*FC2 & Rakuten Online Websites Multiple XSS (Cross-site Scripting) and Open
Redirect Cyber Vulnerabilities *




FC2 and Rakuten are the first and second top ranking Japanese local online
websites. This post introduces several XSS (Cross-site Scripting) and Open
Redirect bugs of them.



The Alexa rank of fc2.com is 52 on February 18 2015 and the related rank in
Japan is 4. The Alexa rank of rakuten.co.jp is 64 on May 29 2015 and the
related rank is japan is 7.




Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore. (@justqdjing)
http://www.tetraph.com/wangjing






*(1) FC2 XSS (cross site scripting) & Open Redirect*



*Domain:*
blog.fc2.com/


"FC2 (founded July 20, 1999) is a popular Japanese blogging host, the third
most popular video hosting service in Japan (after YouTube and Niconico),
and a web hosting company headquartered in Las Vegas, Nevada. It is the
sixth most popular website in Japan overall (as of January 2014). FC2 is an
abbreviation of "Fantastic Kupi-Kupi (クピクピ)". It is known to allow
controversial adult content such as pornography and hate speech (unlike
many of its competitors). The company uses rented office space for its
headquarters which it shares with many other U.S.-based businesses. It also
pays taxes in the United States. The physical servers are located in the
United States. However, it is believed that the majority of the company and
its users (including employees) are located within Japan" (Wikipedia)


The Alexa rank of fc2.com is 52 on February 18 2015. It is the top one
Japanese local website service.





*(1.1) FC2 fc2.com <http://fc2.com> Online Website URLs XSS (cross site
scripting) Vulnerabilities (All URLs Under Domain blog.fc2.com/tag
<http://blog.fc2.com/tag>)*




*Vulnerability description:*

FC2 has a computer cyber security bug problem. It is vulnerable to XSS
attacks. Here is the description of XSS: "Hackers are constantly
experimenting with a wide repertoire of hacking techniques to compromise
websites and web applications and make off with a treasure trove of
sensitive data including credit card numbers, social security numbers and
even medical records. Cross-site Scripting (also known as XSS or CSS) is
generally believed to be one of the most common application layer hacking
techniques Cross-site Scripting allows an attacker to embed malicious
JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic
page to fool the user, executing the script on his machine in order to
gather data. The use of XSS might compromise private information,
manipulate or steal cookies, create requests that can be mistaken for those
of a valid user, or execute malicious code on the end-user systems. The
data is usually formatted as a hyperlink containing malicious content and
which is distributed over any possible means on the internet." (Acunetix)




The programming code flaw occurs at fc2 URLs' filenames . Fc2 only filter
part of the filenames in the urls. Almost all urls are affected under
domain blog.fc2.com/tag are affected. i.e.
http://blog.fc2.com/tag/drug/
http://blog.fc2.com/tag//アメリカ/
http://blog.fc2.com/tag/tag/翻訳
http://blog.fc2.com/tag//>レシピブログに参加中♪



The vulnerability can be attacked without user login. Tests were performed
on Firefox (37.02) in Ubuntu (14.04) and IE (9.0.15) in Windows 7.


POC Code:
http://blog.fc2.com/tag/drug//"><img src=x onerror=prompt('justqdjing')>
http://blog.fc2.com/tag//アメリカ//"><img src=x onerror=prompt('justqdjing')>
http://blog.fc2.com/tag/tag/翻訳//"><img src=x onerror=prompt('justqdjing')>
http://blog.fc2.com/tag//>レシピブログに参加中//"><img src=x
onerror=prompt('justqdjing')>







*Poc Video:*
https://www.youtube.com/watch?v=jQ8dLbno6JQ


*Blog Detail:*
http://tetraph.com/security/xss-vulnerability/fc2-blog-xss/
http://securityrelated.blogspot.com/2015/06/fc2-fc2com-online-website-urls-xss.html







*(1.2) FC2 Online Web Service Open Redirect (Unvalidated Redirects and
Forwards) Cyber Security Vulnerabilities*



*(1.2.1) Vulnerability Description:*

FC2 online web service has a computer cyber security bug problem. It can be
exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks.
Here is the description of Open Redirect: "An open redirect is an
application that takes a parameter and redirects a user to the parameter
value without any validation. This vulnerability is used in phishing
attacks to get users to visit malicious sites without realizing it."  One
consequences of it is Phishing. (OWASP)


The program code flaw can be attacked without user login. Tests were
performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox
(37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2)，Apple
Safari 6.1.6 of Mac OS X v10.9 Mavericks.


