==============================================================================================
UNICREDITBANK Cross Site Scripting (& Dom Based) / File Upload / form without CSRF protection =
==============================================================================================

TIME-LINE VULNERABILITY

Multiples Advisories but Vendor not response 

Not Fixed

Full Disclosure


I. VULNERABILITY
-------------------------
#Title: UNICREDITBANK Cross Site Scripting (& Dom Based) / File Upload / Form without CSRF protection 

#Vendor:http://www.unicreditbank.ru/

#Author:Juan Carlos García (@secnight)

#Follow me 
 http://www.highsec.es
 HTTP://hackingmadrid.blogspot.com
Twitter:@secnight

II. DESCRIPTION
-------------------------

niCredit Bank is a Russian bank, operating in Russia since 1989. Ranked 8th by total assets based on H1 2013 results (Interfax-100 ranking), UniCredit Bank is the largest foreign bank in Russia.

UniCredit Bank is fully owned (100%) by UniCredit Bank Austria AG, Vienna, Austria, member of UniCredit.

The Bank benefits from its strong position in the large Russian corporate finance market and sustainable retail banking business.


UniCredit Bank at a glance

It was founded under the name of International Moscow Bank in 1989
105 branches in Russia and 1 Representative office in Belarus
Around 3798 employee
More than 1 298 000 retail customers *
More than 28 250 corporate clients
Ratings: BBB (Fitch), ВВВ (Standard & Poor’s)
Total assets: RUR 776.73 billion *
Equity: RUR 121.27 billion *
UniCredit Bank has General Licence for banking operations №1 of Bank of Russia

* As of 30.06.2013, according to consolidated financial statements of ZAO UniCredit Bank prepared in accordance with International Financial Reporting Standards.


III. PROOF OF CONCEPT
-------------------------

Cross site scripting
*********************

Vulnerability description
___________________________

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an 
attacker to send malicious code (usually in the form of Javascript) to another user.
Because a browser cannot know if the script should be trusted or not, it will execute
the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. 

This vulnerability affects

/rus/about/community/unicolours/frame.wbp. (46)


Attack details
**************

URL encoded GET input galleryId was set to 2_901827'():;955734

The input is reflected inside <script> tag between single quote

GET /rus/about/community/unicolours/frame.wbp?galleryId=2_901827%27%28%29%3a%3b955734&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c 



galleryId(15)

GET /rus/about/community/unicolours/frame.wbp?galleryId=2_935171%27%28%29%3a%3b994873&imgFull=/gallery/cats/8/full.jpg&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4 
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_985809%27%28%29%3a%3b936300&imgFull=/gallery/cats/9/full.jpg&imgId=0ae7d25c-056b-42d9-8abd-c38523785a81 
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_970273%27%28%29%3a%3b940959&imgFull=/gallery/cats/010/full.jpg&imgId=4f2a9956-83cd-498c-aa0e-9d491f2bf827
.
.
.



imageFull(15)



URL encoded GET input imgFull was set to /gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg_997700'():;932188

GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_997700%27%28%29%3a%3b932188&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_925822%27%28%29%3a%3b964844&imgId=09b5e392-a316-4a39-8a17-747273376016
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_992446%27%28%29%3a%3b941577&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4
.
.
.



imgId(15)

URL encoded GET input imgId was set to 1819ff22-ea3e-4b80-a8bf-711762ae252c_914453'():;909492

GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_914453%27%28%29%3a%3b909492
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/7/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_956295%27%28%29%3a%3b990851
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/8/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_925541%27%28%29%3a%3b927917 


DOM-based Cross-Site Scripting
******************************
Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /eng/reg/personal/deposits/index_special.wbp

Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /rus/reg/moscow/personal/deposits/index_special.wbp


Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /rus/reg/moscow/personal/remote_service/mobile_banking/smartphone.wbp


File upload
************

Vulnerability description
___________________________

This page allows visitors to upload files to the server. Various web applications allow users to upload files (such as pictures, images, sounds, ...).
Uploaded files may pose a significant risk if not handled correctly. 
A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

This vulnerability affects /rus/career/moscow/form.wbp. 


Attack details
______________

Form name: <empty>
Form action: http://www.unicreditbank.ru/rus/career/moscow/form.wbp?ok=true
Form method: POST

Form inputs:

resume [File]
vacancy [Hidden]
location [Hidden]
subject [Hidden]
Form [Hidden]


This vulnerability affects /rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp. 



