Date: Mon, 23 Oct 2006 17:13:10 -0400
From: Matthew Flaschen <matthew.flaschen@...ech.edu>
To: full-disclosure@...ts.grok.org.uk, techsupport@...pub.com
Subject: Comment Service

I don't know whether anyone here uses this software, but I wanted to
report this somewhere.  The software in question is a subscription web
service called Comment, run by Bedford St. Martins (a publisher).  The
main site is at http://comment.bedfordstmartins.com/ .  The only
version I have used or tested is
http://comment.bedfordstmartins.com/CommentSMHandbook5e/ , but I suspect
that the vulnerabilities extend across all the other versions.

The site is designed to allow instructors to create private virtual
classes, to which students can upload documents.  The defining feature
(obviously) is that the site allows students and professors to comment
(annotate) each other's papers.  There are no problems with this
functionality.

However, the site design is fundamentally flawed from a security point
of view.  The first problem I found is that through a manipulation of
the url, it is possible to view arbitrary documents, regardless of
whether you are in the uploader's class.

The original document URLs are in form:

http://comment.bedfordstmartins.com/CommentSMHandbook5e/pages/docView.asp?doc=999&a=998&DCID=997

Each parameter (doc, a, DCID) would be a different natural number.  I
believe doc refers to the assignment the document is intended for, a to
the author, and DCID to the actual document id.

These are used in links from the main document listing.

Substituting an arbitrary DCID allows you to view that document,
unconditionally.  This is already a critical flaw, as the site is meant
to be segregated into private classes; this breaches the divide by
allowing the viewing of arbitrary documents from other classes.  The
other parameter of interest is "a".  This refers to the author (or
uploader) of the document.  When an author views their own document,
they can see all comments (and it says "your document" in the print
view), even if they are private.  However, the only criterion for
document ownership here is the "a" parameter.  So, for best results when
viewing others' documents, use your own "a" parameter.  Now, all
comments on all documents are available.  This also means the emails of
the uploader, and all commenters are available; they are in plain text
in the source despite the fact that the web site sends the emails using
a server-side script.

Thus, we have full read access to the site.  The question now becomes to
what extent write access is possible.  It turns out this is also
unlimited.  Comments can be added on most documents the normal way
(clicking on a word or paragraph mark).  However, for the instructor
documents, commenting by students is prohibited.  In these cases, open
the actual document frame (bottom left) separately.  Then, simply type
javascript:addWinOpen(5, "word") into the address bar.  5 is the natural
number corresponding to the word you wish to comment (in order).  "word"
can be replaced by "para" to comment paragraphs instead.  This will open
a window for editing, as the system would for ordinary comments.

Editing an arbitrary comment is a bit trickier.  There is a function
editWinOpen(5, "word") (same parameter forms).  However, it only works
for your own comments; I do not think this is deliberate security.
Rather, they just assume you are editing your own comment, can't find
one, so start a new one (if you attempt to save this, it will give an
error).  So, create a new comment (using the method above if the
document is locked).  Then, edit this one.  An edit link will be
available unless the comment was created on a locked page (in this case
use editWinOpen, which will work for your own comments).  Once you have
your own comment open for editing, open Firefox's DOM inspector (or
similar).  Search for name=cmtID .  This is the only data the script
uses to determine what comment to operate on.  Luckily, there is an easy
way to get the cmtID for an arbitrary comment.  It's in the email link
next to each comment.  They are in the form:

javascript:popwin(pageURL('emailCmt')+'?cmtID=999',620,435);

Simply copy that cmtID out and paste it into DOM inspector.  Then, copy
the original comment text from the page, make desired modifications,
then click save comment.  The same goes for deletion.

Thus, there is arbitrary read-write for comments.  What can be done with
others' documents?  It turns out it is possible to do everything you can
do with your own uploaded documents.  The reason is simple.  In the main
document listing, there are checkboxes next to your documents, and a
menu with choices of actions.  However, the checkboxes use the same
DCIDs noted earlier.  The values are in form:

DCID|FILENAME|doc

Again, only DCID matters.  It can be changed to any arbitrary DCID; the
other text (after the | ) is ignored.  Then, the menu (Copy, show/hide,
delete), all applies to the document corresponding to the DCID.  Thus,
it is possible to hide and/or delete an arbitrary document.  There is
thus unlimited read/write access for the whole supposedly private site.

Note: The original problem (arbitrary read access) was disclosed 1 week
ago to their tech support by email.  They have replied with nothing but
an Autoresponse.  I made a follow-up call and was told they would deal
only with an instructor (even though I have documents and comments
uploaded, and paid for access).  Thus, I am fully disclosing here.

Matthew Flaschen


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
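
Added example, not part of the original post and not the vendor's code: a minimal server-side authorization layer for the flaws described above, where the "a" parameter, the DCID, the cmtID form field and the "DCID|FILENAME|doc" checkbox value were all trusted as sent. The user names, the class and document tables, the `locked` flag and the access policy are assumptions made for illustration; the logged-in user comes from the server's session, never from the request.

```python
from dataclasses import dataclass

# Constructed sample data: two private classes with their members, documents, comments.
CLASS_MEMBERS = {10: {"alice", "prof_x"}, 20: {"bob", "carol", "prof_y"}}

@dataclass(frozen=True)
class Document:
    dcid: int
    class_id: int
    owner: str
    locked: bool = False  # assumed flag for documents closed to comments by others

DOCUMENTS = {997: Document(997, 10, "alice"), 555: Document(555, 20, "bob"),
             600: Document(600, 20, "prof_y", locked=True)}
COMMENTS = {999: {"dcid": 555, "author": "prof_y"}}

class Forbidden(Exception):
    """Raised when the logged-in user may not perform the requested action."""

def authorize(session_user, action, dcid=None, cmt_id=None):
    """Decide from server-side records only; 'a' and FILENAME are never consulted."""
    if cmt_id is not None:
        comment = COMMENTS.get(cmt_id)
        if comment is None:
            raise Forbidden("no such comment")
        dcid = comment["dcid"]  # the comment's stored document, not a request value
    doc = DOCUMENTS.get(dcid)
    if doc is None or session_user not in CLASS_MEMBERS[doc.class_id]:
        raise Forbidden("not a member of the document's class")
    is_owner = session_user == doc.owner
    if action == "view":
        return {"show_private_comments": is_owner}
    if action == "add_comment" and (is_owner or not doc.locked):
        return {}
    if action in ("edit_comment", "delete_comment") and cmt_id is not None:
        if COMMENTS[cmt_id]["author"] == session_user:
            return {}
    if action in ("copy", "hide", "delete") and is_owner:
        return {}
    raise Forbidden(f"{session_user} may not {action}")

def authorize_bulk(session_user, action, checkbox_values):
    """Checkbox values arrive as 'DCID|FILENAME|doc'; re-check every DCID."""
    try:
        dcids = [int(v.split("|", 1)[0]) for v in checkbox_values]
    except ValueError:
        raise Forbidden("malformed checkbox value") from None
    for dcid in dcids:
        authorize(session_user, action, dcid=dcid)
    return dcids
```

Every handler (document view, comment add/edit/delete, and the Copy/show-hide/delete menu) would call this before touching data, so hiding links or locking the page in the browser is no longer the only control.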
