Document Title:
===============
BarackObama Online Service - Persistent Web Vulnerability

References (Source):
====================

Release Date:
=============
2011-09-11

Vulnerability Laboratory ID (VL-ID):
====================================
270

Common Vulnerability Scoring System:
====================================
5.7

Abstract Advisory Information:
==============================
The Vulnerability-Lab Team discovered a persistent web vulnerability in BarackObama's official website service.

Vulnerability Disclosure Timeline:
==================================
2011-08-30: Vendor Notification
2011-09-19: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2011-09-12: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent, high(-) priority input validation vulnerability was detected in BarackObama's official website service.
An attacker can craft malicious requests which pass through the backend unparsed and are then displayed in outgoing mail.
Attackers can hijack (steal) backend sessions of the portal's users/admins and can send malicious mails from the original postbox.

Vulnerable Module(s):
[+] Signup Volunteer 2012 - BackEnd; Username; Mail & Video

Affected by Bug(s):
[+] Mail/Website output & multiple other website modules with the same user value output

Pictures:
../1.png

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers. For demonstration or reproduction ...

Reproduce manually ...
Register on the volunteer form on the website with the username & mail set to [Script Code] tags.
When the malicious content passes through the backend, the script code is executed from the website content or mail.
PoC Review: *.eml

Delivered-To:
Received: by with SMTP id l19cs9469yaj; Sat, 3 Sep 2011 11:23:12 -0700 (PDT)
Received: by with SMTP id w14mr1772614qcd.204.1315074191466; Sat, 03 Sep 2011 11:23:11 -0700 (PDT)
Return-Path:
Received: from ( []) by with ESMTP id n5si747729qcv.4.2011.; Sat, 03 Sep 2011 11:23:11 -0700 (PDT)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
Authentication-Results:; spf=pass ( domain of designates as permitted sender); dkim=pass
Received: by (Postfix, from userid 506) id 41A7CBE2C352; Sat, 3 Sep 2011 14:23:11 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ofakey; t=1315074191;
 bh=QHKCl0j8Cp0Mc3aZfKmyPjI9KjZ2eY5HJc9RIhBgTxM=;
 h=Date:To:From:Reply-to:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type;
 b=c5oaAHYcTLcRj3uDwXviO+GYmWfF6tqYGPy4qHbz7aWZTsMd6hCUrbeK/tmkOJeww
 smvMW58wICsrzvLmziVdTETeSgFkxufSe5xCNH7EwuXC4C1zgpAHxs292kmZb8IDC4
 UVDVKe5QN1g94HWU82RH8SgB2fsmagCrdxCbgCP8=
Received: from maillist-o by with local (PHPMailer); Sat, 3 Sep 2011 14:23:11 -0400
Date: Sat, 3 Sep 2011 14:23:11 -0400
To: Rem0ve rmhaggi
From: "Jeremy Bird,"
Reply-to:
Subject: Can you organize in >"
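As an added example (not part of the advisory, nor the site's own code), the defect class described in the Technical Details and PoC sections and its fix, in Python: the vulnerable renderer drops the signup username and mail address into the outgoing HTML mail unparsed, while the hardened path validates both fields at the trust boundary and escapes them on output, and builds the mail with headers that cannot absorb injected line breaks. Function names, the allow-list regexes and the sample values are assumptions.

```python
import html
import re
from email.message import EmailMessage
from email.utils import formataddr

# Allow-list for the volunteer signup username (assumed policy): letters, digits,
# space, dot, apostrophe and hyphen only, so markup characters never reach the mail.
USERNAME_RE = re.compile(r"^[A-Za-z0-9 .'\-]{1,64}$")
# Deliberately simple address check: one local part, one domain, no whitespace,
# quotes or angle brackets (the characters header and HTML injection rely on).
EMAIL_RE = re.compile(r'^[^\s<>@"]+@[^\s<>@"]+\.[A-Za-z]{2,}$')


def render_vulnerable(username: str, mail: str) -> str:
    """Mirrors the flaw in the advisory: form values are dropped into the
    outgoing HTML mail unparsed, so a username holding script tags runs
    in whatever mail client or web page renders this string."""
    return f"<p>Thanks {username} ({mail}) for signing up to volunteer.</p>"


def signup_is_valid(username: str, mail: str) -> bool:
    """Validate at the trust boundary instead of trying to 'clean' bad input."""
    return bool(USERNAME_RE.fullmatch(username)) and bool(EMAIL_RE.fullmatch(mail))


def render_hardened(username: str, mail: str) -> str:
    """Escape on output as well, so the mail stays safe even if the allow-list
    is relaxed later: < > & " ' become entities and cannot open a tag."""
    return (f"<p>Thanks {html.escape(username, quote=True)} "
            f"({html.escape(mail, quote=True)}) for signing up to volunteer.</p>")


def build_confirmation(username: str, mail: str) -> EmailMessage:
    """Build the confirmation mail. Validation rejects line breaks in either
    field, and EmailMessage's default policy refuses header values that contain
    them anyway, so the same untrusted input cannot inject extra headers."""
    if not signup_is_valid(username, mail):
        raise ValueError("rejected signup value")
    msg = EmailMessage()
    msg["To"] = formataddr((username, mail))
    msg["Subject"] = f"Can you organize, {username}?"
    msg.set_content("Thanks for signing up to volunteer.")
    msg.add_alternative(render_hardened(username, mail), subtype="html")
    return msg
```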