* iAuto Mobile Application 2012
A persistent input validation vulnerability is detected in the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerability
is located in comments module with the bound vulnerable commentSid parameter. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user inter action & privileged user account.
Multiple non persistent cross site scripting vulnerabilities are detected in the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry.
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user inter action or local low privileged user account. The bugs are located in the Dealer > Search Sellers or Browse by Make and Model with the bound vulnerable parameters city & path/url. Successful exploitation can result in account steal, client side phishing & client-side content request manipulation. Exploitation requires medium or high user inter action & without privileged web application user account.
[+] Dealer > Search Sellers > City
[+] Browse by Make and Model > /../ >
[+] Folder Access Listing
The persistent vulnerabilities can be exploited by remote attackers with low privileged user account and with low required user inter action.
For demonstration or reproduce ...
Review: Add Comments - Listing
<h1>Reply to The Comment</h1>
<div class="commentInfo">You are replying to the comment
#"><iframe src="iAuto%20%20%20Listing%20Comments%20Reply%20to%20The%20Comment-Dateien/[PERSISTENT INJECTED CODE!])' <="" to=""
listing="" #448="" "<span="" class="fieldValue fieldValueYear" height="900" width="1000">2007</span>
<span class="fieldValue fieldValueMake">Acura</span>
The client side cross site scripting vulnerabilities can be exploited by remote attackers with medium or highr equired user inter action.
Fo demonstration or reproduce ...