Jump to content
Nabukadnezar

Security Advisory: Banks in Taiwan (by militan)

Recommended Posts

Posted

==============================================

Security Advisory: Banks in Taiwan

militan (Lin, Chia-Jun)

militan.c7 [at] gmail.com

Advanced Defense Lab, NCU CSIE TAIWAN

12th February, 2009

==============================================

I. VULNERABILITY

-------------------------

Blind Command(SQL, LDAP) Injection

Information Leakage

Banks below are vulnerable:

Union bank of Taiwan. www.ubot.com.tw

SinoPac Securities. www.sinotrade.com.tw

prudential uk in Taiwan. www.pcafunds.com.tw

II. DESCRIPTION

-------------------------

Some banks or fund companies contain vulnerabilities while handling account information,

it may cause information leakage.

Usually the input is sanitized indeed, but some specific pages do not perform the validation properly.

Otherwise, sometimes error messages also show the architecture of web sites.

III. POC

-------------------------

1. Union bank: may be susceptible to blind injection.

http://adl.csie.ncu.edu.tw/~militan/Ubot1.jpg

http://adl.csie.ncu.edu.tw/~militan/Ubot2.jpg

2. prudential uk in Taiwan: Get information first(JNDI LDAP), then do the LDAP injection.

http://adl.csie.ncu.edu.tw/~militan/PCAFunds1.jpg

http://adl.csie.ncu.edu.tw/~militan/PCAFunds2.jpg

http://adl.csie.ncu.edu.tw/~militan/PCAFunds3.jpg

3. SinoPac Securities: The page re-generates the password in Javascript. It`s not a vulnerability, but a insecure behavior in programming.

http://adl.csie.ncu.edu.tw/~militan/SinoTrade.JPG

IV. SOLUTION& CONCLUSION

-------------------------

Strip all symbols in ANY input variable.

This advisory prove that sites of banks are not secure enough.

Vulnerabilities may be fixed up in a very short time because details were sent to them already

Citi?i ?i:

http://www.koreatimes.co.kr/www/news/tech/2009/02/129_39347.html

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...