2012
03.21

Finally, here it is the second part…

First, I’ll explain to what I’ve gained access.

On the testing server I gained access to the PMS – Property Management System. On the production server I’ve gained access to the booking system of  “Hotels P” group.

There were a lot of factors that allowed me to gain access to the restricted areas, the most important one was definitely information gathered from viewing the Youtube Video. This was actually the key point in all of this..

Let’s start by talking about the information I gathered from watching the video.

On the YouTube video, I saw several URL’s being displayed, the domain that these URL’s were on, was clearly a testing server of some kind, since it was a numbered sub domain of the company main domain, something like w4.maindomain.pt. And since I used to work there, I knew instantly that this was the testing server.

In the YouTube video, one of the Invoices that is showed, shows clearly the logo of one of their clients. Now I have the knowledge that this client almost certainly has this application installed ( speculation off course, but I have this information ).

After knowing this, I decided to go to that client site, I couldn’t enter because it kept on redirecting to the homepage, I thought it was redirecting based on some kind of whitelisting of the IP address, but actually no, the administration area is now on a subdomain of the main site. ( new information that I found a couple of days ago ), I just need to know the sub domain. Which shouldn’t be that hard to discover.

After that I went to the Google Plus Page of one of the owners of the company, and there was an announcement of one of their latest clients. From there it was just a question of time until I found the vulnerability on the server.

All this information was gathered in about 5 minutes, due to their easy access, of course that most of this information is displayed on their website, but I didn’t need to go to their site to find it, from the moment I saw the logo of that client, I knew they were in trouble, and this was one of their biggest mistakes, if they didn’t had that logo I couldn’t jump to their main client right away, I had to go trough their site first and learn what their main client was..

Let me make this clear, almost all the information that I gathered from the Youtube video is easily found trough their website, the questions is, it would just take longer.

Next, is server configuration, and now the really harsh critiques start to appear.

The first thing that a responsible programmer/network administrator does, is to disable directory listing in the Apache HTTP server, it’s one of the most basic things we web programmers learn, and this is a company that is responsible for managing the entire network of an large hotel group in Portugal.. the thing that keeps some of my mind at ease is that one of the programmers that works there is very competent ( we will get back to him later ) and that two of their IT guys are also very competent, but they can’t get to everything.

Having the directory listing enabled, I was able to access that page that wasn’t secured. All because of this simple configuration.

Next is the actual programming, a little background story first.

I started to work there in August 2005 not knowing much about PHP, I knew a lot about programming, but didn’t know that much about PHP programming, now remember this was 7 years, as the time was passing by I evolved, my programming evolved, I now take things into account, that I didn’t take in 2005, and think in a completely different way.

First ting I noticed when browsing trough the several JavaScript files that I found, was that there were a lot of querys in the middle of the file ( like I mentioned in Part 1 ).

On the first years, I had an idea to make an autocomplete ui control for our backoffice, something reusable that could be used in every script we created. It was approved by upper management, and since it was supposed to be generic, I or someone else had the brilliant idea to put the query’s in the javascript, so when we configured the autocomplete the query that was supposed to be executed would be right there. This is completely wrong. This is one of the worst ideas that I had on my entire life ( if it was mine ). No trying to excuse myself, but this was approved by upper management, that had a lot more experience than me. ( I remember having a discussion about the file that would return the ajax query’s and that file should accept only a query and all the fields that the query would return, this wasn’t my idea, I’m sure of this ).

This is one security breach that is completely intolerable. The programmer I mentioned above has already spoken to upper management in an attempt to culminate some of these security holes, but his input’s weren’t taken very seriously I guess, if they were, this holes should be already covered.

Next database access, I found that they are still using the same class that I used in 2005 ( this class was made around 2002 ), this is the same class they have been using since 2004 ( when they started the company I think ), this is a class that doesn’t use prepared statements, has no escape by default ( mysql_real_escape_string anyone?? ), nothing. When I was starting out in 2005, my scripts had a lot of errors because of this, because when someone would insert ‘ into a text field the insert/update/select the query would fail, because nothing was escaped. I guess this still happens.

They’ve completely stopped in time, they haven’t evolved at all. In some things they have evolved, they are using stored procedures for some things, which mitigates some of this points, but it surely isn’t enough, I’ve could’ve wreak havoc on “Hotels P” group, very easily. Guess what, I still can…

When I built my custom CMS, when the users tried to access a page when they weren’t logged in, I would show an HTML message, like “you have to login” or something like that, the problem is that I would only do this validation after the body tag, and that means that all my javascripts files that are embedded on the page will appear. It isn’t a security hole “per se“, but gives information about the system, and information is everything. I found out a few iterations later, and my CMS is now more secure because of this.

Theirs ins’t, I still can gain access to information I shouldn’t, specially all of those SQL query’s within the several JavaScript files.

And now, the cherry on the top of the cake..

After almost two week’s after I found out all of this, they still haven’t patched the PMS, I still can access the invoices system are you stupid or something???? And all of that personal information is right there for me to access. I bet I can find someone of worth to piss off, by just navigating on those records, maybe some guy from the portuguese government or something like that… so who want’s me to discover the subdomain, and get some embarrassing invoices?

It’s curious, I found an interview done by one of the CEO’s about his PMS ( in a news channel here in Portugal ), the application is great, it opens a lot of doors to the management of this hotel group ( pun intended ), it’s a powerful marketing tool ( and yes it his, no pun ), and one phrase that caught my eye was something like this: “Everyone one, with a browser and an internet connection, is able to access the application”…  he should have phrased it better I guess..

