home‎ > ‎

secured [SECurity CURED] ;)

"Security is just followed, it's never achieved."

[] XSS-Patch with PoC

posted Sep 13, 2010, 8:27 AM by Abhishek Kumar

[] hrberry.com {self-invited DoS, server info}

posted Aug 12, 2010, 7:48 AM by Abhishek Kumar   [ updated Aug 26, 2010, 4:46 PM ]

[]Found By:
ABK, Command-Line, Burp Proxy and a Foxy Browser

[]Patched:

Yes

[]Vulnerability type:
Unhandled GET Request, and Flawed Cryptography Library 

[]Platform/OS/Version:
Web Application (PHP-based) for Payroll system, used CodeIgniter Framework

[]Vuln Summary:
There were validation flaws for GET Request Parameters sent to CAPTCHA image generating PHP script on the Portal.
This allowed attacker to trick the app to generate any number of characters consuming processing power.
It had a timout after 30 seconds (too much) and generated error message with full PATH of PHP file.
Also worked on older un-patched version of OpenSSL.

[]Vuln Description:
[vuln#1]
if you failed login once, next login comes along-with CAPTCHA,
the related PHP Script is
https://www.hrberry.com/system/application/views/createsecurityimages.php?l=7
With some http request say
https://www.hrberry.com/system/application/views/createsecurityimages.php?l=7777777777
it don't check for any upper-limit for value of 'l'; just ask them to place a condition check in script for this because even this consumes 30 seconds per request, thats a long time from Processing Perspective and several such requests could be used to launch an easy self-invited DoS.
[vuln#2]
somewhat way larger 30 sec timeout also gives an un-managed error status with complete resource path shown as
 /var/www/web4/web/system/application/views/...
now this structure tells its most probably Apache2 over Debian/Ubuntu {not 100% but best guess}
just ask them to replace default error message with custom error messages.
[vuln#3]
Mozilla's Error Console says its vulnerable/non-compliant for { CVE-2009-3500 RFC 5746 }
This non-compliant structure could let an attacker could feed in malicious data within your session.
that suggests its using older/unpatched version of OpenSSL (your cryptography library)
This will require you to patch/update OpenSSL package on your Web Server to latest version, for OpenSSL latest release was in Mar'2010 as version 1.0.0
[vuln#4]
 Some http-anomaly tests reveal that its based over 'CodeIgniter' PHP Framework

[]Steps to Reproduce:
already patched, so can't be reproduced on the same portal

[]Product Name:
http://www.hrberry.com
Payroll Helpdesk, serving several prestigious companies

[]Victim Name:
Ascent Consulting Services Pvt. Ltd.
[http://ascent-online.com]

[]Victim URL
http://www.hrberry.com

[]Victim Country:
India

[]Victim Notified:
Yes.
I've received the notification of it being patched on 12-August-2010.

1-2 of 2