Message-ID: <CAExQ7u++O0aRtZGOfsqEQYOJ+LX0L+RSXQyj5Fd=EtG7fZXcrA@mail.gmail.com>
Date: Fri, 5 Jul 2013 09:00:01 -0500
From: adam <adam@...sy.net>
To: xnite@...te.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: eResourcePlanner Authentication Bypass/SQL Injection

<rant>
Personally, I always tend to wonder how things like this come to be (like
specifically, for this particular case). The developer, was he stupid or
just lazy? Maybe he felt that they mistreated him and he did it
intentionally? Or I guess just as likely, the code could be extremely old,
when people were (somehow) even less security minded.

It doesn't really surprise me, but always always amazes me, how so many
people approach security as an afterthought. It's like buying a brand new
house without the front door. Sure, it's great, looks awesome and will
serve your purpose - but you paid money for it to do that. Meanwhile,
everyone else gets to not only come in for free and use what you paid for,
they also get to take anything that their heart desires (and bonus: if
you're sleeping like a *log*, you'll never know). I've even seen people
install firewalls to try to secure their code. That's like installing an
alarm on the house mentioned above. Sure, if someone breaks a window -
you'll know. But why bother when they can just use the front door?

I've seen how easily (and unfortunately often) it can (and does) happen. A
good example isn't laziness or malice, but cheapness. I've run into more
people on freelancing sites than I'd like to admit who share the same
values as one another: it's cheaper to have something fixed than it is to
have it created. So they post a project that really should have a budget of
a few grand for $30 or $50. Just as you'd expect, they get an
inexperienced/careless developer most of the time who hacks together what
appears to be what they want. They pay, developer disappears, and they end
up with a really shitty product. In their minds though, that's not a
problem. Because now they can turn around and post the project for a few
hundred, hint that it's already been created and just needs a minor fix,
and can hire someone who's actually qualified to fix it. The first
developer doesn't care about the product and the second isn't being paid
nearly enough to worry about "extras" like security (especially when he
realizes he's been tricked and most of it needs to be rewritten - at which
point, not sanitizing input may become intentional).

So in the end, the buyer saves a little bit of money for a little while.
His customers, though, aren't so lucky. The same holds true here,
especially because: in addition to the issues you've already raised:</rant>

1) Information disclosure by accessing a nonexistent file:
http://hsn.eresourceplanner.com/fake.asp
2) XSS on two different pages:
Login.asp?UserID="><script>alert(12345);</script><a

And what appears to be several other issues.

On Fri, Jul 5, 2013 at 6:52 AM, <xnite@...te.org> wrote:

> You are absolutely correct, I did leave out the fact that it is quite
> obvious passwords are not hashed in the database, otherwise the lcase would
> be useless, and they might instead be using the md5 or sha1 function
> instead. So that is once again another minor security issue which is
> included in this nasty group of bugs.
> It's honestly hard to believe that companies would use this vendor at all
> considering that there are so many other great options out there
> *cough*google apps provides erp*cough*.
> I do appreciate you raising that concern Adam.
>
> Yet another flaw is that the pages *should* include a noindex/nofollow tag
> to be sure that these pages are NOT indexed. These pages should remain
> known to only those who *need* to know about them (ie- the people who work
> at these companies).
>
> ---
> R. Whitney - Independent IT Consultant
> Phone: (347)674-4835
> Postal: PO Box 5984, Bloomington, IL 61702-5984
> Other: My Blog <http://xnite.org> / LinkedIn <http://www.linkedin.com/in/whitneyr> /
> Twitter <http://twitter.com/xnite>
>
> ---- Original Message ----
> From: adam <adam@...sy.net>
> To: xnite@...te.org
> Cc: full-disclosure@...ts.grok.org.uk
> Sent: Fri, Jul 5, 2013, 3:05 AM
> Subject: Re: [Full-disclosure] eResourcePlanner Authentication Bypass/SQL Injection
>
> Just as a note, you can also use their normal domain instead of rp4me.com.
> i.e. jetblue.eresourceplanner.com works in addition to jetblue.rp4me.com.
>
> Do you know if the passwords are hashed/salted in the database? Or are
> they all plaintext? This looks like it could become huge overnight.
> Especially since hsn.eresourceplanner.com was one of the first subdomains
> I saw (it has to be home shopping network, right?).
>
> cough cough
> http://www.google.com/#q=%22If+you+experience+any+issues+accessing+your+eResourcePlanner+Tools%22+%5Bsite:rp4me.com%7Csite:eresourceplanner.com%5D&filter=0&num=100
>
> Also, it appears to be every page (FirstTimeLogin.asp,
> Forgot.asp, PasswordRetrieval.asp) and not just the main login.asp file.
>
> You're right though, hopefully this gets their attention.
>
> On Fri, Jul 5, 2013 at 1:26 AM, <xnite@...te.org> wrote:
>
>> I have been trying to contact the ERP company for the past year with a
>> bug which could affect dozens of companies including cell phone providers,
>> call centers, and more.
>> eResourcePlanner provides resource planning software to companies, which
>> are hosted on their own subdomain "rp4me.com".
>> The SQL injection was stumbled upon during a legitimate login attempt in
>> which I received an SQL error by accidentally typing an ' into my password.
>> With minimal research it was not difficult to find that the username table
>> on the MySQL database was "userid".
>> Any client could simply put the following string (replacing username with
>> their actual username or a portion of a username) into the username portion
>> of the login field, and be logged in from that point as any user they would
>> like.
>> The string is on its own line as follows:
>> a' OR userid like '%username%' OR 'a
>> Given that the username, or first match of the string given in the like
>> statement matches an active account, you will be logged in now as that user.
>>
>> Other more minor security issues that I would like to point out are seen
>> within an actual SQL error which looks like the following:
>> [MySQL][ODBC 5.1 Driver][mysqld-5.5.9-log]You have an error in your SQL
>> syntax; check the manual that corresponds to your MySQL server version for
>> the right syntax to use near '''' AND lcase(Password) = ''' at line 1
>>
>> Things that need to be pointed out here are listed below:
>> * A production machine should never be displaying the contents of an SQL
>> error, this is a primary way an attacker may discover a vulnerability.
>> * lcase(Password) shows us that no matter what password is given, it is
>> converted to lower-case lettering anyway, disallowing what might be
>> considered a "strong password". This makes brute-forcing passwords much
>> easier.
>> * The error string displays the version of the MySQL Server Daemon, which
>> could be used to find other potential vulnerabilities to compromise the
>> daemon.
>> * MySQL Server Daemon is out of date, 5.5.9 was released February of 2011.
>>
>> FOR THE RECORD:
>> I have not used this vulnerability with any malicious intent, and
>> everything I touched was perfectly legal/ethical. I used this to log in to
>> only my account, and those of which I had permission to do so. I have tried
>> to go the safe route for over a year and disclose this privately with the
>> company providing the software (eresourceplanner.com) with no response
>> back, and I have decided at this point that it's better to make it public
>> and hope that it will be fixed, than to keep it private while those with
>> malicious intent may already be a ghost in the system.
>>
>> ---
>> R. Whitney - Independent IT Consultant
>> Phone: (347)674-4835
>> Postal: PO Box 5984, Bloomington, IL 61702-5984
>> Other: My Blog <http://xnite.org> / LinkedIn <http://www.linkedin.com/in/whitneyr> /
>> Twitter <http://twitter.com/xnite>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>


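The thread above describes three defects at once: a login query built by string concatenation (so the `a' OR userid like '%username%' OR 'a` string becomes part of the SQL), a `lcase(Password)` comparison that folds every password to lower case, and raw database errors returned to the browser. The following is an added example, not code from the thread or from the vendor; it uses an in-memory SQLite table (with `lower()` standing in for MySQL's `lcase()`) and two constructed accounts to show the vulnerable pattern beside a parameterized, salted-hash version that the same string cannot bypass. The PBKDF2 round count is an assumption.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not from the thread). Plaintext storage here
# mirrors what the lcase(Password) comparison in the leaked error implies.
USERS = [
    ("alice", "CorrectHorse"),
    ("bob", "Tr0ub4dor&3"),
]

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware budget


def make_vulnerable_db():
    """In-memory SQLite table standing in for the vendor's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, userid, password):
    """Query built by string concatenation, as the leaked error implies.
    Returns the userid the application would treat as logged in, or None.
    Any sqlite3.Error propagates, just as the vendor's raw error reached the
    client. Because AND binds tighter than OR, the injected second OR term
    matches on its own and the password check is never consulted."""
    sql = ("SELECT userid FROM users WHERE userid = '%s' "
           "AND lower(password) = lower('%s')" % (userid, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def leaked_error_text(conn, userid, password):
    """What an unhandled error page shows the user: the raw DB message."""
    try:
        login_vulnerable(conn, userid, password)
    except sqlite3.Error as e:
        return str(e)
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the password's case is preserved."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def make_hardened_db():
    """Same accounts, stored as per-user salt plus PBKDF2 hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    for uid, pw in USERS:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, salt, digest))
    return conn


def login_hardened(conn, userid, password):
    """Parameterized lookup: user input never becomes SQL text, so the quote
    in the payload is just data. The hash compare is constant-time and
    case-sensitive, and an unknown user fails exactly like a bad password."""
    row = conn.execute(
        "SELECT salt, pwhash FROM users WHERE userid = ?", (userid,)
    ).fetchone()
    if row is None:
        return None
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return userid if hmac.compare_digest(candidate, stored) else None


if __name__ == "__main__":
    payload = "a' OR userid like '%alice%' OR 'a"  # the string from the thread
    print(login_vulnerable(make_vulnerable_db(), payload, "wrong"))  # alice
    print(login_hardened(make_hardened_db(), payload, "wrong"))      # None
    print(leaked_error_text(make_vulnerable_db(), "alice", "'"))     # raw DB error
```

Note that `login_vulnerable` also accepts `correcthorse` for alice, which is the weakening the `lcase(Password)` clause causes: the effective password space shrinks to the lower-case alphabet. In production the hardened path would additionally catch database errors and return a generic "login failed" message, so that nothing like the `[MySQL][ODBC 5.1 Driver][mysqld-5.5.9-log]` string ever reaches a client.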
