2012
03.09

Nice title, right? Here’s the complete story.

Yesterday, I was fooling around on Google Plus and found the page of the first company I worked for; let’s call it “CommQuack”.

And on their wall (is there even a wall on Google Plus? Doesn’t matter...), there was a video promoting one of their products. I was curious, so I watched the entire video.

Since it’s a web application, there were some popups, and those popups had the URL perfectly visible. I decided to try some of those URLs (don’t know why, I just tried it; call it programmer’s curiosity).

I entered the complete URL in my browser, pressed Enter on my keyboard... and bang! I’m in.

I was shocked! I had just entered a restricted admin area by copying and pasting a URL from a YouTube video. This isn’t good, I thought. I had just gained access to the entire invoice system of the booking system; I could access any invoice present on the website.

Since this was the testing web server, I thought: how about the production web server?

I went to the website of “CommQuack”’s main customer, tried the same URL, and was automatically redirected to the homepage. OK, not bad: they have some kind of IP address authentication, and when the IP doesn’t match the whitelist, the user gets redirected.

I started thinking. In the office they need access to the administration area to test and to debug users’ problems, and I know they have a fixed IP address, because the testing servers are located in their office. If I can spoof the IP address of the office, maybe I can access the administration area. Or maybe they have a VPN in place to access the local network of the hotel group, but a VPN would be cumbersome, because every time they needed to access the administration area they would have to connect to it. It’s not practical, and trust me, they have to access it a lot of times a day, and that would mean that every hotel in the group had to connect through a VPN to access the administration area. Not practical indeed.

Using a VPN doesn’t make a lot of sense, but since they manage the IT infrastructure there is a small possibility that they are using one. At this point, though, I’m almost sure that spoofing the IP address of the testing server would be the best bet to gain access to the administration area.

Since it was getting late and I had to work today, I decided not to try spoofing my IP address. That’s for another day...

I kept going on Google Plus and found the page of the CEO of “CommQuack”, and there it was: a post mentioning one of their latest clients, a Portuguese hotel group; let’s call it “Hotels P”. I thought, well, let’s try it on this site.

I entered the URL in my browser, pressed Enter, and got 404 – Page Not Found. OK, they haven’t installed this product for this client. Let’s try another link... and that one said I wasn’t logged in, so I couldn’t access the page. But View Page Source showed some interesting things.

When I don’t have access to an area of the backoffice, I can still see all the JavaScript files used on that page: they call the exit() function, but only after the body tag, and since the JavaScript is all included in the head tag, I could see every JavaScript file that was included. And what do JavaScript files have a lot of these days? Ajax calls. More on this later.
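As an added example (not CommQuack’s code), here is the ordering problem just described in PHP, next to the fix. The file paths, the session key and the helper function are assumptions:

```php
<?php
// Added example, not CommQuack's code: why an exit() placed after <body>
// still leaks the whole script list. Paths and the session key are assumptions.

session_start();

function is_logged_in(): bool
{
    return !empty($_SESSION['admin_id']);
}

// As described in the post: the <head>, with every <script src>, is emitted
// before the login check, so an anonymous "view source" shows the Ajax code.
function rooms_page_as_described(): void
{
    echo "<html><head>\n";
    echo "<script src=\"/js/prototype.js\"></script>\n";
    echo "<script src=\"/backoffice/rooms/js/rooms.js\"></script>\n"; // names every Ajax endpoint
    echo "</head>\n<body>\n";
    if (!is_logged_in()) {
        echo "You are not logged in.\n";
        exit; // too late: the <head> is already on the wire
    }
    echo "...room configuration form...\n</body></html>\n";
}

// Hardened: decide before a single byte of markup exists, and answer the
// anonymous caller with a bare redirect that contains nothing to read.
function rooms_page_hardened(): void
{
    if (!is_logged_in()) {
        header('Location: /backoffice/login.php', true, 302);
        exit;
    }
    echo "<html><head>\n";
    echo "<script src=\"/js/prototype.js\"></script>\n";
    echo "<script src=\"/backoffice/rooms/js/rooms.js\"></script>\n";
    echo "</head>\n<body>\n...room configuration form...\n</body></html>\n";
}

rooms_page_hardened();
```

The quick check is `curl -i` against the page without a session cookie: the hardened version answers 302 with an empty body, while the version described above answers 200 with the full script list, which is exactly what View Page Source showed.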

I continued with my investigation, and then I noticed: this page isn’t called index.php, so let’s try the folder... and bang! All the files in that folder were listed by Apache. I thought, “Well, look at that, I’m in again...”, navigated through some folders, tried to access some pages, and jackpot!
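The listing comes from Apache’s mod_autoindex, which is on by default wherever `Options Indexes` is in effect and no index file exists. As an added example (not CommQuack’s configuration; the document root path is an assumption), the setting that produces the listing next to the one that stops it:

```apache
# Added example, not CommQuack's configuration. Paths are assumptions.

# As found: a directory without index.php gets an automatic file listing.
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>

# Hardened: never list directory contents anywhere under the document root.
# A request for a folder with no index file now gets 403 Forbidden instead
# of a file list. Keep this in the server config rather than in .htaccess,
# so it cannot be overridden per directory.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
```

To verify, request a folder that has no index file, for instance the “ajaxrequests” folder mentioned below, with `curl -sI`: a 403 means indexes are off; a 200 with `text/html` means the listing is still being served.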

Once again, I’m on a page that lets me configure some things about the hotel rooms of every hotel of “Hotels P”. How about that? From this point onward I could make some devastating changes to the system, changing the configuration of the rooms, adding or removing stuff from them. I could cause some damage from this page, not a lot, but sufficient to cause panic (I think).

I continued my investigation of the file system and noticed a pattern: every Ajax response was in a separate file, clearly identified by name and inside a single folder in every area; let’s call it the “ajaxrequests” folder. I checked access to one of these files and it only returned “0”. Access is good, I thought; let’s check the JavaScript files. Lo and behold, every Ajax request is right there for me to see and analyse, every parameter that is used, ready to be tested and experimented with.

With a little time and patience, I could be making inserts, updates and deletes on the database with no problem whatsoever. I basically just had to figure out the right IDs to pass to the Ajax calls, and from the JavaScript files I could find them pretty easily.

On top of that, some JavaScript files had SQL written in them, something like “SELECT * FROM table_name”, so from that point on I know that there is a table named “table_name” in the database. In this case it was the rooms table, or at least it looked a lot like the main rooms table.

Even more, I noticed that they still use the same database class as in 2005 (I think; it was when I started working there). This database class is the usual PHP database class that was made in 2002, and one thing missing from that specific class was escaping the various parameters passed to the query (and no, it doesn’t use parameterized queries). It was very easy to forget to escape the parameters (it happened to me a lot of times). An outsider couldn’t know this, but it’s reasonable to think that, when we can access all these things, the queries aren’t going to be escaped properly either.
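An added example (not CommQuack’s code) that covers both the unauthenticated files in the “ajaxrequests” folder and the unescaped query parameters just described: one room-update handler in the shape the post describes, then the same handler hardened. The table and column names (`rooms`, `hotel_admins`), the session keys, the CSRF token and the connection details are assumptions.

```php
<?php
// Added example, not CommQuack's code. Table names, session keys and the
// connection details are assumptions.

// As described: any caller, no session check, IDs concatenated into the SQL.
// Reading rooms.js is enough to learn that POST room_id=..&beds=.. lands here,
// and the "0"/"1" answer is all an anonymous caller sees.
function update_room_as_described(mysqli $db, array $post): string
{
    $sql = 'UPDATE rooms SET beds = ' . $post['beds'] . ' WHERE id = ' . $post['room_id'];
    // room_id = "1 OR 1=1" rewrites every room of every hotel in one request
    return $db->query($sql) ? '1' : '0';
}

// Hardened: authenticate, require POST plus a CSRF token, validate the shape,
// and let the database decide ownership with the IDs bound as data.
function update_room_hardened(PDO $db, array $session, array $post, string $method): array
{
    // 1. Authentication: the session, not the caller's IP address, says who this is.
    if (empty($session['admin_id'])) {
        return array(401, 'not logged in');
    }
    // 2. State-changing calls are POST only and carry a per-session CSRF token.
    if ($method !== 'POST' || !isset($session['csrf'], $post['csrf'])
        || !hash_equals((string) $session['csrf'], (string) $post['csrf'])) {
        return array(403, 'bad request');
    }
    // 3. Validate before touching the database: integers only, beds in a sane range.
    $roomId = filter_var(isset($post['room_id']) ? $post['room_id'] : null, FILTER_VALIDATE_INT);
    $beds   = filter_var(isset($post['beds']) ? $post['beds'] : null, FILTER_VALIDATE_INT,
                         array('options' => array('min_range' => 0, 'max_range' => 10)));
    if ($roomId === false || $beds === false) {
        return array(400, 'invalid parameters');
    }
    // 4. Authorization in the query itself: the room must belong to a hotel this
    //    admin manages. Placeholders keep every value out of the SQL text.
    $stmt = $db->prepare(
        'UPDATE rooms r JOIN hotel_admins ha ON ha.hotel_id = r.hotel_id
         SET r.beds = :beds
         WHERE r.id = :room AND ha.admin_id = :admin'
    );
    $stmt->execute(array(':beds' => $beds, ':room' => $roomId, ':admin' => $session['admin_id']));
    if ($stmt->rowCount() === 0) {
        return array(404, 'no such room for this admin'); // same answer for missing and foreign rooms
    }
    return array(200, 'ok');
}

// Entry point of the file inside the "ajaxrequests" folder.
session_start();
$db = new PDO('mysql:host=localhost;dbname=hotels;charset=utf8', 'app', 'secret',
              array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                    PDO::ATTR_EMULATE_PREPARES => false));
list($status, $body) = update_room_hardened($db, $_SESSION, $_POST, $_SERVER['REQUEST_METHOD']);
http_response_code($status);
header('Content-Type: application/json');
echo json_encode(array('status' => $body));
```

With this shape, the JavaScript can still reveal every endpoint and parameter name (that part is unavoidable once the script files are served), but knowing them no longer helps: without a session the answer is 401, without the token 403, and a room ID from another hotel updates nothing. The `ATTR_EMULATE_PREPARES => false` option makes PDO use real server-side prepared statements rather than client-side escaping.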

And then I ended my investigation. I started my email client and began writing an email to “CommQuack”, notifying them of my findings so they can protect themselves. I didn’t wreck anything, didn’t push any button on any page I accessed, nothing; I just explored the several files and reported what I found.

What is the main problem in this? It’s the information I gathered from the system: the structure of every application installed at the client, the JavaScript libraries used (Prototype only), the classes used (they use the Smarty templating engine, for example), the names of some tables in the database, and access to a lot of personal information.

Part 2 will come tomorrow if I have the time. In it I will explain how to remove all of these security holes to prevent further unrestricted access to the administration area, and how not to give away all this information so easily.
