GESEC Team discovered some remote vulnerabilities on US Marine Corps Website. A remote attacker is able to include malicious routines which can be execute against customers on server-side.  The inputs on PATH are not validated/parsed and an attacker could include malicious code/scripts which can be combined with other functions in the CMS. The result is a code exectuion(server-side) based on  the application.

In the following picture the website of Marines.com is shown.

The next picture shows the user application area with red marked vulnerable “Path” & “MyFavorite” functions.

The “MyFavorites” module with the albums has several security bugs. The Inputs are not validated/parsed and a potential  attacker can include malicious code/scripts which can be combined with the share functions. A potential remote attacker can send his malicious codes to the application customers (server-side) to get passwords, sessions or exploit the customers system on client-side.

We had a lot of fun to discovering and analyzing  this vulnerability. Interesting was  the combined attack through the misconfiguration of the share function.

The following advisory is produced by ~remove and released publicly on governmentsecurity.org by “Glyph” a project-admin & the marines issue report form. The complete advisory with poc is just available for the website vendors of marines.com!

Advisory: United State Marine Corps Website – Multiple Vulnerabilities

Information: Do not crack government or military systems!
www.marines.com/rmi/reportissue

[Writer: ~remove & ~x4lt]