[<prev] [next>] [day] [month] [year] [list]
Message-ID: <509AF46A.5000009@klondike.es>
Date: Thu, 08 Nov 2012 00:53:14 +0100
From: klondike <klondike@...ndike.es>
To: full-disclosure@...ts.grok.org.uk
Subject: When those who say to represent computing/IT
students have serious security vulnerabilities? (XSS and data disclosure on
http://ritsi.org )
This full disclosure is made mainly to protest against how the politics
work between the Spanish computing and IT student councils. If you just
don't give a fuck the issues are lower.
The political reasons:
Turn out this year the RITSI is supposed to get 20 years old, also turns
out they seem to be as closed as always. Their assembly system works
with representatives sent by the different unions all around Spain, but,
it turns out that the fact there is no voice but no vote (or even no
voice nor vote) positions (at least not public ones) for any
computing/IT student willing to pay the fees by himself results in said
unions being able to act as a filter of the minorities (i.e. groups not
affine with the current head representative interests) from their
university present in the assembly, in theory this shouldn't lead to
much more than yet another "democratic" system, but it turns out that
the workgroups (i.e. groups of people that do things) tend to be chosen
amongst the people present in the assembly, and this what brings us to
this nice disclosures here, the workgroup responsible for the web is
also chosen in this way which is what lead to such a security faulty
site in the first place.
Since they should be having one of these "democratic" assemblies by the
time we are speaking it's now up to them to choose, whether they want to
be open to minorities and thus get the best of the people willing to
work and fight for his companions in their workgroups or just keep
themselves as closed as they are whilst they give out the impression
people going to these assemblies does so mostly so they can party at
nights whilst they are there.
The issues:
First it is possible to inject arbitrary XSS with a properly crafted
POST query to http://ritsi.org/asambleas/xxxvii/contactar/ in there
when an incorrect request is sent most of the data is reproduced
verbatim, for example by pasting the below vector in the e-mail field
the issue can be tested.
Attack vector:
"/><script>alert('RITSI SUCKS!')</script><img aaa="
Also if you have an e-mail Database you can easily check which of those
e-mails are in there by using the
http://ritsi.org/asambleas/inscripcion/guard/forgot_password formulary,
for this just write an e-mail and check the answer given since when an
e-mail is present in the DB it is different from when it isn't, to make
things more funny the requests can be automated. And well I shouldn't be
the one speaking but affiliation with a Student Union is considered a
political personal information so I doubt the AEPD (spanish data
protection agency) will like this much xD
And well, I'm quite sure there are probably more serious one but it
should be their web workgroup task to do a propper audit, since after
all I was just one of those people from a silenced minority that even if
willing wasn't able to help them detect and fix these issues.
klondike
Download attachment "signature.asc" of type "application/pgp-signature" (263 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists