Nabukadnezar Posted February 12, 2009

==============================================
Security Advisory: Banks in Taiwan
militan (Lin, Chia-Jun)
militan.c7 [at] gmail.com
Advanced Defense Lab, NCU CSIE TAIWAN
12th February, 2009
==============================================

I. VULNERABILITY
-------------------------
Blind Command (SQL, LDAP) Injection
Information Leakage

Banks below are vulnerable:
Union Bank of Taiwan. www.ubot.com.tw
SinoPac Securities. www.sinotrade.com.tw
Prudential UK in Taiwan. www.pcafunds.com.tw

II. DESCRIPTION
-------------------------
Some banks or fund companies contain vulnerabilities while handling account information; it may cause information leakage. Usually the input is sanitized indeed, but some specific pages do not perform the validation properly. Also, error messages sometimes show the architecture of the web sites.

III. POC
-------------------------
1. Union Bank: may be susceptible to blind injection.
http://adl.csie.ncu.edu.tw/~militan/Ubot1.jpg
http://adl.csie.ncu.edu.tw/~militan/Ubot2.jpg

2. Prudential UK in Taiwan: Get information first (JNDI LDAP), then do the LDAP injection.
http://adl.csie.ncu.edu.tw/~militan/PCAFunds1.jpg
http://adl.csie.ncu.edu.tw/~militan/PCAFunds2.jpg
http://adl.csie.ncu.edu.tw/~militan/PCAFunds3.jpg

3. SinoPac Securities: The page re-generates the password in Javascript. It's not a vulnerability, but an insecure behavior in programming.
http://adl.csie.ncu.edu.tw/~militan/SinoTrade.JPG

IV. SOLUTION & CONCLUSION
-------------------------
Strip all symbols in ANY input variable.
This advisory proves that sites of banks are not secure enough.
Vulnerabilities may be fixed up in a very short time because details were sent to them already.

Read also:
http://www.koreatimes.co.kr/www/news/tech/2009/02/129_39347.html
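The advisory's fix is to strip all symbols from input; the usual alternative for the LDAP case it describes is to escape the user-supplied value per RFC 4515 so filter metacharacters are treated as literal text while legitimate characters survive. The example below is added here and is not the advisory's or any bank's code; the `uid`/`objectClass=person` schema and the function names are assumptions.

```python
# Added example (not from the advisory): RFC 4515 escaping of a value placed
# inside an LDAP search filter, with the unescaped pattern beside it and a
# structural check that detects when input has altered the filter's syntax.

# RFC 4515 section 3: these characters must be replaced by a backslash and
# the two-digit hex code of the byte when they appear inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Parentheses contributed by the filter template itself (hypothetical schema).
_TEMPLATE_PAREN_COUNT = 3


def escape_ldap_filter_value(value: str) -> str:
    """Escape one assertion value for use in an LDAP search filter."""
    # A single pass over the characters: each backslash becomes \5c once and
    # the generated escape sequences are never re-scanned, so no double escaping.
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """The vulnerable pattern: raw concatenation of user input into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter(username: str) -> str:
    """Hardened form: the username is escaped, so it can only match literally."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def filter_is_well_formed(ldap_filter: str, expected_parens: int = _TEMPLATE_PAREN_COUNT) -> bool:
    """Defensive check: the finished filter must contain exactly the parentheses
    the template contributes; any extra ones came from the input and mean the
    input is being interpreted as filter syntax rather than as a value."""
    return (ldap_filter.count("(") == expected_parens
            and ldap_filter.count(")") == expected_parens)


if __name__ == "__main__":
    # Constructed sample: a username that legitimately contains parentheses.
    sample = "smith (temp)"
    print(build_login_filter(sample), filter_is_well_formed(build_login_filter(sample)))
    print(build_login_filter_unsafe(sample), filter_is_well_formed(build_login_filter_unsafe(sample)))
```

Escaping keeps characters such as the apostrophe or plus sign in a real name, which the advisory's strip-all-symbols rule would drop.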