My friend Mike drunk-dials me one evening and leaves a voicemail. He’s out in Boulder for TechStars 2007. Apparently, some friendly harassment over drinks between companies was pushed to the next level. EventVue’s team bet Mike a dinner and some cash that a hack couldn’t be slipped in on their website.
~ Who ya gonna call? ~
I get started Thursday afternoon with a whois/ping of the server, and basically do my homework to make sure all the registration information is what it should be. What can I say - even though I’m being given an account on their server, I still like to feel comfortable before I (possibly) break the law.
Rules of the contest are to find a site modification hack. This has been defined as:
- XSS
- SQL Injection
- Remote Root
I plan on focusing on XSS attacks as they’re easy and have the least potential to cause long-term damage. SQL injection investigation can result in inconsistent database states, and a remote root means a painful security audit for someone who isn’t me.
Their development web server is protected using HTTP authorization - plaintext. I haven’t been given a username and password yet. Therefore, I send Mike a text message and wait to get some permissions.
In the meantime, I refresh my memory on various PHP artifacts. It was mentioned that magic quotes are enabled as a security precaution. A mental echo tells me that the feature is a false-sense-of-security option and that most deployments have it turned off. I read documentation to refresh my memory. For the uninformed, it’s a mechanism where incoming GET and POST data is unconditionally escaped. It’s generally disabled on servers because of the headaches it causes when repeatedly escaped data is passed from page to page. It also offers only limited protection against SQL injection, as it’s often easy to bypass in cases of alternate delimiters.
30 minutes pass.
Mike sends me a username and password via text message. It isn’t the most secure password, but whatever - I don’t plan on running a dictionary attack or anything.
I logged into the development site and it’s a slightly more broken version of their normal front page. And, I apparently still need an invite. Another phone call to Mike…
30 more minutes pass.
I receive further login details and immediately am greeted with an inauspicious beginning. In their login page, the authentication fields are pre-filled with the incorrect credentials I had supplied earlier. I don’t have Javascript enabled yet (NoScript) and I planned on taking a look at the cookies later but… I decided to look then.
There were only session IDs. Their server is storing the username and password in cleartext, keyed to the session ID, and then pushing them back to the client in the HTML. If I find an XSS, I can steal anyone’s username and password by requesting their login page.
Also, my username and password still don’t work.
While I wait for further details from Mike, I suss out the beginnings of a POC. The login page is XSS’able via its authentication fields. I can cull passwords via an XSS against it, then XMLHTTP the password scraped from the DOM back to me.
Though it is destructive on the username, I think that can be worked around.
20 minutes pass.
I’m finally in the site. It was a matter of a “beta.” vs. “dev.” URL. I take a look at “Account Settings” and they’re kicking back the username and password there too in cleartext. So, the login page XSS doesn’t need any trickery to work around.
Their search page uses some odd search-and-replace mechanism on the query quoting. I can’t figure it out too much, but a simple XSS of:
/search?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Works just fine. But, I still want to find an injection hole in order to make something self-replicating.
The profile page is where they spent their lock-down time. Every field has aggressive HTML stripping and magic quotes applied. This makes for some ugly formatting bugs, but I can’t immediately push an XSS through there. The HTML filter is something along the lines of:
regexp_replace("\<^\w*>", "")
I feel that there should be some trick to using magic quotes and their inconsistent use of stripslashes to bypass it all. Specifically, they strip on some output (profile page) and not on others (profile edit page). I’m surprised they don’t just use htmlspecialchars and be done with it.
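Added example (mine, not EventVue’s code) contrasting a tag-stripping filter of the kind described above with output encoding via htmlspecialchars; the function names and the sample profile name are constructed for the demonstration:

```php
<?php
// Added example, not EventVue's code: a tag-stripping filter like the one described
// above versus htmlspecialchars. The sample name below is constructed for the demo.

// Weak approach: remove anything that looks like a complete tag. Input that never
// forms a tag, but closes the surrounding attribute value, passes straight through.
function weakStripTags(string $s): string
{
    return preg_replace('/<[^>]*>/', '', $s);
}

// Emit the name into an attribute context, the way a pre-filled form field would.
function renderNameWeak(string $name): string
{
    return '<input type="text" name="display" value="' . weakStripTags($name) . '">';
}

// Hardened: encode for the HTML context at output time. ENT_QUOTES is essential,
// since the value sits inside a double-quoted attribute.
function renderNameSafe(string $name): string
{
    $enc = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="display" value="' . $enc . '">';
}

// Crude review check over rendered markup: a closing double quote followed by
// whitespace and an on*= attribute name means an event handler became a real
// attribute of the tag. Encoded quotes (&quot;) do not match this boundary.
function hasInjectedEventHandler(string $html): bool
{
    return (bool) preg_match('/"\s+on[a-z]+\s*=/i', $html);
}

// Constructed sample with the shape of the stored XSS in the post: the name closes
// the attribute value and supplies an event handler.
$sample = 'Bob" onload="alert(1)';

$weak = renderNameWeak($sample);
$safe = renderNameSafe($sample);

echo $weak, "\n";
echo $safe, "\n";
var_dump(hasInjectedEventHandler($weak));
var_dump(hasInjectedEventHandler($safe));
```

In the first rendered line the name’s quote ends the value attribute and onload becomes an attribute of the input; in the second, every quote is emitted as &quot; and the whole name stays inside the value, which is why the check is true for the weak output and false for the safe one.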
An hour passes.
I called Mike to let him know I win. While I think my earlier XSS attacks were enough, I finally found an on-site modification. Changing the user’s name to a quote injected with an onload event worked. It triggers for all other users when they visit the Community Page too.
Does this mean I win a free trip to Boulder, and Munchy’z tomorrow? Sweet deal.
This was first posted 2007-07-06 but taken down because EventVue was nascent. It’s back now, for keepsies.