=============================================================================================================================================================================================== Ebuddy Web Messenger Index of Disclosure / htaccess file readable / HTML Form without CSRF Protection / User Credential sent in clear text =============================================================================================================================================================================================== I. VULNERABILITY ------------------------- #Title: Ebuddy htaccess file readable / HTML Form without CSRF Protection / User Credential sent in clear text #Vendor:httpS://www.ebuddy.com/ #Author:Juan Carlos García (@secnight) #Follow me http://www.highsec.es Twitter:@secnight II. DESCRIPTION ------------------------- XMS: Free, real-time messaging app for smartphones Unlimited messaging through your Internet connection Message any way you want with text, pictures, videos, location and more. Brought to you by the messaging pros at eBuddy III. PROOF OF CONCEPT ------------------------- Index of / Disclosure ********************* http://web.ebuddy.com/?startsession=1 htaccess file readable *********************** Vulnerability description -------------------------- This directory contains an .htaccess file that is readable. This may indicate a server misconfiguration. htaccess files are designed to be parsed by web server and should not be directly accessible. These files could contain sensitive information that could help an attacker to conduct further attacks. It's recommended to restrict access to this file. Affected items / The impact of this vulnerability --------------------------------- Sensitive information disclosure. Request GET /.htaccess HTTP/1.1 Cookie: language=en-GB; e_network=MASTER Html Response ------------- DirectoryIndex index.html ErrorDocument 404 /404.html # Turning on the rewrite engine is necessary for the following rules and features. # FollowSymLinks must be enabled for this to work. Options +FollowSymlinks RewriteEngine On # Rewrite "www.example.com -> example.com" RewriteCond %{HTTPS} !=on RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L] RewriteRule ^(feedback/) - [L] RewriteRule ^(php/) - [L] RewriteRule ^(.*)\.php$ /$1.html [R=301,L] RewriteRule ^advertising/(.*)$ /advertising.html [L,R=301] RewriteRule ^iphone(.*)$ /products.html [L,R=301] RewriteRule ^android(.*)$ /products.html [L,R=301] RewriteRule ^mobile(.*)$ /products.html [L,R=301] RewriteRule ^ebuddy_id(.*)$ /index.html [L,R=301] RewriteRule ^webmessenger(.*)$ /index.html [L,R=301] RewriteRule ^landing/(.*)$ /picture.html [L,R=301] RewriteRule ^psp(?:/.*)?$ http://m.ebuddy.com/psp [L,R=301] # fd=1 --> force desktop website RewriteCond %{QUERY_STRING} !"(?:^|&)fd=(?:1|true)(?:&|$)" [NC] RewriteCond %{HTTP_USER_AGENT} !"googlebot" [NC] RewriteCond %{HTTP_ACCEPT} "text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "windows ce|psp|nitro|symbian|nintendo|htc|mobile|nokia|mot-|sonyerricson|samsung|alcatel|opera mini| j2me|midp-|cldc-|netfront" [NC] RewriteRule (^$|^index.html$) http://m.ebuddy.com/ [L,R=302] RewriteCond %{QUERY_STRING} !"(?:^|&)fd=(?:1|true)(?:&|$)" [NC] RewriteCond %{HTTP_USER_AGENT} !"googlebot" [NC] RewriteCond %{HTTP_ACCEPT} "text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos" [NC,OR] RewriteCond %{HTTP_USER_AGENT} "windows ce|psp|nitro| symbian|nintendo|htc|mobile|nokia|mot-|sonyerricson|samsung|alcatel|opera mini|j2me|midp-|cldc-|netfront" [NC] RewriteRule (^picture.html$) http://m.ebuddy.com/landing.php [L,R=302] #### ## Unknown stuff #### # ---------------------------------------------------------------------- # Better website experience for IE users # ---------------------------------------------------------------------- # Force the latest IE version, in various cases when it may fall back to IE7 mode # github.com/rails/rails/commit/123eb25#commitcomment-118920 # Use ChromeFrame if it's installed for a better experience for the poor IE folk Header set X-UA-Compatible "IE=Edge,chrome=1" # mod_headers can't match by content-type, but we don't want to send this header on *everything*... Header unset X-UA-Compatible # ---------------------------------------------------------------------- # CORS-enabled images (@crossorigin) # ---------------------------------------------------------------------- # Send CORS headers if browsers request them; enabled by default for images. # developer.mozilla.org/en/CORS_Enabled_Image # blog.chromium.org/2011/07/using-cross- domain-images-in-webgl-and.html # hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/ # wiki.mozilla.org/Security/Reviews/crossoriginAttribute # mod_headers, y u no match by Content-Type?! SetEnvIf Origin ":" IS_CORS Header set Access-Control-Allow-Origin "*" env=IS_CORS # ---------------------------------------------------------------------- # Webfont access # ---------------------------------------------------------------------- # Allow access from all domains for webfonts. # Alternatively you could only whitelist your # subdomains like "subdomain.example.com". Header set Access-Control-Allow-Origin "*" # ---------------------------------------------------------------------- # Gzip compression # ---------------------------------------------------------------------- # Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/ SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding # HTML, TXT, CSS, JavaScript, JSON, XML, HTC: FilterDeclare COMPRESS FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml FilterProvider COMPRESS DEFLATE resp=Content-Type $text/x-component FilterProvider COMPRESS DEFLATE resp=Content- Type $application/javascript FilterProvider COMPRESS DEFLATE resp=Content-Type $application/json FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xhtml+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/rss+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/atom+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $application/vnd.ms-fontobject FilterProvider COMPRESS DEFLATE resp=Content-Type $image/svg+xml FilterProvider COMPRESS DEFLATE resp=Content-Type $image/x-icon FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-font-ttf FilterProvider COMPRESS DEFLATE resp=Content-Type $font/opentype FilterChain COMPRESS FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no # Legacy versions of Apache AddOutputFilterByType DEFLATE text/html text/plain text/css application/json AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE text/xml application/xml text/x-component AddOutputFilterByType DEFLATE application/xhtml+xml application/rss+xml application/atom+xml AddOutputFilterByType DEFLATE image/x- icon image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype # ---------------------------------------------------------------------- # Expires headers (for better cache control) # ---------------------------------------------------------------------- # These are pretty far-future expires headers. # They assume you control versioning with cachebusting query params like # HTML form without CSRF protection ******************************** Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Affected items / /ar /bg-ID /bs /cs /da /de /el /es /et /fa /fr /he /hu /id /is /it /ms /nl /no /pl /pt /pt-BR /ro /ru /sk /sl /sv /th /tr /vi /zh /zh-TW The impact of this vulnerability --------------------------------- An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. Example Affected items / Attack details Form name: login-form Form action: http://www.ebuddy.com/ Form method: POST Form inputs: username [Text] password [Password] remember [Checkbox] signinoffline [Checkbox] network [Hidden] User credentials are sent in clear text *************************************** Vulnerability description ------------------------ User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users. Affected items -------------- / /ar /bg-ID /bs /cs /da /de /el /es /et /fa /fr /he /hu /id /is /it /ms /nl /no /pl /pt /pt-BR /ro /ru /sk /sl /sv /th /tr /vi /zh /zh-TW The impact of this vulnerability --------------------------------- A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection Example: Affected Item / Attack details Form name: login-form Form action: http://www.ebuddy.com/ Form method: POST Form inputs: username [Text] password [Password] remember [Checkbox] signinoffline [Checkbox] network [Hidden] IV. BUSINESS IMPACT ------------------------- This type of failure Messengers line they have so many customers are extremely dangerous because they can be a serious impact on customers and users V SOLUTION ------------------------ Write Secure Code VI. CREDITS ------------------------- This vulnerability has been discovered by Juan Carlos García(@secnight) Special Thnaks:Perseo VII. LEGAL NOTICES ------------------------- The Author accepts no responsibility for any damage caused by the use or misuse of this information.