.es
            http://hackingmadrid.blogspot.com
            Twitter: @secnight

II-Introduction:
======================
1-To date, Zoho.com has launched 25+ online applications — from CRM to Mail, Office Suite, Project Management, Invoicing, Web conferencing and more. Zoho has received numerous awards, including an InfoWorld 2009 "Product of the Year" award, a 2008 PC World "25 Most Innovative Products Award" and a 2007 TechCrunch "Best Enterprise Start-up." Zoho uses an open application programming interface for its Writer, Sheet, Show, Creator, Meeting, and Planner products. It also has plugins for Microsoft Word and Excel, an OpenOffice.org plugin, and a plugin for Firefox. More than 8 million users work online with Zoho.

2-Components
2.1  Zoho Writer
2.2  Zoho Sheet
2.3  Zoho Reports
2.4  Zoho Show
2.5  Zoho Projects
2.6  Zoho BugTracker
2.7  Zoho CRM
2.8  Zoho Invoice
2.9  Zoho Creator
2.10 Zoho Wiki
2.11 Zoho Discussions
2.12 Zoho Planner
2.13 Zoho Notebook
2.14 Zoho Chat
2.15 Zoho Mail
2.16 Zoho Meeting
2.17 Zoho People
2.18 Zoho Books
2.19 Zoho Docs

III-PROOF OF CONCEPT
======================
INTERNAL INFORMATION DISCLOSURE - Content type is not specified
==============================================================
This page doesn't set a Content-Type header value.
This value tells the browser what kind of data to expect. If the header is missing, the browser has to guess the type and may handle the data incorrectly, which can lead to security problems.

This vulnerability affects the following files (contents as served):

/creator/help/images/contacts.ds:

/*
 * Author : latha
 * Generated on : 02-Nov-2012 14:53:52
 * Version : 3.0
 */
application "Contacts"
{
    allow html = true
    date format = "dd-MMMM-yyyy"
    time zone = "America/Los_Angeles"
    section Home
    {
        form Contacts_Form
        {
            displayname = "Contacts Form"
            captcha = true
            success message = "Data Added Successfully!"
            field alignment = left
            column
            {
                EmpName
                (
                    type = text
                    tooltip = "Web application"
                    width = 200px
                )
                Number_1
                (
                    displayname = "Number 1"
                    type = number
                    maxchar = 2
                    width = 100px
                )
                Email_ID
                (
                    displayname = "Email ID"
                    type = email
                    tooltip = "Web application"
                    width = 200px
                )
                Contact
                (
                    type = decimal
                    maxchar = 99
                    tooltip = "Web application"
                    width = 100px
                )
                DOB
                (
                    type = date
                    tooltip = "Web application"
                    width = 130px
                )
                Country
                (
                    type = text
                    tooltip = "Web application"
                    width = 200px
                )
            }
            column
            {
                Currency_1
                (
                    displayname = "Currency 1"
                    type = USD
                    maxchar = 2
                    width = 100px
                )
            }
            actions
            {
                on add
                {
                    Submit
                    (
                        type = submit
                        displayname = "Submit"
                    )
                    Reset
                    (
                        type = reset
                        displayname = "Reset"
                    )
                }
                on edit
                {
                    Update
                    (
                        type = submit
                        displayname = "Update"
                    )
                    Cancel
                    (
                        type = cancel
                        displayname = "Cancel"
                    )
                }
            }
        }
        list Contacts_Form_View
        {
            displayname = "Contacts Form View"
            show all rows from Contacts_Form
            (
                EmpName as "Name"
                Email_ID as "Email ID"
                Contact, display total
                DOB
                Country
                Number_1 as "Number 1"
                Currency_1 as "Currency 1"
            )
            filters
            (
                DOB
            )
        }
    }
}

/creator/help/images/ical-feed1.ds:
BEGIN:VCALENDAR
PRODID:-//ZOHO Creator//iCal Feed//EN
VERSION:2.0
CALSCALE:GREGORIAN
X-WR-TIMEZONE:UTC
X-WR-CALNAME:ICal_View
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:My B`day
DTEND;VALUE=DATE:20120417
ORGANIZER;CN=Test 2:
LOCATION:Chennai
STATUS:confirmed
DTSTART;VALUE=DATE:20120417
CLASS:PUBLIC
UID:1040582/ical-application/ICal_View/204098000002226173/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:Meet test
DTEND;VALUE=DATE:20120218
ORGANIZER;CN=Test 1:
LOCATION:Chennai
STATUS:confirmed
DTSTART;VALUE=DATE:20120215
CLASS:PUBLIC
UID:1040582/ical-application/ICal_View/204098000002226169/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:Rozden Den
DTEND:20100429T055909
ORGANIZER;CN=Tatka:
LOCATION:Aprilovo
STATUS:confirmed
DTSTART:20100428T205905
CLASS:PUBLIC
UID:1040582/ical-application/ICal_View/204098000001243011/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:Summ
DTEND;VALUE=DATE:20100426
ORGANIZER;CN=Hristo:
LOCATION:Btv
STATUS:tentative
DTSTART;VALUE=DATE:20100426
CLASS:PRIVATE
UID:1040582/ical-application/ICal_View/204098000001243007/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:No summary
DTEND:20100426T144354
ORGANIZER;CN=Stefan Stoychev:
LOCATION:Here
STATUS:tentative
DTSTART:20100425T204350
CLASS:PUBLIC
UID:1040582/ical-application/ICal_View/204098000001243003/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:Week end trip
DTEND;VALUE=DATE:20090921
ORGANIZER;CN=Stephen:
LOCATION:New york
STATUS:confirmed
DTSTART;VALUE=DATE:20090919
CLASS:PRIVATE
UID:1040582/ical-application/ICal_View/204098000000601326/@zohocreator.com
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20121121T115822Z
SUMMARY:Public sector meeting
DTEND:20090910T143000
ORGANIZER;CN=John:
LOCATION:US
STATUS:confirmed
DTSTART:20090910T113000
CLASS:PUBLIC
UID:1040582/ical-application/ICal_View/204098000000601322/@zohocreator.com
END:VEVENT
END:VCALENDAR
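The missing Content-Type condition described in this section, as an added example that is not part of the advisory or of Zoho's code: the script parses a raw HTTP response, reports a 200 response that carries a body without any Content-Type (and without X-Content-Type-Options: nosniff, which stops browsers from sniffing), and shows the headers a hardened static-file server would send instead. The sample responses are constructed; mapping the .ds extension to text/plain is an assumption for the demonstration, not Zoho's real configuration.

```python
# Added example (not part of the advisory or of Zoho's code): detect the
# missing-Content-Type condition in a raw HTTP response and show the headers
# a hardened static-file server should send instead.
import mimetypes
import os

# Assumption for the demonstration: a ".ds" application definition is plain
# text. Zoho's real mapping for this extension is not known from the advisory.
EXTRA_TYPES = {".ds": "text/plain; charset=utf-8"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_content_type(path: str, raw: bytes) -> list:
    """Return one finding string per problem; an empty list means the
    response declares its type and forbids MIME sniffing."""
    status, headers, body = parse_response(raw)
    findings = []
    if status == 200 and body and "content-type" not in headers:
        findings.append(f"{path}: no Content-Type header, browser must guess the type")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(f"{path}: X-Content-Type-Options: nosniff not set")
    return findings


def hardened_headers(path: str, body: bytes) -> dict:
    """Headers a server should send for a static file: an explicit type
    (falling back to application/octet-stream when unknown) plus nosniff,
    which tells browsers to honour the declared type instead of sniffing."""
    ext = os.path.splitext(path)[1].lower()
    ctype = EXTRA_TYPES.get(ext) or mimetypes.guess_type(path)[0] or "application/octet-stream"
    return {
        "Content-Type": ctype,
        "Content-Length": str(len(body)),
        "X-Content-Type-Options": "nosniff",
    }


def build_response(headers: dict, body: bytes) -> bytes:
    """Assemble a minimal 200 response (used only to construct samples)."""
    head = "HTTP/1.1 200 OK\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("iso-8859-1") + b"\r\n" + body


# Constructed sample: one of the paths named in the advisory, served with a
# body but without any Content-Type header (the reported condition).
PATH = "/creator/help/images/contacts.ds"
BODY = b'application "Contacts" { allow html = true }'
SAMPLE_BAD = build_response({"Server": "example", "Content-Length": len(BODY)}, BODY)
SAMPLE_GOOD = build_response(hardened_headers(PATH, BODY), BODY)

if __name__ == "__main__":
    for label, raw in (("as reported", SAMPLE_BAD), ("hardened", SAMPLE_GOOD)):
        print(label, audit_content_type(PATH, raw) or ["ok"])
```

Run the audit over captured responses for each affected path; a clean result requires both an explicit Content-Type and the nosniff header, because a declared type alone still leaves older browsers free to second-guess it.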
/creator/help2/images/ical-feed1.ds:
(served with the same content as /creator/help/images/ical-feed1.ds above)

/creator/help2/images/contacts.ds:
(served with the same content as /creator/help/images/contacts.ds above)

INSECURE TRANSITION FROM HTTP TO HTTPS IN FORM
================================================
This form is served from an insecure (http) page. Such a page could be hijacked with a man-in-the-middle attack, and an attacker could replace the form target.
(Too Many Affected Items ...
)

Examples:
/announcements/blog/2009-webware-100-awards-vote-for-zoho.html
/announcements/blog/add-footnotes-endnotes-to-your-zoho-writer-documents.html
/announcements/blog/adventnet-inc-is-now-zoho-corporation.html
/announcements/blog/a-faster-way-to-file-bugs-in-bugtracker.html
/announcements/blog/a-million-toons-at-toondoo.html
/announcements/blog/annnouncing-zoho-business.html
/announcements/blog/announcement-zoho-forums-migration.html
/announcements/blog/announcing-the-do-it-yourself-dabble-db-migration-tool.html
/announcements/blog/announcing-zoho-discussions.html
/announcements/blog/announcing-zoholics-zoho-user-conference.html
/announcements/blog/announcing-zoho-meeting.html
/announcements/blog/announcing-zoho-notebook.html
/announcements/blog/announcing-zoho-pulse-a-private-social-network-for-your-business.html
/announcements/blog/announcing-zoho-show-20.html
/announcements/blog/announcing-zoho-support-web-based-help-desk-software-ticket-management-and-self-service-portal.html
/announcements/blog/announcing-zoho-survey-easily-create-professional-surveys-collect-data-and-make-smarter-decisions.html
/announcements/blog/automatic-payment-reminders-for-invoices.html
/announcements/blog/baihui-distributes-zoho-apps-in-china.html
/announcements/blog/barcamp-at-chennai.html
/announcements/blog/berryforms-esurvey-integrates-zoho-reports.html
/announcements/blog/better-import-and-embed-options-in-zoho-show.html
/announcements/blog/boxnet-integrates-zoho.html
/announcements/blog/bug-tracking.html
/announcements/blog/case-study-how-zoho-reports-helps-optimize-globos-tv-programming.html
/announcements/blog/cloudave-launches-focusing-on-business-apps-on-the-cloud.html
/announcements/blog/copy-database-html-import-intelligent-chart-creation-and-themes-support-in-zoho-db-reports.html
/announcements/blog/create-zoho-creator-web-apps-from-microsoft-access-database.html
/announcements/blog/dabble-db-customers-migration-offer-from-zoho-creator.html
/announcements/blog/demo-account-in-zoho-writer-removed.html
/announcements/blog/discontinuing-support-for-ie6-in-zoho-applications-and-browser-share-for-saas-apps-is-different.html
/announcements/blog/eating-ones-own-dog-food.html
/announcements/blog/facebook-connect.html
/announcements/blog/format-your-columns-as-you-like-in-zoho-db-reports.html
/announcements/blog/general/general/general/page/2
/announcements/blog/general/general/general/page/3
/announcements/blog/general/general/page/10
/announcements/blog/general/general/page/11
/announcements/blog/general/general/page/12
/announcements/blog/general/general/page/13

IV. CREDITS
-------------------------
These vulnerabilities have been discovered by Juan Carlos García (@secnight)

V. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.
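The form condition reported under "INSECURE TRANSITION FROM HTTP TO HTTPS IN FORM", as an added example that is not part of the advisory or of Zoho's code: a standard-library scanner that lists every form on a page an on-path attacker could tamper with. A form on an http page is reported even when its action points at https, since whoever can rewrite the page can rewrite the action before the user submits; an https page whose form submits over http is reported as well. The page URLs, hostnames and HTML below are constructed samples.

```python
# Added example (not part of the advisory or of Zoho's code): list the forms
# on a page that a man-in-the-middle could tamper with, as the advisory
# describes. Standard library only; the sample pages are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, method) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("action"), (a.get("method") or "get").lower()))


def find_insecure_forms(page_url: str, page_html: str) -> list:
    """Return (resolved_action, reason) for each form exposed to tampering.

    A form on an http page is reported even when its action is https: the
    attacker who can rewrite the page can also rewrite the action before the
    user submits. An https page whose form submits over http is reported too."""
    parser = _FormCollector()
    parser.feed(page_html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action, _method in parser.forms:
        # An absent or empty action submits to the page's own URL.
        target = urljoin(page_url, action or "")
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme == "http":
            findings.append((target, "form delivered over http; page and action can be rewritten in transit"))
        elif target_scheme == "http":
            findings.append((target, "https page submits form over http"))
    return findings


# Constructed sample: a blog page served over plain http (the condition the
# advisory reports) carrying a login form that posts to https and a search
# form with no action attribute. Hostnames are placeholders.
HTTP_PAGE_URL = "http://www.example.com/announcements/blog/post.html"
HTTP_PAGE_HTML = """<html><body>
<form action="https://accounts.example.com/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form method="post"><input name="q"></form>
</body></html>"""

# Constructed sample: an https page whose search form still submits over http.
HTTPS_PAGE_URL = "https://www.example.com/index.html"
HTTPS_PAGE_HTML = '<form action="http://www.example.com/search"><input name="q"></form>'

if __name__ == "__main__":
    for url, doc in ((HTTP_PAGE_URL, HTTP_PAGE_HTML), (HTTPS_PAGE_URL, HTTPS_PAGE_HTML)):
        for target, reason in find_insecure_forms(url, doc):
            print(f"{url} -> {target}: {reason}")
```

The server-side fix is to deliver the page itself over HTTPS (redirect plain-http requests and send Strict-Transport-Security), not merely to point the form action at an https URL; the scanner's first rule encodes exactly that distinction.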