lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAExQ7uKQbeNu9FJo7w-JVOXdine2xwuYDpmHKhjorxR7a2pDOw@mail.gmail.com>
Date: Fri, 5 Jul 2013 03:05:17 -0500
From: adam <adam@...sy.net>
To: xnite@...te.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: eResourcePlanner Authentication Bypass/SQL
	Injection

Just as a note, you can also use their normal domain instead of rp4me.com.
i.e. jetblue.eresourceplanner.com works in addition to jetblue.rp4me.com.

Do you know if the passwords are hashed/salted in the database? Or are they
all plaintext? This looks like it could become huge overnight. Especially
since hsn.eresourceplanner.com was one of the first subdomains I saw (it
has to be home shopping network, right?).

cough cough
http://www.google.com/#q=%22If+you+experience+any+issues+accessing+your+eResourcePlanner+Tools%22+%5Bsite:rp4me.com%7Csite:eresourceplanner.com%5D&filter=0&num=100

Also, it appears to be every page (FirstTimeLogin.asp,
Forgot.asp, PasswordRetrieval.asp) and not just the main login.asp file.

You're right though, hopefully this gets their attention.

On Fri, Jul 5, 2013 at 1:26 AM, <xnite@...te.org> wrote:

> I have been trying to contact the ERP company for the past year with a bug
> which could affect dozens of companies including cell phone providers, call
> centers, and more.
> eResourcePlanner provides resource planning software to companies, which
> are hosted on their own subdomain "rp4me.com".
> The SQL injection was stumbled upon during a legitimate login attempt in
> which I received an SQL error by accidentally typing an ' into my password.
> With minimal research it was not difficult to find that the username table
> on the MySQL database was "userid".
> Any client could simply put the following string (replacing username with
> their actual username or a portion of a username) into the username portion
> of the login field, and be logged in from that point as any user they would
> like.
> The string is on it's own line as follows:
> a' OR userid like '%username%' OR 'a
> Given that the username, or first match of the string given in the like
> statement matches an active account, you will be logged in now as that user.
>
> Other more minor security issues that I would like to point out are seen
> within an actual SQL error which looks like the following:
> [MySQL][ODBC 5.1 Driver][mysqld-5.5.9-log]You have an error in your SQL
> syntax; check the manual that corresponds to your MySQL server version for
> the right syntax to use near '''' AND lcase(Password) = ''' at line 1
>
> Things that need to pointed out here are listed below:
> * A production machine should never be displaying the contents of an SQL
> error, this is a primary way an attacker may discover a vulnerability.
> * lcase(Password) shows us that no matter what password is given, it is
> converted to lower-case lettering anyway, disallowing what might be
> considered a "strong password". This makes brute-forcing passwords much
> easier.
> * The error string displays the version of the MySQL Server Daemon, which
> could be used to find other potential vulnerabilities to compromise the
> daemon.
> * MySQL Server Daemon is out of date, 5.5.9 was released February of 2011.
>
> FOR THE RECORD:
> I have not used this vulnerability with any malicious intent, and
> everything I touched was perfectly legal/ethical. I used this to login to
> only my account, and those of which I had permission to do so. I have tried
> to go the safe route for over a year and disclose this privately with the
> company providing the software (eresourceplanner.com) with no response
> back, and I have decided at this point that it's better to make it public
> and hope that it will be fixed, than to keep it private while those with
> malicious intent may already be a ghost in the system.
>
> *---*
> *R. Whitney - **Independent IT Consultant*
> *Phone:  **(347)674-4835*
> *Postal:** PO Box 5984, Bloomington, IL 61702-5984*
> *Other: **My Blog <http://xnite.org> / LinkedIn<http://www.linkedin.com/in/whitneyr> /
> Twitter <http://twitter.com/xnite>*
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