List: bugtraq
Subject: Private Photos v1.0 iOS - Persistent Path Web Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-07-28 20:56:37
Message-ID: 51F58585.8000805 () vulnerability-lab ! com
Title:
======
Private Photos v1.0 iOS - Persistent Path Web Vulnerability
Date:
=====
2013-07-25
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1034
VL-ID:
=====
1034
Common Vulnerability Scoring System:
====================================
3.5
Introduction:
=============
You must have some private photos you don't want others peeping at. Private Photos is the perfect app to keep your private photos safely on your iPad. Photos are protected by a password and you won't need to worry about your privacy when friends are playing with your iPad.
Now you can enjoy your private photos anytime, anywhere with your iPad. The built-in viewer can zoom in, zoom out, and slideshow photos, just like the experience with the native Photos app.
Highlighted features:
- One password protection for photo viewing and transferring
- Web access via WIFI
- Multiple photo transferring
- Multi-touch support: swipe, zoom
- Slide show
Transferring your photos to the app is simple. You can easily access your private photos via WIFI from your desktop/laptop's web browser (make sure your desktop/laptop is in the same WIFI network as your iPad). When connected to your iPad from the web browser, you can select and transfer multiple photos with one click. The transfer is also protected by the same password.
(Copy of the Homepage: https://itunes.apple.com/de/app/my-private-photos/id427134970)
Abstract:
=========
The Vulnerability Laboratory Research Team discovered 2 persistent web vulnerabilities in the Private Photos v1.0 application (Apple iOS - iPad & iPhone).
Report-Timeline:
================
2013-07-25: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Apple AppStore
Product: Private Photos 1.0
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
A persistent input validation web vulnerability is detected in the Private Photos v1.0 application (Apple iOS - iPad & iPhone). The bug allows a remote attacker to inject malicious persistent script code on the application side.
The vulnerability is located in the `Add Directory` module of the web server (http://localhost:8080) when it processes manipulated `folder-names` sent via a POST request. The folder name is written to the path value without secure filtering, encoding or parsing. The injected script code is executed in the path listing where the attacker injected the code earlier, and also in the index listing of the mobile web application.
There is a security protection that filters single and double quotes: when such code is submitted, a message box pops up with an illegal-characters exception. To bypass this check the remote attacker can use simple obfuscated strings, embed code or html/js script code (frames, scripts, img, embed and co.) that contains no single or double quotes.
Exploitation of the persistent web vulnerability requires low user interaction and a local low-privilege mobile application account with a password. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account theft via persistent web attacks, persistent phishing or persistent module context manipulation.
Vulnerable Application(s):
[+] Private Photos v1.0 - ITunes or AppStore (Apple)
Vulnerable Module(s):
[+] Add Directory
Vulnerable Parameter(s):
[+] path (DIRECTORYNAME)
Affected Module(s):
[+] Index Listing
[+] Path/Folder Listing
Proof of Concept:
=================
The persistent input validation web vulnerability can be exploited by remote attackers with a low-privilege application user account and low or medium required user interaction. For demonstration or reproduction ...
PoC: Add Directory
<strong style="position:absolute; color:#226ebc; left:12px; top:0px; font-size:20px;">Private Photos</strong> <div style="position:absolute; font-size:15px; color:#444; right:12px; top:20px; font-size:15px; line-height:24px; text-align:right; width:360px;"><strong style="color:#F30;">The free version only allows 100 photos!</strong> <br><strong>Get the full verison in <a href="http://itunes.apple.com/app/id427134970?mt=8" style="color:#F60;" target="_blank">App Store</a></strong></div></div>
<div class="topbar_2" style="color:#FFC;">
<span style="position:absolute; right:10px;"><a href="javascript:addFolder();">
Add Directory</a> | <a id="AllSelect" href="javascript:selectAll()">Select All</a>
| <a href="javascript:if(confirm('Are%20you%20sure%20to%20delete?'))delPhoto();"
id="del" style="color:#F30;">Delete</a></span>
<span style="position:absolute; left:10px;">Photos/ ><[PERSISTENT INJECTED SCRIPT CODE VIA ADD DIRECTORY NAME]">/ <a href="javascript:window.location.href='..'" style="color:#F60"> <<Up
Level</a></span><span id="photoCount"></span>
Note: The application attaches the injected payload to the main server as the folder/path name, for example: http://localhost:8080/[payload]
Solution:
=========
The vulnerability can be patched by restricting the folder name input and securely encoding it. The output locations of the folder name and path (index listing and path/folder listing) need to be filtered and encoded by a secure mechanism.
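To make the fix concrete, the following added example (not code from the Private Photos app or from the advisory author; the function names and sample inputs are assumptions constructed for this illustration) contrasts the quote-only filter described under Details with an allowlist check on the folder name at input time plus HTML encoding and URL encoding of the same value at output time, which is the combination the Solution calls for:

```javascript
// Added example, not code from the Private Photos app or from the advisory author.
// It contrasts the quote-only filter the advisory describes with allowlist
// validation on input plus HTML/URL encoding on output for the folder listing.
// All function names and the sample inputs below are constructed for this example.

// Weak check as described in the advisory: only ' and " are rejected,
// so any markup written without quotes passes.
function quoteOnlyCheck(name) {
  return !/['"]/.test(name);
}

// Hardened input check: allowlist of safe characters, bounded length,
// and no "." / ".." path components.
const FOLDER_NAME_RE = /^[A-Za-z0-9 _.-]{1,64}$/;
function isValidFolderName(name) {
  return FOLDER_NAME_RE.test(name) && name !== '.' && name !== '..';
}

// Encode the five HTML-significant characters before the value is
// placed in markup, regardless of what input validation accepted.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Rendering as in the PoC markup: the raw folder name is spliced into the breadcrumb.
function renderBreadcrumbUnsafe(folder) {
  return '<span>Photos/ &gt;' + folder + '/</span>';
}

// Hardened rendering: reject invalid names, HTML-encode on output, and
// URL-encode the same value where it becomes part of a link target.
function renderBreadcrumbSafe(folder) {
  if (!isValidFolderName(folder)) {
    throw new Error('invalid folder name');
  }
  const href = '/' + encodeURIComponent(folder) + '/';
  return '<span>Photos/ &gt;<a href="' + href + '">' + htmlEncode(folder) + '</a>/</span>';
}

// Constructed sample inputs: a normal name and a quote-free markup string
// of the kind the advisory says slips past the quote filter.
const GOOD_NAME = 'Holiday 2013';
const QUOTELESS_MARKUP = '<img src=x onerror=alert(1)>';
```

The quote-only check accepts QUOTELESS_MARKUP and the unsafe renderer emits it as live markup, while the allowlist rejects it and the safe renderer would emit only encoded text even if the allowlist were later relaxed.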
Risk:
=====
The security risk of the persistent script code injection web vulnerability is estimated as medium.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com