78 lines
2.7 KiB
Markdown
78 lines
2.7 KiB
Markdown
# solu.pub vulnerabilities
|
|
|
|
## intro
|
|
|
|
* [persistent XSS](#XSS)
|
|
* [HTTP passing passwords in clear](#cleartext-passwords)
|
|
* [incremental IDs for users and posts](#incremental-ids)
|
|
* [last_story1.php vs. last_story.php](#last_story.php)
|
|
* [creating stories with free account](#free-account-story-creation)
|
|
|
|
## XSS
|
|
|
|
on http://soluapp.pub/legacy/legacy-chapter1.php, both are persistent:
|
|
|
|
* Legacy Title
|
|
* Chapter Title (is run 2x per page load)
|
|
|
|
POC input value: `"><script>alert('foo')</script>`
|
|
|
|
given the basic nature of this string, imagining that many of the other input fields are similarly vulnerable,
|
|
and that no XSS mitigation whatsoever is being done.
|
|
|
|
## HTTP passing cleatext passwords
|
|
|
|
i couldn't find any resources on this site that were served over SSL, and of particular concern is the email (login page)[http://soluapp.pub/signin2.html], which sends:
|
|
|
|
```
|
|
POST /php/signin.php HTTP/1.1
|
|
Host: soluapp.pub
|
|
Connection: keep-alive
|
|
Content-Length: 61
|
|
Accept: */*
|
|
Origin: http://soluapp.pub
|
|
X-Requested-With: XMLHttpRequest
|
|
User-Agent: <redacted>
|
|
Referer: http://soluapp.pub/signin2.html
|
|
Accept-Encoding: gzip, deflate
|
|
Accept-Language: en-US,en;q=0.8
|
|
Cookie: PHPSESSID=<redacted>; intercom-id-l2bhyx5c=85d1329e-1353-4c01-b4fa-e48e14c6d985; _gat=1; _ga=GA1.2.1803746552.1482791071
|
|
|
|
&Email_Address=<redacted>&Password=<redacted>
|
|
```
|
|
|
|
## incremental IDs
|
|
|
|
## last_story.php
|
|
|
|
public entrance/landing page URLs:
|
|
* http://soluapp.pub/legacy-chapter.php?id=2074 -- <user1> (randomly chosen)
|
|
* http://soluapp.pub/legacy-chapter.php?id=917 -- <user2> (free)
|
|
* http://soluapp.pub/legacy-chapter.php?id=5288 -- <user3> (paid)
|
|
|
|
public story URL:
|
|
* http://soluapp.pub/story_slide.php?userid=196&ty=I%20came%20for%20the%20winter...&key=0
|
|
|
|
private/editing pages had the following URLs:
|
|
* http://soluapp.pub/legacy/last_story1.php?userid=882&id=5288&img=bg_image7.png&key=0&ty=&chapkey=0
|
|
* http://soluapp.pub/legacy/write_legacy.php?id=5288&img=&key=&chapkey=&ty=&user=882
|
|
|
|
simply by changing the userid (or post id) and using the /legacy/ URLs, even while logged in as my user,
|
|
i am able to make unauthorized changes.
|
|
|
|
to find more users, one could simply try 0..10_000 as userid values in
|
|
|
|
## free account story creation
|
|
|
|
by visiting while signed in with a free account, these allow creation of stories:
|
|
* http://soluapp.pub/record_next.php
|
|
* http://soluapp.pub/all_chapter1_alt.php
|
|
|
|
`http://soluapp.pub/legacy/write_legacy.php?id=&img=&key=&chapkey=&ty=&user=917` leaks path information:
|
|
```
|
|
<b>Fatal error</b>: Call to a member function fetch_assoc() on a non-object in <b>/home/soluapp/public_html/legacy/write_legacy.php</b> on line <b>620</b><br />
|
|
```
|
|
|
|
---
|
|
http://soluapp.pub/audio_record.php?story_title=%22%3E%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E&audio=
|