This is one of the reasons why PHP has such a bad name on some circles, it’s because of company’s like “this“, that give such a bad name to PHP, imagine that I was really a bad guy, a really mean one, I could’ve hacked the site, drop the price of rooms and the hotel would be in trouble. The company that makes this websites would be in trouble, if I was a really bad guy, I’ve could’ve access privilege information about the future prices of this hotel, and sell them, get the information of all their registered clients, the world could be mine! And all that was going to expire from this hacking, is that the company was using PHP. Maybe this would be the case, maybe not.. we will never know..

Finalizing, the programmer I mentioned earlier found about this trough my Facebook page, the CEO, that received my email and answered me, didn’t tell anyone about the security holes I found… if I was the CEO of this company, I would make a a big noise out of this. But instead he choose to remain silent. Which is a big mistake, since the developer’s working there won’t learn…

2012
03.09

Nice title right? Here’s the complete story..

Yesterday, I was fooling around in Google Plus and found the page of the first company I worked for, let’s call it “CommQuack“.

And on their wall ( is there even a wall in Google Plus? Doesn’t matter… ), there was a video promoting one of their products, I was curious so I watched the entire video.

Since it’s an web application, they had some popup’s, and those popup’s had the URL perfectly visible, I decided to try some of those URL’s ( don’t know why, I just tried it, call it programmers curiosity )..

I entered the complete URL on my browser, pressed Enter on my keyboard.. and bang! I’m in…

I was shocked! I just entered a restricted admin area, by copying and pasting an URL from an YouTube Video, this isn’t good I taught.. I had just gained access to the entire invoice system of the booking system, I could access any invoice that was present on the website..

Since this was the testing Web server, I thought, how about the production web server?

Went to the website of “CommQuack” main customer, tried the same URL, and I was automatically redirected to the homepage, ok.. not bad, they have some kind of IP address authentication.. and when the IP doesn’t match the whitelist, the user get’s redirected..

I started thinking, in the office they need access to the administration area, to test, debug user problem’s, and I know they have an fixed IP address, because the testing server’s are located on their office, if I can spoof the IP address of the office, maybe I can access the administration area, or maybe they have a VPN in place to access the local network of the hotel group, but the VPN would be cumbersome because every time they need to access the administration area they would have to connect to it.. it’s not practical, and trust me, they have to access a lot of times a day.. and that means that every hotel in the group had to connect trough a VPN to access the administration area, not practical indeed..

Doesn’t make a lot of sense the use of the VPN.. but since they are the managers of the IT infrastructure maybe there is a small possibility that they are using the VPN.. but at this point I’m almost sure that spoofing the IP address of the testing server would be the best bet to gain access to the administrator area..

Since it was getting late, and I had to work today, I decided not to try spoofing my IP address, it’s for another day…

I kept going on Google Plus, and found the page of the CEO of  “CommQuack“, and there it was, a post mentioning one of their latest clients the “hotel Portuguese group”, let’s call it “Hotels P“, I taught, well let’s try it on this site.

Entered the URL on my browser, pressed Enter and 404 – Page not Found… ok, they haven’t installed this product on this client, let’s try another link, and then it said I wasn’t logged in, so I couldn’t access that page. But a view page source, showed some interesting things.

When I don’t have access to an area in the backoffice, I still can see all the javascript files that are being used on that page, they call the exit() function, but they only call it after the body tag, and since the javascript is all included in the head tag, I could see every javascript file that was included, and what do javascript files have a lot this days? Ajax call’s.. more of this later on.

Continued with my investigation, and then I noticed, this page isn’t called index.php, so let’s try the folder… and bang! All the files of that folder were listed by Apache.. and I thought: “Well, look at that, I’m in again…”, navigated trough some folders, tried to access some pages, and jackpot!

Once again, I’m on one page that enables me to configure some things on the hotel rooms of every hotel of “Hotels P“, how about that? From this point onward I could make some devastating changes to the system, change the configuration of the room’s adding or removing  stuff from them.. I could cause some damage from this page, not a lot, but sufficient to cause panic ( I think )..

Continued with my investigation of the file system, and noticed a pattern, every file that was an ajax response was in a separate file, clearly identified by name and inside a single folder on every area, let’s call it “ajaxrequests” folder, checked the access to one of this files and it only returned “0”, the access is good I taught, let’s check the javascript files.. look and behold, every ajax request is right there for me to see and analyse, every parameter that is used, ready to be tested, and experimented with.

With a little time and patience, I could me making insert’s, updates and deletes on the database with no problem whatsoever.. I basically just had to figure out what has right ID’s to pass to the ajax call’s, and from the javascript files I could find them pretty easily..

On top of that, some javascript files had SQL wrote on them, something like this: “SELECT * FROM table_name“, so from that point on, I know that there is a table named “table_name” on the database and in this case, it was the room’s table, or at least it looked a lot like the main rooms table.

Even more, I noticed that they still use the same database class, since 2005 ( I think, it was when I started working there ), this database class, is the normal database php class that was made in 2002, and one thing that was missing from that specific class, was escaping the various parameters passed to the query ( and no it doesn’t use parametrized query’s ), it was very easy to forget escaping the parameters ( it happened to me a lot of times ).  Any outsider couldn’t know this, but it’s reasonable to think that, when we can access all this thing’s the query’s aren’t going to be escaped properly…

And then I ended my investigation. Started my email client, and start writing an email to “CommQuack“, notifying them of my findings, so they can protect themselves, I didn’t wreck anything, didn’t push any button on page that I accessed, nothing, I just explored the several files and reported the things I found..

What is the main problem in this, it’s the information that I gathered from the system, structure of every application installed on the client, javascript libraries used ( prototype only ), classes used ( they use Smarty templating engine for example ), the name of some tables on the database, and access to a lot of personal information.

In part 2, will come tomorrow if I have the time, I will explain how to remove all of this security holes to prevent further unrestricted access to the administration area, and how not to give all this information so easily..