[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <fd9042c.2afffdf6be740eb4318192adbb51a083@slender.xnite.org>
Date: Fri, 5 Jul 2013 11:52:10 +0000
From: xnite@...te.org
To: full-disclosure@...ts.grok.org.uk
Subject: Re: eResourcePlanner Authentication Bypass/SQL
Injection
You are absolutely correct, I did leave out the fact that it is quite
obvious passwords are not hashed in the database, otherwise the lcase would
be useless, and they might instead be using the md5 or sha1 function
instead. So that is once again another minor security issue which is
included in this nasty group of bugs.
It's honestly hard to believe that companies would use this vendor at all
considering that there are so many other great options out there
*cough*google apps provides erp*cough*.
I do appreciate you raising that concern Adam.
Yet another flaw is that the pages *should* include a noindex/nofollow tag
to be sure that these pages are NOT indexed. These pages should remain
known to only those who *need* to know about them (ie- the people who work
at these companies).
---
R. Whitney - Independent IT ConsultantPhone: (347)674-4835
Postal: PO Box 5984, Bloomington, IL 61702-5984
Other: My Blog (http://xnite.org) / LinkedIn
(http://www.linkedin.com/in/whitneyr) / Twitter (http://twitter.com/xnite)
---- Original Message ----
From: adam
To: xnite@...te.org
Cc: full-disclosure@...ts.grok.org.uk
Sent: Fri, Jul 5, 2013, 3:05 AM
Subject: Re: [Full-disclosure] eResourcePlanner Authentication Bypass/SQL
Injection
Just as a note, you can also use their normal domain instead of rp4me.com
(http://rp4me.com). i.e. jetblue.eresourceplanner.com
(http://jetblue.eresourceplanner.com) works in addition to
jetblue.rp4me.com (http://jetblue.rp4me.com).
Do you know if the passwords are hashed/salted in the database? Or are they
all plaintext? This looks like it could become huge overnight. Especially
since hsn.eresourceplanner.com (http://hsn.eresourceplanner.com) was one of
the first subdomains I saw (it has to be home shopping network, right?).
cough cough
http://www.google.com/#q=%22If+you+experience+any+issues+accessing+your+eResourcePlanner+Tools%22+%5Bsite:rp4me.com%7Csite:eresourceplanner.com%5D&filter=0&num=100
(http://www.google.com/#q=%22If+you+experience+any+issues+accessing+your+eResourcePlanner+Tools%22+%5Bsite:rp4me.com%7Csite:eresourceplanner.com%5D&filter=0&num=100)
Also, it appears to be every page (FirstTimeLogin.asp, Forgot.asp,
PasswordRetrieval.asp) and not just the main login.asp file.
You're right though, hopefully this gets their attention.
On Fri, Jul 5, 2013 at 1:26 AM, wrote:
I have been trying to contact the ERP company for the past year with a bug
which could affect dozens of companies including cell phone providers, call
centers, and more.
eResourcePlanner provides resource planning software to companies, which
are hosted on their own subdomain "rp4me.com (http://rp4me.com)".
The SQL injection was stumbled upon during a legitimate login attempt in
which I received an SQL error by accidentally typing an ' into my password.
With minimal research it was not difficult to find that the username table
on the MySQL database was "userid".
Any client could simply put the following string (replacing username with
their actual username or a portion of a username) into the username portion
of the login field, and be logged in from that point as any user they would
like.
The string is on it's own line as follows:
a' OR userid like '%username%' OR 'a
Given that the username, or first match of the string given in the like
statement matches an active account, you will be logged in now as that
user.
Other more minor security issues that I would like to point out are seen
within an actual SQL error which looks like the following:
[MySQL][ODBC 5.1 Driver][mysqld-5.5.9-log]You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version for
the right syntax to use near '''' AND lcase(Password) = ''' at line 1
Things that need to pointed out here are listed below:
* A production machine should never be displaying the contents of an SQL
error, this is a primary way an attacker may discover a vulnerability.
* lcase(Password) shows us that no matter what password is given, it is
converted to lower-case lettering anyway, disallowing what might be
considered a "strong password". This makes brute-forcing passwords much
easier.
* The error string displays the version of the MySQL Server Daemon, which
could be used to find other potential vulnerabilities to compromise the
daemon.
* MySQL Server Daemon is out of date, 5.5.9 was released February of 2011.
FOR THE RECORD:
I have not used this vulnerability with any malicious intent, and
everything I touched was perfectly legal/ethical. I used this to login to
only my account, and those of which I had permission to do so. I have tried
to go the safe route for over a year and disclose this privately with the
company providing the software (eresourceplanner.com
(http://eresourceplanner.com)) with no response back, and I have decided at
this point that it's better to make it public and hope that it will be
fixed, than to keep it private while those with malicious intent may
already be a ghost in the system.
---
R. Whitney - Independent IT Consultant Phone: (347)674-4835
(tel:%28347%29674-4835)
Postal: PO Box 5984, Bloomington, IL 61702-5984
Other: My Blog (http://xnite.org) / LinkedIn
(http://www.linkedin.com/in/whitneyr) / Twitter (http://twitter.com/xnite)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
(http://lists.grok.org.uk/full-disclosure-charter.html)
Hosted and sponsored by Secunia - http://secunia.com/
(http://secunia.com/)
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists