Title: ====== Private Photos v1.0 iOS - Persistent Path Web Vulnerability Date: ===== 2013-07-25 References: =========== http://www.vulnerability-lab.com/get_content.php?id=1034 VL-ID: ===== 1034 Common Vulnerability Scoring System: ==================================== 3.5 Introduction: ============= You must have some private photos you don`t want others peeping. Private photos is the perfect app to keep your private photos safely in your iPad. Photos are protected by a password and you won`t worry your privacy when friends playing your iPad. Now you can enjoy your private photos anytime, anywhere with your iPad. The built-in viewer can zoom in, zoom out, and slideshow photos, just like the experience with the native photos app. Highlighted features: - One password protection for photos viewing and transferring - Web access via WIFI - Multiple photos transferring - Multi-touch support: swipe, zoom - Slide show Transferring your photos to the app is simple. You can easily access your private photos via WIFI from desktop/laptop`s web browser (Make sure your desktop/laptop is in the same WIFI network as your iPad). When connected to your iPad from web browser, you can select and transfer multiple photos with one click. The transferring is also protected by the same password. (Copy of the Homepage: https://itunes.apple.com/de/app/my-private-photos/id427134970 ) Abstract: ========= The Vulnerability Laboratory Research Team discovered 2 persistent web vulnerabilities in the Private Photos v1.0 application (Apple iOS - iPad & iPhone). Report-Timeline: ================ 2013-07-25: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== Apple AppStore Product: Private Photos 1.0 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== A persistent input validation web vulnerability is detected in the Private Photos v1.0 application (Apple iOS - iPad & iPhone). The bug allows an attacker (remote) to implement/inject malicious own malicious persistent script codes (application side). The vulnerability is located in the `Add Directory` module of the web-server (http://localhost:8080) when processing to request via POST method manipulated `folder-names`. The folder name will be changed to the path value without secure filter, encode or parse. The injected script code will be executed in the path listing were the attacker injected earlier the code and of course also in the index listing of the mobile web application. There is a security protection to filter single and double quotes. When processing to inject the code a messagebox pops up with the illegal characters exception. To bypass the exception the remote attacker can use simple obfuscated strings, embed code or html/js script codes (frames, scripts, img, embed and co.) without single & double quotes. Exploitation of the persistent web vulnerability requires low user interaction and a local low privilege mobile application account with a password. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, persistent phishing or persistent module context manipulation. Vulnerable Application(s): [+] Private Photos v1.0 - ITunes or AppStore (Apple) Vulnerable Module(s): [+] Add Directory Vulnerable Parameter(s): [+] path (DIRECTORYNAME) Affected Module(s): [+] Index Listing [+] Path/Folder Listing Proof of Concept: ================= The persistent input validation web vulnerability can be exploited by remote attackers with low privilege application user account and low or medium required user interaction. For demonstration or reproduce ... PoC: Add Directory <strong style="position:absolute; color:#226ebc; left:12px; top:0px; font-size:20px;">Private Photos</strong> <div style="position:absolute; font-size:15px; color:#444; right:12px; top:20px; font-size:15px; line-height:24px; text-align:right; width:360px;"><strong style="color:#F30;">The free version only allows 100 photos!</strong> <br><strong>Get the full verison in <a href="http://itunes.apple.com/app/id427134970?mt=8" style="color:#F60;" target="_blank">App Store</a></strong></div></div> <div class="topbar_2" style="color:#FFC;"> <span style="position:absolute; right:10px;"><a href="javascript:addFolder();"> Add Directory</a> | <a id="AllSelect" href="javascript:selectAll()">Select All</a> | <a href="javascript:if(confirm('Are%20you%20sure%20to%20delete?'))delPhoto();" id="del" style="color:#F30;">Delete</a></span> <span style="position:absolute; left:10px;">Photos/ ><[PERSISTENT INJECTED SCRIPT CODE VIA ADD DIRECTORY NAME]">/ <a href="javascript:window.location.href='..'" style="color:#F60"> <<Up Level</a></span><span id="photoCount"></span> Note: The application will attach the injected payload to the main server as folder/path name. example: http://localhost:8080/[payload]< Solution: ========= The vulnerability can be patched by a restriction of the foldername input and a secure encoding of the input. The output location of the foldername and path needs to be filtered and encoded by a secure mechanism. Risk: ===== The security risk of the persistent script code inject web vulnerability is estimated as medium. Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright � 2013 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.comБрой прочитания на тази страница: 1262
Private Photos 1.0 iOS – Persistent XSS