lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 7 Sep 2015 16:05:04 -0400
From: Scott Arciszewski <kobrasrealm@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Just Don't Use or Trust Bullhorn

Story time, FD.

Hopefully I can save someone else from having to deal with the
frustration of dealing with Bullhorn.

March 3, 2014 - I observed that SendOuts (owned by Bullhorn) didn't
use HTTPS even though it was available, nor HSTS once someone
explicitly accessed the https://webconnect3.sendouts.com URL.

When I went to notify them on their support forums, I noticed they
were running an ancient version of phpBB. A version known to be
vulnerable to https://www.exploit-db.com/exploits/16890/ (although I
did not attempt to exploit it, because that would be reckless and
stupid).

October 23, 2014 - After months without hearing a word in response, I
decide to ping them again. This actually got the attention of their
director of support.

November 4, 2014 - After more silence, I send an email asking "Am I
clear to make a post my findings on the Full Disclosure mailing list
without fear of retributive criminal charges?"

Immediately, I get an email from "Andrew Smith | Director, Technical
Operations & Security". The conversation goes like this:

Andrew:

> I was hoping to connect with you on having your concerns addressed, C**** mentioned that these issues are currently scheduled to be fixed, what else can we do to help to resolve any of these matters.

Me:

> No additional concerns; I was wondering when it would be safe to publicly disclose the concerns I sent to C**** in March.
>
> Namely:
> * Lack of HSTS and/or HTTP->HTTPS rewriting (ever heard of sslstrip?)
> * Outdated phpBB as demonstrated here: http://supportforums.bullhorn.com/docs/ which has this vulnerability: http://www.exploit-db.com/exploits/16890/

Andrew:

> I would like to understand your goals in doing that? Security is a major concern for us, but as you know, one that is a constant fight to keep current, for any software provider, with exploits and issues as they arise. As issues arise, they are prioritized, fixed and deployed. These issues have been prioritized and will be deployed  as soon as is possible.
>
> I don't understand your motivation for publicly posting these issues, are you working with any of our clients at present?

And then I explained the history of full disclosure as it relates to
the security industry (really boring), and he said this:

> Thanks for the details, Scott. Yes, we of course use industry standard processes for accepting, resolving and notifying all of our clients of bugs, both application and security. The worry I have is that, this information is delivered by us, the provider, with full explanations of the issues, to the clients themselves via bug and issue tracking systems, not via public forums.
>
> Our public forums are a place where our developers and users can gain information for using and extending our application, to post bug and security fixes there would be misusing the goals of that system.
>
> Thank you for letting us know about the issues and we appreciate your concern.

Finally, they agreed that fixing it is a priority and that Andrew
Smith would let me know when it's fixed so that I could go public
without fear of causing any damage to Bullhorn or its customers.

Epilogue: They updated their phpBB on November 26, 2014, but never
said a word. Liars.

The lessons here?

1. Bullhorn's director of security doesn't understand security.
2. They're a pain in the ass to deal with. If you're looking to help a
company with their security, Bullhorn is a bad choice due to the
personalities involved.
3. Never trust Bullhorn with sensitive information (SSNs, etc.).

I hope that, by sharing this, I saved someone else from a headache or two.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