In fact, during the test, it is not hard to find URL Redirection bugs in
FC2. Maybe fc2.com pays little attention to mitigate these Vulnerabilities.
These bugs were found by using URFDS.





*(1.2.2)* Use one of webpages for the following tests. The webpage address
is "http://securitypost.tumblr.com/". Can suppose that this webpage is
malicious.


Vulnerable URL 1:
http://blog.fc2.com/?jump=http%3A%2F%2Ffc2.com%2F

POC Code:
http://blog.fc2.com/?jump=http://www.tetraph.com/essayjeans/poems/distance.html



Vulnerable URL 2:
http://blogranking.fc2.com/out.php?id=104304&url=http%3A%2F%2Ffc2.com%2F

POC Code:
http://blogranking.fc2.com/out.php?id=104304&url=http://www.tetraph.com/essayjeans/poems/distance.html






*Poc Video:*
https://www.youtube.com/watch?v=r8vU2Z-ueQI


*Blog Detail:*
http://tetraph.com/security/open-redirect/fc2-service-open-redirect/
http://securityrelated.blogspot.com/2015/06/fc2-online-web-service-open-redirect.html





*(1.3) Vulnerability Disclosure:*
Those vulnerabilities were reported to rakuten-cert@rakuten.co.jp in 2014.
No one replied. Until now, they are still unpatched.









*(2) Rakuten XSS (cross site scripting) & Open Redirect*




*Domain:*
rakuten.com

"Rakuten, Inc. (楽天株式会社 Rakuten Kabushiki-gaisha?) is a Japanese electronic
commerce and Internet company based in Tokyo, Japan. Its B2B2C e-commerce
platform Rakuten Ichiba is the largest e-commerce site in Japan and among
the world’s largest by sales. Hiroshi Mikitani founded the company in
February 1997 as MDM, Inc., and is still its chief executive. Rakuten
Shopping Mall (楽天市場 Rakuten Ichiba?) started operations in May 1997. In
June 1999, the company changed its name to Rakuten, Inc. The Japanese word
rakuten means optimism. In 2012, the company's revenues totaled US$4.6
billion with operating profits of about US$244 million. In June 2013,
Rakuten, Inc. reported it had a total of 10,351 employees worldwide. In
2005, Rakuten started expanding outside Japan, mainly through acquisitions
and joint ventures. Its acquisitions include Buy.com (now Rakuten.com
Shopping in the US), Priceminister (France), Ikeda (now Rakuten Brasil),
Tradoria (now Rakuten Deutschland), Play.com (UK), Wuaki.tv (Spain), and
Kobo Inc. (Canada). The company has investments in Pinterest, Ozon.ru, AHA
Life, and Daily Grommet."  (Wikipedia)


The Alexa rank of rakuten.co.jp is 64 in May 29 2015. It is the second top
Japanese local service website.





*(2.1) Rakuten Website Search Page XSS (cross site scripting) Web Security
Vulnerability*

*(2.1.1) Vulnerability description:*
rakuten.de has a computer science security bug problem. It is vulnerable to
XSS attacks. Here is the description of XSS: "Cross-Site Scripting (XSS)
attacks are a type of injection, in which malicious scripts are injected
into otherwise benign and trusted web sites. XSS attacks occur when an
attacker uses a web application to send malicious code, generally in the
form of a browser side script, to a different end user. Flaws that allow
these attacks to succeed are quite widespread and occur anywhere a IEEE web
application uses input from a user within the output it generates without
validating or encoding it." (OWSAP)






*(2.1.2) *The program code flaw occurs at "&q" parameter in at
"suchen/asd/?" pages, i.e.
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=reddit_nice_music_news



The vulnerability can be attacked without user login. Tests were performed
on Firefox (37.02) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 7. The
bugs were found by using CSXDS.


