Full Disclosure: Re: Facebook URL Redirect Vulnerability

Re: Facebook URL Redirect Vulnerability

From: Nathan Power <np () securitypentest com>
Date: Wed, 2 Mar 2011 10:45:51 -0500

This rule can be subverted because of the content keyword.

Below is an example:
http://apps.facebook.com/truthsaboutu/track.php?a=a&r=http://www.securitypentest.com

Add two content keywords 'track.php?' and 'r='


Nathan Power
www.securitypentest.com



On Mon, Feb 28, 2011 at 3:35 PM, Weir, Jason <jason.weir () nhrs org> wrote:

 Here's a snort rule that will detect this

alert tcp $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22]
$HTTP_PORTS (msg:"Facebook URL Redirect Vulnerability";
flow:established,to_server; content:"GET"; nocase; http_method;
content:"track.php?r="; nocase; http_uri; reference:
lists.grok.org.uk/pipermail/full-disclosure/2011-February/079577.html;
sid:xxxxxxx; rev:1;)

-J

 -----Original Message-----
*From:* full-disclosure-bounces () lists grok org uk [mailto:
full-disclosure-bounces () lists grok org uk] *On Behalf Of *Nathan Power
*Sent:* Monday, February 28, 2011 12:43 PM
*To:* Full Disclosure
*Subject:* [Full-disclosure] Facebook URL Redirect Vulnerability

------------------------------------------------------------------
1. Summary:

Once the victim clicks on a specially crafted Facebook URL they can be
redirected to a malicious website.
------------------------------------------------------------------
2. Description:

Facebook applications use of 'track.php?r=' doesn't sanitize the
redirection input properly.  This allows an attacker to input any URL that a
victim will get redirected too.  It is not required for the victim to be
login to Facebook for this attack to work.

The following is an example of a vulnerable URL:

http://apps.facebook.com/truthsaboutu/track.php?r=http://www.securitypentest.com

The following Google search query can be used to find vulnerable URLs:
site:facebook.com inurl:"track.php?" inurl:"r="
------------------------------------------------------------------
3. Impact:

Potentially allow an attacker to compromise a victim’s Facebook account
and/or computer system.
------------------------------------------------------------------
4. Affected Products:

www.facebook.com
------------------------------------------------------------------
5. Solution:  None
------------------------------------------------------------------
6. Time Table:

2/27/2011 Reported Vulnerability to the Vendor
------------------------------------------------------------------
7. Credits:

Discovered by Nathan Power
www.securitypentest.com
------------------------------------------------------------------

_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Re: Facebook URL Redirect Vulnerability Weir, Jason (Mar 02)
- Re: Facebook URL Redirect Vulnerability Nathan Power (Mar 03)
  - Re: Facebook URL Redirect Vulnerability Weir, Jason (Mar 02)
- <Possible follow-ups>
- Re: Facebook URL Redirect Vulnerability Andrew Farmer (Mar 02)
  - Re: Facebook URL Redirect Vulnerability Chris Evans (Mar 02)
  - Re: Facebook URL Redirect Vulnerability Wesley Kerfoot (Mar 02)
  - Re: Facebook URL Redirect Vulnerability Nathan Power (Mar 03)
    - Re: Facebook URL Redirect Vulnerability Andrew Farmer (Mar 02)
    - Re: Facebook URL Redirect Vulnerability Nathan Power (Mar 03)
    - Re: Facebook URL Redirect Vulnerability Chris Evans (Mar 03)
    - Re: Facebook URL Redirect Vulnerability Javier Bassi (Mar 03)
    - Re: Facebook URL Redirect Vulnerability Valdis . Kletnieks (Mar 03)