Attack details
Form name: <empty>
Form action: http://www.unicreditbank.ru/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp?ok=true&formclass=debitcards
Form method: POST

Form inputs:

Form [Hidden]
fio [Text]
officeCITY [Select]
city [Radio]
file [File]
SUBJECT [Hidden]
agree [Checkbox]
Confirmation [Text]




HTML form without CSRF protection
*********************************

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website 

trusts.

Affected items
__________________

/eng/career/form1.wbp 
/eng/feedback.wbp 
/eng/index.wbp 
/rus/career/form1.wbp 
/rus/career/moscow/form.wbp (4bd115b5b2d18b05418cd5215414de73) 
/rus/feedback/form_tab_consult.wbp 
/rus/feedback/form_tab_quality.wbp 
/rus/index.wbp 
/rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everyday_archive.wbp 
/rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everymonth_archive.wbp 
/rus/reg/menu_4/personal/rko/cash/currency_rates/everyday_archive.wbp 
/rus/reg/menu_4/personal/rko/cash/currency_rates/everymonth_archive.wbp 
/rus/reg/moscow/banks/finmarket/analytics/form.wbp 
/rus/reg/moscow/banks/finmarket/analytics/form_question.wbp 
/rus/reg/moscow/corporate/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd) 
/rus/reg/moscow/corporate/finmarket/analytics/form.wbp 
/rus/reg/moscow/corporate/finmarket/analytics/form_question.wbp 
/rus/reg/moscow/personal/calc_uni.wbp 
/rus/reg/moscow/personal/car/express/calc_new.wbp 
/rus/reg/moscow/personal/car/gfauto/form.wbp 
/rus/reg/moscow/personal/car/usedauto/calc_used.wbp 
/rus/reg/moscow/personal/cardscredit/autocard/form.wbp 
/rus/reg/moscow/personal/cardsdebit/post/ruspost_form.wbp 
/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp 
/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp (65825570bed58511936e2cc0df9d839c) 
/rus/reg/moscow/personal/consumer/form.wbp (56f3984593e2b24d64f498660d69a303) 
/rus/reg/moscow/personal/consumer/refund/calc.wbp 
/rus/reg/moscow/personal/deposits/choise/form.wbp 
/rus/reg/moscow/personal/deposits/incomecalc.wbp 
/rus/reg/moscow/personal/investments_savings/mutual_fund/form.wbp 
/rus/reg/moscow/personal/mortgage/form_new.wbp 
/rus/reg/moscow/personal/mortgage/index.wbp 
/rus/reg/moscow/personal/mortgage/purpose/form.wbp 
/rus/reg/moscow/personal/mortgage/purpose/icalc.wbp 
/rus/reg/moscow/personal/rko/cash/currency_rates/everyday_archive.wbp 
/rus/reg/moscow/private_banking/form.wbp 
/rus/reg/moscow/private_banking/mc_worldelite/form.wbp 
/rus/reg/moscow/small/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd) 
/rus/reg/moscow/small/loans/auto/smbusinesscredit.wbp 
/rus/reg/moscow/small/loans/smbusinesscredit.wbp (de98d6510bf3ecab0c54afbe38ff23de) 
/rus/reg/moscow/small/package/forbusiness.wbp (00f973dc51d2e6a1ab71991ad9dac9a1) 
/rus/reg/moscow/small/payroll/form.wbp 
/rus/reg/moscow/small/rko/accounts/form.wbp (6923d688f3615c0326f50458f34e6048) 
/rus/reg/moscow/unicredit_primeclub/dolce_vite/events/form.wbp 
/rus/reg/moscow/unicredit_primeclub/dolce_vite/feedback.wbp 
/rus/reg/moscow/unicredit_primeclub/form.wbp 
/rus/reg/moscow/unicredit_primeclub/recepient.wbp 
/rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everyday_archive.wbp 
/rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everymonth_archive.wbp 
/rus/reg/saint_petersburg/small/rko/accounts/form.wbp 
/rus/reg/sochi/personal/rko/cash/currency_rates/everyday_archive.wbp 
/rus/reg/sochi/personal/rko/cash/currency_rates/everymonth_archive.wbp 
/rus/reg/tyumen/personal/rko/cash/currency_rates/everyday_archive.wbp 
/rus/reg/tyumen/personal/rko/cash/currency_rates/everymonth_archive.wbp 
/rus/rss.wbp 
/rus/search.wbp (e3a1a6c4fc11fd7517bb1d4cff832bb2) 
/rus/subscribe.wbp 

The impact of this vulnerability
__________________________________
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the 

administrator account, this can compromise the entire web application.

How to fix this vulnerability
_________________________________
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.



IV. BUSINESS IMPACT
-------------------------

(...)

V SOLUTION
------------------------
Write Secure Code


VI. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)


VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.