
List:       full-disclosure
Subject:    [Full-disclosure] eBank IT Online Banking - Multiple Web Vulnerabilities
From:       "research () vulnerability-lab ! com" <research () vulnerability-lab ! com>
Date:       2012-01-28 12:40:07
Message-ID: 4F23ECA7.9040505 () vulnerability-lab ! com

Title:
======
eBank IT Online Banking - Multiple Web Vulnerabilities


Date:
=====
2012-01-26


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=313


VL-ID:
=====
313


Introduction:
=============
As a leading provider of innovative online banking software solutions, eBank-IT! provides
an accessible venue for offering a full-valued online banking platform to your clients,
using a cross-browser interface that's secure and free of complexities and considering
maximum privacy and data protection procedures, as well as a wide scope of contenual
functionalities, which exceed the standard scope of most major online banking systems
in the world.

(Copy of the Vendor Website: http://www.ebank-it.com/ )


Abstract:
=========
Vulnerability-Lab Team (Chokri B.A.) discovered multiple reflective web vulnerabilities in the
Online Banking Software eBank-IT.


Report-Timeline:
================
2011-11-08:	Vendor Notification
2011-**-**:	Vendor Response/Feedback
2011-**-**:	Vendor Fix/Patch
2012-01-27:	Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Multiple reflective cross-site scripting vulnerabilities were detected in the online banking software
eBank-IT. The bug allows a remote attacker to inject malicious script code on the application
side. Successful exploitation of the vulnerability allows an attacker to manipulate specific
modules and can lead to session hijacking (user/mod/admin).


Vulnerable Module(s):
    [+] login
    [+] requestpw

Pictures:
    ../1.png
    ../2.png


Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with low user interaction required.
For demonstration or reproduce ...

<tr>
  <td width="7%"> <img src="images2/icons/error.gif"></td>
  <td width="94%" class="cal_font">\"><img src=http://www.vulnerability-lab.com/gfx/partners/vlab.png /> </td> </tr>

<tr>
  <td colspan="3" align="center">\"><img src=http://www.vulnerability-lab.com/gfx/partners/vlab.png /> </td> </tr>
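The PoC output above is instructive from the defender's side: the double quote in the reflected parameter comes back with a backslash in front of it, yet the tag that follows it is rendered, because a quote-only escape (addslashes-style) does nothing to `<` and `>`. The following is an added example, not code from the advisory or from the eBank-IT product; the row template and the two encoder functions are assumptions modelled on the error cell shown in the PoC, and the sample input is a constructed markup probe. It renders the same fragment with a backslash escape and with proper HTML encoding and reports which elements the untrusted value introduced, which is the check a reviewer of the fix would want to see.

```python
import html
import re

# Constructed sample: a generic markup probe of the shape the PoC reflects.
SAMPLE_INPUT = '"><img src=x>'

# Assumed row template modelled on the error cell in the PoC; {message}
# marks where the application echoes the untrusted parameter as text.
ROW_TEMPLATE = (
    '<tr>\n'
    '  <td width="7%"> <img src="images2/icons/error.gif"></td>\n'
    '  <td width="94%" class="cal_font">{message}</td>\n'
    '</tr>\n'
)

# Start tags only; closing tags (</td>) are not counted as new elements.
TAG_RE = re.compile(r'<\s*([a-zA-Z][a-zA-Z0-9]*)')


def backslash_escape(value: str) -> str:
    """Quote escaping in the style of addslashes() (assumed, for contrast):
    backslashes, double and single quotes are prefixed with a backslash,
    while the HTML metacharacters < > & are left untouched."""
    return (value.replace('\\', '\\\\')
                 .replace('"', '\\"')
                 .replace("'", "\\'"))


def html_encode(value: str) -> str:
    """Context-correct encoding for HTML text and attribute values:
    & < > " ' all become character references."""
    return html.escape(value, quote=True)


def render_row(message: str, encoder) -> str:
    """Render the error row with the untrusted message passed through encoder."""
    return ROW_TEMPLATE.format(message=encoder(message))


def element_names(fragment: str) -> list:
    """Names of the start tags a browser would see in the fragment."""
    return [m.group(1).lower() for m in TAG_RE.finditer(fragment)]


def injected_elements(message: str, encoder) -> list:
    """Start tags present after rendering that the template itself does not
    contain; a non-empty list means the value was interpreted as markup."""
    baseline = element_names(render_row('', encoder))
    extra = element_names(render_row(message, encoder))
    for name in baseline:
        extra.remove(name)
    return extra


if __name__ == '__main__':
    for label, encoder in (('backslash_escape', backslash_escape),
                           ('html_encode', html_encode)):
        print(label, '->', injected_elements(SAMPLE_INPUT, encoder))
```

With `backslash_escape` the check reports an `img` element that the template never contained, matching what the PoC screenshots show; with `html_encode` the list is empty because the value can no longer leave its text context. The same encoder must be applied wherever the `login` and `requestpw` modules echo request parameters, and the encoding has to match the output context (text, attribute, URL, script) rather than being a single quote-escaping pass applied on input.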


Risk:
=====
The security risk of the reflective XSS vulnerabilities is estimated as medium.


Credits:
========
Vulnerability Research Laboratory - Chokri B.A (Me!ster)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or
its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. Any modified copy or reproduction, including partially usages, of
this file requires authorization from Vulnerability-Lab. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use
of other media, are reserved by Vulnerability-Lab or its suppliers.

    Copyright © 2012 | Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

