what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Boxcryptor Cross Site Scripting

Boxcryptor Cross Site Scripting
Posted Feb 14, 2014
Authored by Vicente Aguilera Diaz

Boxcryptor.com suffered from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | aab48458247a4d57f3545b2250a6b9478315321df0e69c78e7b61de5f2d118d3

Boxcryptor Cross Site Scripting

Change Mirror Download
=============================================
INTERNET SECURITY AUDITORS ALERT 2014-001
- Original release date: February 4, 2014
- Last revised: February 4, 2014
- Discovered by: Vicente Aguilera Diaz
- Severity: 4.3/10 (CVSSv2 Base Scored)
- CVE-ID: -
=============================================

I. VULNERABILITY
-------------------------
Reflected XSS vulnerability in Boxcryptor (www.boxcryptor.com).


II. BACKGROUND
-------------------------
Boxcryptor is an easy-to-use encryption software optimized for the
cloud. It allows the secure use of cloud storage services without
sacrificing comfort.

Boxcryptor supports all major cloud storage providers (such as Dropbox,
Google Drive, Microsoft SkyDrive, SugarSync) and supports all the clouds
that use the

WebDAV standard (such as Cubby, Strato HiDrive, and ownCloud).


III. DESCRIPTION
-------------------------
Has been detected a XSS vulnerability in www.boxcryptor.com.

Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web
sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser
side script, to a

different end user. Flaws that allow these attacks to succeed are quite
widespread and occur anywhere a web application uses input from a user
in the output

it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting
user. The end user’s browser has no way to know that the script should
not be trusted,

and will execute the script. Because it thinks the script came from a
trusted source, the malicious script can access any cookies, session
tokens, or other

sensitive information retained by your browser and used with that site.
These scripts can even rewrite the content of the HTML page.


IV. PROOF OF CONCEPT
-------------------------
Next, we show a typical request to save changes in "My Account" option:

POST /app/user/modify/<userID> HTTP/1.1
Host: www.boxcryptor.com
...
firstname=<firstname>&lastname=<lastname>&username=<email>&_newsletter=

where:
- <userID> is a numeric user ID generated by boxcryptor
- <firstname> is the firstname specified by the user
- <lastname> is the lastname specified by the user
- <email> is the email address specified by the user

A malicious user can inject arbitrary HTML/script code in the <email>
parameter.
For example:

POST /app/user/modify/3805739018726483071 HTTP/1.1
Host: www.boxcryptor.com
...
firstname=John&lastname=Smith&username=johnsmith@gmail.com<H1><center>This+is+a+XSS+example</center></H1>&_newsletter=


V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser. This can leverage to steal sensitive information as user
credentials,

personal data, etc.


VI. SYSTEMS AFFECTED
-------------------------
www.boxcryptor.com


VII. SOLUTION
-------------------------
-


VIII. REFERENCES
-------------------------
http://www.isecauditors.com
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


IX. CREDITS
-------------------------
This vulnerability has been discovered
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).


X. REVISION HISTORY
-------------------------
February 4, 2014: Initial release


XI. DISCLOSURE TIMELINE
-------------------------
February 4, 2014: Discovered by Internet Security Auditors
February 6, 2014: Contact with the developer team
February 10, 2014: Confirmed by vendor
February 10, 2014: Vendor deployed a new version
February 13, 2014: Internet Security Auditors release the advisory


XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Internet
Security

Auditors accepts no responsibility for any damage caused by the use or
misuse of this information.


XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and

assessing. Our clients include some of the largest companies in areas
such as finance, telecommunications, insurance, ITC, etc. We are vendor
independent

provider with a deep expertise since 2001. Our efforts in R&D include
vulnerability research, open security project collaboration and
whitepapers,

presentations and security events participation and promotion. For
further information regarding our security services, contact us.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close