Vulnerable URLs:
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=adcash_shopping_payment


POC Code:
http://www.rakuten.de/suchen/asd/?category_hierarchy=0&q=adcash_shopping_payment'
/"><img src=x onerror=prompt(/tetraph/)>






*Poc Video:*
https://www.youtube.com/watch?v=FK7nmuRupJI


*Blog Detail:*
https://vulnerabilitypost.wordpress.com/2015/06/11/rakuten-xss/
http://securityrelated.blogspot.com/2015/06/rakuten-website-search-page-xss-cross.html






*(2.1.3) Vulnerability Disclosure:*
Those vulnerabilities are patched now.







*(2.2) Rakuten Online Website Open Redirect (URL Redirection) Cyber
Security Vulnerabilities*



*(2.2.1) Vulnerability Description:*

Rakuten online website has a computer engineering security bug problem. It
can be exploited by URL Redirection (Unvalidated Redirects and Forwards)
attacks. Here is the description of Open Redirect: "A web application
accepts a user-controlled input that specifies a link to an external site,
and uses that link in a Redirect. This simplifies phishing attacks. An http
parameter may contain a URL value and could cause the web application to
redirect the request to the specified URL. By modifying the URL value to a
malicious site, an attacker may successfully launch a phishing scam and
steal user credentials. Because the server name in the modified link is
identical to the original site, phishing attempts have a more trustworthy
appearance." (From CWE)


"The Full Disclosure mailing list is a public forum for detailed discussion
of vulnerabilities and exploitation techniques, as well as tools, papers,
news, and events of interest to the community. FD differs from other
security lists in its open nature and support for researchers' right to
decide how to disclose their own discovered bugs. The full disclosure
movement has been credited with forcing vendors to better secure their
products and to publicly acknowledge and fix flaws rather than hide them.
Vendor legal intimidation and censorship attempts are not tolerated here!"
A great many of the fllowing web securities have been published here,
Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL
injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated
Redirects and Forwards, Information Leakage, Denial of Service, File
Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML
Injection, Spam.


The program code flaw can be attacked without user login. Tests were
performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox
(37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2)，Apple
Safari 6.1.6 of Mac OS X v10.9 Mavericks.


Since know only a little Japanese, not sure whether Rakuten pays much
attention to Open Redirect Vulnerabilities or not.





*(2.2.2)* Use one of webpages for the following tests. The webpage address
is "http://www.inzeed.com/kaleidoscope/". Can suppose that this webpage is
malicious.



Vulnerable URL 1:
http://account.rakuten-sec.co.jp/cgi-bin/btracking?URL=https://www.netflix.com/movies/

POC Code:
http://account.rakuten-sec.co.jp/cgi-bin/btracking?URL=http://www.inzeed.com/kaleidoscope/




Vulnerable URL 2:
http://affiliate.rakuten.com/fs-bin/click?u1=no_refer&id=Jv*v1/Wldzg&subid=0&offerid=229300.1&type=10&tmpid=6933&RD_PARM1=http%3A%2F%2Fadcash.com%2fmoney

POC Code:
http://affiliate.rakuten.com/fs-bin/click?u1=no_refer&id=Jv*v1/Wldzg&subid=0&offerid=229300.1&type=10&tmpid=6933&RD_PARM1=http://www.inzeed.com/kaleidoscope/




Vulnerable URL 3:
http://clickfrom.rakuten.com/default.asp?adid=17379&sURL=http%3A%2F%2Fwww.craigslist.org

POC Code:
http://clickfrom.rakuten.com/default.asp?sURL=http://www.inzeed.com/kaleidoscope/






*Poc Video:*
https://www.youtube.com/watch?v=uxsuLgAdpCw


*Blog Detail:*
http://tetraph.com/security/open-redirect/rakuten-open-redirect/
http://securityrelated.blogspot.com/2015/06/rakuten-open-redirect.html





*(2.2.3) Vulnerability Disclosure:*
Those vulnerabilities are not patched now.








*More Details:*
http://tetraph.com/security/web-security/fc2-rakuten-xss-and-url-redirection/
http://securityrelated.blogspot.com/2015/06/fc2-rakuten-online-websites-multiple.html






--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing