2012.03.21

Finally, here it is: the second part…

First, I’ll explain what I’ve gained access to.

On the testing server I gained access to the PMS – Property Management System. On the production server I gained access to the booking system of the “Hotels P” group.

There were a lot of factors that allowed me to gain access to the restricted areas; the most important one was definitely the information gathered from viewing the YouTube video. This was actually the key point in all of this.

Let’s start by talking about the information I gathered from watching the video.

In the YouTube video, I saw several URLs being displayed. The domain these URLs were on was clearly a testing server of some kind, since it was a numbered subdomain of the company’s main domain, something like w4.maindomain.pt. And since I used to work there, I knew instantly that this was the testing server.

In the YouTube video, one of the invoices that is shown clearly displays the logo of one of their clients. Now I know that this client almost certainly has this application installed (speculation of course, but I have this information).

After knowing this, I decided to go to that client’s site. I couldn’t enter because it kept redirecting to the homepage; I thought it was redirecting based on some kind of whitelisting of the IP address, but actually no, the administration area is now on a subdomain of the main site (new information that I found a couple of days ago). I just need to know the subdomain, which shouldn’t be that hard to discover.

After that I went to the Google Plus page of one of the owners of the company, and there was an announcement of one of their latest clients. From there it was just a question of time until I found the vulnerability on the server.

All this information was gathered in about 5 minutes, because it was so easy to access. Of course, most of this information is displayed on their website, but I didn’t need to go to their site to find it. From the moment I saw the logo of that client, I knew they were in trouble, and this was one of their biggest mistakes: if they hadn’t shown that logo, I couldn’t have jumped to their main client right away; I would have had to go through their site first and learn who their main client was.

Let me make this clear: almost all the information that I gathered from the YouTube video is easily found through their website. The point is, it would just take longer.

Next is server configuration, and now the really harsh critiques start to appear.

The first thing that a responsible programmer/network administrator does is to disable directory listing in the Apache HTTP server. It’s one of the most basic things we web programmers learn, and this is a company that is responsible for managing the entire network of a large hotel group in Portugal. The thing that keeps my mind somewhat at ease is that one of the programmers who works there is very competent (we will get back to him later) and that two of their IT guys are also very competent, but they can’t get to everything.

With directory listing enabled, I was able to access that page that wasn’t secured. All because of this simple configuration.
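As an added illustration (not configuration taken from the post or from the company), here is the Apache setting in question: the weak form that produces a browsable file list for any directory without an index file, beside the corrected form. The document root path is an assumption.

```apache
# Weak: "Indexes" is on, so a request for a directory that has no index file
# (e.g. /js/ or /backoffice/) returns a clickable listing of every file in it.
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Corrected: the leading "-" removes Indexes from the inherited options, so the
# same request now gets 403 Forbidden. When one option carries a sign, all of
# them must, hence "+FollowSymLinks".
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

After editing, `apachectl -t` validates the syntax and a reload applies it; a request such as `curl -I http://host/js/` should then answer `403` instead of `200` with an HTML listing. The same `Options -Indexes` line also works from a `.htaccess` file, but only where the server allows `AllowOverride Options` for that directory. Disabling the listing closes the convenience, not the exposure: files that should not be public still need to be outside the document root or protected by authentication.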

Next is the actual programming, but a little background story first.

I started to work there in August 2005 not knowing much about PHP. I knew a lot about programming, but didn’t know that much about PHP programming. Now remember, this was 7 years ago; as time passed by I evolved, my programming evolved, I now take things into account that I didn’t take into account in 2005, and I think in a completely different way.

The first thing I noticed when browsing through the several JavaScript files that I found was that there were a lot of queries in the middle of the file (like I mentioned in Part 1).

In the first years, I had an idea to make an autocomplete UI control for our backoffice, something reusable that could be used in every script we created. It was approved by upper management, and since it was supposed to be generic, I or someone else had the brilliant idea to put the queries in the JavaScript, so that when we configured the autocomplete the query that was supposed to be executed would be right there. This is completely wrong. This is one of the worst ideas that I have had in my entire life (if it was mine). Not trying to excuse myself, but this was approved by upper management, who had a lot more experience than me. (I remember having a discussion about the file that would return the ajax queries and that this file should accept only a query and all the fields that the query would return; this wasn’t my idea, I’m sure of this.)

This is one security breach that is completely intolerable. The programmer I mentioned above has already spoken to upper management in an attempt to eliminate some of these security holes, but his input wasn’t taken very seriously, I guess; if it had been, these holes should already be covered.

Next, database access. I found that they are still using the same class that I used in 2005 (this class was made around 2002); this is the same class they have been using since 2004 (when they started the company, I think). This is a class that doesn’t use prepared statements, has no escaping by default (mysql_real_escape_string anyone??), nothing. When I was starting out in 2005, my scripts had a lot of errors because of this, because when someone would insert ‘ into a text field, the insert/update/select query would fail, because nothing was escaped. I guess this still happens.

They’ve completely stopped in time; they haven’t evolved at all. In some things they have evolved: they are using stored procedures for some things, which mitigates some of these points, but it surely isn’t enough. I could have wreaked havoc on the “Hotels P” group very easily. Guess what, I still can…
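Both problems above (the SQL text living in the JavaScript and being sent to an ajax endpoint, and the database class that neither escapes nor binds parameters) have the same fix, shown here as an added example that is not the company’s code or the autocomplete control from the post. The server keeps a whitelist of named queries, the client may only choose a name and a search term, and the term is a bound parameter of a PDO prepared statement. The endpoint name `ajax.php`, the parameters `q` and `term`, the table and column names, and the DSN are all assumptions.

```php
<?php
// Added example (not the company's code). Assumes PDO with MySQL, tables
// "clients" (id, name) and "rooms" (id, number), and an "ajax.php" endpoint
// called by the autocomplete control with the parameters "q" and "term".
declare(strict_types=1);

// The legacy design described in the post shipped the SQL itself from the
// JavaScript. Here the JavaScript can only pick one of these names; the SQL
// never leaves the server and the search term is a placeholder, not text.
const AUTOCOMPLETE_QUERIES = [
    'clients_by_name' => 'SELECT id, name FROM clients WHERE name LIKE :term ORDER BY name LIMIT 20',
    'rooms_by_number' => 'SELECT id, number FROM rooms WHERE number LIKE :term ORDER BY number LIMIT 20',
];

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=pms;charset=utf8mb4';   // placeholder DSN
    return new PDO($dsn, 'pms_ro', getenv('PMS_DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Runs one of the whitelisted queries. $term is bound, never interpolated, so
 * a quote character in the input is data rather than syntax: the "someone
 * typed ' into a text field" failure from the post cannot occur here.
 */
function autocomplete(PDO $db, string $queryName, string $term): array
{
    if (!array_key_exists($queryName, AUTOCOMPLETE_QUERIES)) {
        throw new InvalidArgumentException('unknown autocomplete query');
    }
    if (strlen($term) > 64) {
        throw new InvalidArgumentException('search term too long');
    }
    // Escape LIKE metacharacters so "%" and "_" typed by the user match
    // literally; the trailing wildcard is added by us, not by the client.
    $escaped = addcslashes($term, '%_\\');

    $stmt = $db->prepare(AUTOCOMPLETE_QUERIES[$queryName]);
    $stmt->bindValue(':term', $escaped . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

// ajax.php entry point: only logged-in users get data, and only JSON goes out.
if (PHP_SAPI !== 'cli') {
    session_start();
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit;
    }
    header('Content-Type: application/json');
    try {
        $rows = autocomplete(connect(), (string)($_GET['q'] ?? ''), (string)($_GET['term'] ?? ''));
        echo json_encode($rows);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

With this layout the JavaScript that configures the autocomplete contains nothing more sensitive than the string `clients_by_name`, so even if the file is served to an anonymous visitor (the situation the post describes) it discloses no table or column names. The database user is also assumed to be read-only (`pms_ro`), which limits what a remaining mistake in one query could do.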

When I built my custom CMS, when users tried to access a page while they weren’t logged in, I would show an HTML message like “you have to login” or something like that. The problem is that I would only do this validation after the body tag, and that means that all my JavaScript files that are embedded on the page would appear. It isn’t a security hole per se, but it gives information about the system, and information is everything. I found out a few iterations later, and my CMS is now more secure because of this.

Theirs isn’t; I can still gain access to information I shouldn’t, especially all of those SQL queries within the several JavaScript files.
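The ordering mistake described above (checking the login only after the `<body>` tag, so the `<script>` references in `<head>` have already been sent) is easy to avoid once the check is the first statement of the page. The following is an added example, not the post’s CMS code; it assumes a session key named `user_id` marks a logged-in user and that `/login.php` exists.

```php
<?php
// Added example (not the post's CMS). Assumes $_SESSION['user_id'] is set on
// login and that /login.php is the login page.
declare(strict_types=1);

function requireLogin(): void
{
    session_start();
    if (!empty($_SESSION['user_id'])) {
        return;
    }
    // Decide before a single byte of the page is sent: no <head>, no <script>
    // tags, no JavaScript file names for an anonymous visitor to collect.
    if (headers_sent($file, $line)) {
        // Output already started somewhere: that is a bug in page order,
        // so log where it happened and stop rather than leak the rest.
        error_log("requireLogin() called after output started at $file:$line");
        exit;
    }
    http_response_code(302);
    header('Location: /login.php');
    exit;
}

requireLogin();   // first statement of the page, before any HTML at all
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Backoffice</title>
  <!-- Only reached by logged-in users; anonymous requests were redirected above. -->
  <script src="/js/autocomplete.js"></script>
</head>
<body>
  <p>Logged in as user <?= htmlspecialchars((string)$_SESSION['user_id'], ENT_QUOTES, 'UTF-8') ?>.</p>
</body>
</html>
```

A quick check for the old behaviour: request a protected page without a session cookie (`curl -i http://host/backoffice/index.php`) and confirm the response is a `302` with an empty body rather than a `200` whose HTML already lists the script files. The same rule applies to the `.js` files themselves: if they must stay under the document root, they should be served only from a location that requires authentication, otherwise moving the queries out of them (as in the previous example) is what actually removes the exposure.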

And now, the cherry on top of the cake…

Almost two weeks after I found out all of this, they still haven’t patched the PMS. I can still access the invoices system; are you stupid or something???? And all of that personal information is right there for me to access. I bet I can find someone of worth to piss off just by navigating through those records, maybe some guy from the Portuguese government or something like that… so who wants me to discover the subdomain and get some embarrassing invoices?

It’s curious: I found an interview with one of the CEOs about his PMS (on a news channel here in Portugal). The application is great, it opens a lot of doors to the management of this hotel group (pun intended), it’s a powerful marketing tool (and yes it is, no pun), and one phrase that caught my eye was something like this: “Everyone, with a browser and an internet connection, is able to access the application”… he should have phrased it better, I guess.

This is one of the reasons why PHP has such a bad name in some circles: it’s because of companies like “this” that give such a bad name to PHP. Imagine that I was really a bad guy, a really mean one: I could’ve hacked the site, dropped the price of rooms, and the hotel would be in trouble. The company that makes these websites would be in trouble. If I was a really bad guy, I could’ve accessed privileged information about the future prices of this hotel and sold it, gotten the information of all their registered clients; the world could be mine! And all that would transpire from this hacking is that the company was using PHP. Maybe this would be the case, maybe not… we will never know…

Finalizing: the programmer I mentioned earlier found out about this through my Facebook page. The CEO, who received my email and answered me, didn’t tell anyone about the security holes I found… if I was the CEO of this company, I would make a big noise out of this. But instead he chose to remain silent. Which is a big mistake, since the developers working there won’t learn…
