Hello,
I consider this new report to be similar to issue #5 which is currently open.
Best regards,
--
Thibaud Antignac
CEA List
From: security <security-bounces(a)server.sparta.eu> on behalf of Security Researcher <vaishnaviresearcher(a)gmail.com>
Date: Thursday 26 November 2020 at 17:46
To: "security(a)sparta.eu" <security(a)sparta.eu>
Subject: [security] BUG REPORT
Dear Team ,
I am Vaishnavi Pardeshi, working as a security researcher, and I found a bug in your site. The report of the bug is as follows:
a) Vulnerability name: clickjacking (CRITICAL)
b) Vulnerability Description:
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
This vulnerability affects Web Server.
c) Steps to reproduce :
1. Copy the URL of the website and paste it into the clickjacking code.
2. This is sample code. Create a new HTML file and put:
<iframe src="https://www.sparta.eu/" id="frame1" width="100%" height="100%">
3. Open the HTML file with another browser, click on "click here" and see that it is redirected to bing.com.
d) POC :
I have attached Screenshot as well as code of clickjacking :
<html>
<head>
<title>Clickjack test page</title>
</head>
<style>
#myBtn{
z-index: 999;
position: absolute;
top: 100px;
right: 50px;
color: white;
background-color: red;
}
</style>
<body>
<!-- <h1> A Sample Test Page </h1>
<p>Website is vulnerable to clickjacking! </p>
<p>Avoid random clicks </p> -->
<div style="z-index:-9999; position:absolute;top:0; left:0;width: 70%; height:70%">
<iframe src="https://www.sparta.eu/" id="frame1" width="100%"
height="100%" >
</iframe></div>
<div align="right" style="position:absolute; top:1; left:0; z-index:1; width: 70%;height:60%; text-align:left;">
<a href="https://www.bing.com/?toWww=1&redig=D1C96AD6DC434FA59D3D2AC05339EA9B" target="_blank"><button id="myBtn"> click here</button></a>
<div id="myModal" class="modal">
<!-- Modal content -->
</div>
</div>
</body>
</html>
e) Solution:
There are two main ways to prevent clickjacking:
1. Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains
2. Employing defensive code in the UI to ensure that the current frame is the most top level window
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
f) Impact:
By using the clickjacking technique, an attacker hijacks clicks meant for one page and routes them to another page, most likely for another application, domain, or both.
With kind regards,
Vaishnavi Pardeshi
Hello,
I consider this new report to be similar to issue #6 which is currently open.
Best regards,
--
Thibaud Antignac
CEA List
From: security <security-bounces(a)server.sparta.eu> on behalf of Security Researcher <vaishnaviresearcher(a)gmail.com>
Date: Thursday 26 November 2020 at 17:41
To: "security(a)sparta.eu" <security(a)sparta.eu>
Subject: [security] BUG REPORT
Dear Team,
I am Vaishnavi Pardeshi, working as a security researcher, and I found a bug in your website. The report of the bug is as follows.
a) VULNERABILITY TYPE: SPF RECORD NOT FOUND
b) HOW TO REPRODUCE (POC: ATTACHED IMAGE):
1. GO TO https://www.kitterman.com/spf/validate.html
2. Put "sparta.eu" and CLICK GET SPF RECORD
3. YOU WILL SEE THE FAULT (NO SPF RECORD FOUND)
4. The new page that loads shows NO SPF RECORD FOUND
c) Impact:
Not having an SPF (Sender Policy Framework) record for a domain may help an attacker send spoofed email that looks like it originated from the real domain. Not only that, but this will also result in emails landing in the SPAM box when SPF is missing.
d) Solution:
Enable SPF RECORD
Kind regards,
Vaishnavi Pardeshi
Hello,
I consider this new report to be similar to issue #4 which is currently open.
Best regards,
--
Thibaud Antignac
CEA List
From: security <security-bounces(a)server.sparta.eu> on behalf of Security Researcher <vaishnaviresearcher(a)gmail.com>
Date: Thursday 26 November 2020 at 17:40
To: "security(a)sparta.eu" <security(a)sparta.eu>
Subject: [security] BUG REPORT
Dear Team,
I am Vaishnavi Pardeshi, working as a security researcher, and I found a bug in your website. The report of the bug is as follows.
a) VULNERABILITY TYPE: DMARC RECORD MISSING.
b) HOW TO REPRODUCE (POC: ATTACHED IMAGE):
1. GO TO https://mxtoolbox.com
2. Put "sparta.eu" and CLICK GO.
3. YOU WILL SEE THE FAULT (No DMARC Record found)
4. The new page that loads shows No DMARC record found
c) Impact
Spammers can forge the "From" address on email messages to make messages appear to come from someone in your domain. If spammers use your domain to send spam or junk email, your domain quality is negatively affected. People who get the forged emails can mark them as spam or junk, which can impact authentic messages sent from your domain.
d) Solution:
Enable DMARC record
Kind regards,
Vaishnavi Pardeshi
Hello Patrick,
This email is about security issue #5 reported yesterday on security(a)sparta.eu. It does not seem to be a critical security issue, but it would be better to have X-Frame-Options headers activated at the web server level for the sparta.eu domain and subdomains (with other security measures such as the CSP frame-ancestors directive, for instance). Could you please have a look at this?
Best regards,
--
Thibaud Antignac
CEA List
From: security <security-bounces(a)server.sparta.eu> on behalf of Sakshi Patil <sakshipatil017(a)gmail.com>
Date: Sunday 22 November 2020 at 15:47
To: "security(a)sparta.eu" <security(a)sparta.eu>
Subject: [security] (Bug Report)Click jacking.
Vulnerability Name: Click jacking
Target URL: https://www.sparta.eu/
Vulnerability Description:
Click jacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a click jacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid click jacking attacks, by ensuring that their content is not embedded into other sites.
Typically there is one type of attack - cross site request forgeries (CSRF) that can interact with functions on other websites.
1) This vulnerability affects Web Server.
<html>
<head>
<title>Clickjack test page</title>
</head>
<style>
#myBtn{
z-index: 999;
position: absolute;
top: 100px;
right: 50px;
color: white;
background-color: red;
}
</style>
<body>
<!-- <h1> A Sample Test Page </h1>
<p>Website is vulnerable to click jacking! </p>
<p>Avoid random clicks </p> -->
<div style="z-index:-9999; position:absolute;top:0; left:0;width: 70%; height:70%">
<iframe src="https://www.sparta.eu/" id="frame1" width="100%" height="100%">
</iframe></div>
<div align="right" style="position:absolute; top:1; left:0; z-index:1; width: 70%;height:60%; text-align:left;">
<a href="https://www.sparta.eu/" target="_blank"><button id="myBtn"> click here</button></a>
<!-- <a href="https://www.sparta.eu/"><button id="myBtn">Open Modal</button></a> -->
<div id="myModal" class="modal">
<!-- Modal content -->
</div>
</div>
</body>
</html>
2. Save it as <any name>.html, e.g. s.html
3. Simply open that and click on the button (direct login); it redirects to https://www.sparta.eu/
As far as I know this data is enough to prove that your site is vulnerable to Click jacking.
Impact:
An attacker may trick a user by sending them a malicious link; the user opens it and clicks some image, and their account is deactivated without them realising it.
Attachment:
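The two clickjacking reports above and the reply recommending X-Frame-Options plus the CSP frame-ancestors directive describe the server-side fix. Below is an added example, not code from the thread or from the SPARTA infrastructure, that evaluates a response's headers the way a current browser does (frame-ancestors takes precedence over X-Frame-Options; ALLOW-FROM is no longer honoured) and reports whether framing is restricted. The header sets are constructed samples, not responses captured from sparta.eu.

```python
"""Classify the framing protection offered by a set of HTTP response headers.

Assumptions (mirroring the advice in the thread):
- a CSP frame-ancestors directive, when present, is what current browsers
  enforce and takes precedence over X-Frame-Options;
- X-Frame-Options DENY or SAMEORIGIN is acceptable; ALLOW-FROM is ignored
  by current browsers and therefore counts as no protection.
"""


def framing_policy(headers):
    """Return (kind, detail) where kind is 'csp', 'xfo', 'allow-from' or 'none'."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if "*" in sources:  # wildcard: any origin may frame the page
                return "none", "frame-ancestors allows any origin"
            return "csp", "frame-ancestors " + " ".join(tokens[1:])
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo", "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return "allow-from", "ALLOW-FROM is ignored by current browsers"
    return "none", "no framing restriction"


def is_framing_restricted(headers):
    """True when a current browser would refuse to frame the page cross-origin."""
    return framing_policy(headers)[0] in ("csp", "xfo")


# Constructed sample responses (not captured from sparta.eu).
SAMPLES = {
    "missing": {"Server": "nginx", "Content-Type": "text/html"},
    "xfo_only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"},
    "wildcard": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_policy(hdrs))
```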
Hello Patrick,
This email is about security issue #6 reported yesterday on security(a)sparta.eu. It does not seem to be a critical security issue, but it would be better to have SPF records for the sparta.eu domain and subdomains (DKIM and DMARC are dealt with in security issue #4). Could you please have a look at this?
At the moment, we have only
server.sparta.eu IN TXT "v=spf1 mx -all"
in the DNS zone.
Best regards,
--
Thibaud Antignac
CEA List
From: security <security-bounces(a)server.sparta.eu> on behalf of Sakshi Patil <sakshipatil017(a)gmail.com>
Date: Sunday 22 November 2020 at 15:52
To: "security(a)sparta.eu" <security(a)sparta.eu>
Subject: [security] (Bug Report)No valid SPF record.
Vulnerability Name: No valid SPF record.
DESCRIPTION:
An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.
Vulnerable Domain: sparta.eu
Steps To Reproduce:
1) Checking Missing SPF:
There are various ways of checking missing SPF records on a website, but the most common and popular way is kitterman.com
Steps to check SPF records on a website:
Go to http://www.kitterman.com/spf/validate.html
Enter the target website, e.g. sparta.eu (do not add https/http or www), and hit Check SPF (IF ANY)
If you see any SPF record then the domain is not vulnerable, but if you see no SPF record here, it is vulnerable.
2) Attack Scenario & PoC:
Once there is no SPF record, an attacker can spoof email via any fake mailer like Emkei.cz. An attacker can send email from the name "Security" and email "security(a)target.com" with a social engineering attack; he can take over the user's account. Even if the victim knows about phishing attacks, when he sees the email coming from the authorized domain he gets tricked easily.
Exploit:
For testing I am forging support(a)sparta.eu
How to reproduce this:
1. Go to https://emkei.cz/
2. Fill in all the details, like:
Name - support sparta
Email - support(a)sparta.eu
To - my email address
etc.
Send the email.
3. It will directly send a mail from support(a)sparta.eu to my email.
Impact:
An attacker can use the official mail address for a phishing attack. As it is from the official mail address, the user will definitely trust it and will be tricked into the phishing trap.
Attachment:
Hello Patrick,
This email is about security issue #4 reported yesterday on security(a)sparta.eu. It does not seem to be a critical security issue, but it would be better to have DKIM and DMARC records for the sparta.eu domain and subdomains (SPF is dealt with in security issue #6 to follow). Could you please have a look at this?
Best regards,
--
Thibaud Antignac
CEA List
From: security <security-bounces(a)server.sparta.eu> on behalf of Sakshi Patil <sakshipatil017(a)gmail.com>
Date: Sunday 22 November 2020 at 15:43
To: "security(a)sparta.eu" <security(a)sparta.eu>
Subject: [security] (Bug Report)DMARC RECORD MISSING.
Vulnerability Name: DMARC RECORD MISSING
Vulnerable URL: https://www.sparta.eu/
HOW TO REPRODUCE (POC ATTACHED):
1. GO TO https://mxtoolbox.com/
2. ENTER THE WEBSITE (sparta.eu) and CLICK GO.
3. YOU WILL SEE THE FAULT (No DMARC Record found).
4. In the new page that loads, change MXLookup to DMARCLookup.
Extra information
Impact:
Spammers can forge the "From" address on email messages to make messages appear to come from someone in your domain.
If spammers use your domain to send spam or junk email, your domain quality is negatively affected.
People who get the forged emails can mark them as spam or junk, which can impact authentic messages sent from your domain.
Attachment:
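The SPF and DMARC reports above, and the server.sparta.eu IN TXT "v=spf1 mx -all" record quoted in the reply, all come down to what the DNS TXT records say. The added example below, not code from the thread and doing no DNS lookups, parses SPF and DMARC record strings and classifies how strict each policy is, so a missing record, a "+all" SPF record or a "p=none" DMARC policy are each reported distinctly. The record strings used in testing are constructed samples.

```python
"""Offline SPF/DMARC record assessment on TXT record strings (no DNS lookups)."""


def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, term) pairs; None if it is not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term:               # modifier such as redirect= or exp=, carries no qualifier
            parsed.append(("", term))
        elif term[0] in "+-~?":       # explicit qualifier in front of the mechanism
            parsed.append((term[0], term[1:]))
        else:                         # default qualifier is "+" (pass)
            parsed.append(("+", term))
    return parsed


def assess_spf(txt):
    """'missing', 'permissive' (+all), 'neutral' (?all or no all), 'softfail' (~all),
    'redirect' (decision delegated to another domain) or 'ok' (-all)."""
    parsed = parse_spf(txt) if txt else None
    if parsed is None:
        return "missing"
    for qualifier, term in parsed:
        if term.lower() == "all":
            return {"+": "permissive", "?": "neutral", "~": "softfail", "-": "ok"}[qualifier]
    if any(t.lower().startswith("redirect=") for _, t in parsed):
        return "redirect"
    return "neutral"                  # RFC 7208: no matching mechanism gives a neutral result


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict keyed by lower-case tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """'missing', 'monitor-only' (p=none), 'partial' (pct below 100), 'invalid' or 'ok'."""
    tags = parse_dmarc(txt) if txt else {}
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"         # reports only; spoofed mail is still delivered
    if policy in ("quarantine", "reject"):
        return "ok" if tags.get("pct", "100") == "100" else "partial"
    return "invalid"
```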
Dear SPARTA partners,
Thank you to Matthias for having pointed out these three security issues:
#1 – reported on 2019 02 18, disclosed on 2019 03 12 – HTTP page with form for MLs
#2 – reported on 2019 02 18, disclosed on 2019 03 12 – Certificate for https://server.sparta.eu
#3 – reported on 2019 03 12, disclosed on 2019 03 12 – Public access to MLs archives
#3, the most critical one, has been fixed almost immediately. #1 and #2 have been addressed and tests are being made to ensure they can also be considered as fixed.
The Project Security Officer of SPARTA (Florent Kirchner, CEA) scheduled a Security Advisory Board meeting to discuss this incident and improve the procedures and technical measures. Meetings with TNK (in charge of the IT infrastructure) and UBON (which reported the issues) are also being scheduled to get more information about the circumstances. A more complete description of the incident will be sent once the whole situation is better understood.
The Security Advisory Board, composed of the Project Security Officer, the Program leaders, the Ethics Committee chair, and the Dissemination Committee chair can be contacted at bodies.security-advisory-board(a)internal.sparta.eu (and security(a)sparta.eu for external parties).
Do not hesitate to contact the Security Advisory Board or the coordination at bodies.coordination(a)internal.sparta.eu for matters and questions related to this incident. Please be sure we are fully committed to its complete resolution.
Best regards,
--
Thibaud Antignac
CEA List