h4ck/solu/soluapp.pub.md

solu.pub vulnerabilities

intro

• persistent XSS
• HTTP passing passwords in clear
• incremental IDs for users and posts
• last_story1.php vs. last_story.php
• creating stories with free account

XSS

on http://soluapp.pub/legacy/legacy-chapter1.php, both are persistent:

• Legacy Title
• Chapter Title (is run 2x per page load)

POC input value: "><script>alert('foo')</script>

given the basic nature of this string, imagining that many of the other input fields are similarly vulnerable, and that no XSS mitigation whatsoever is being done.

HTTP passing cleatext passwords

i couldn't find any resources on this site that were served over SSL, and of particular concern is the email (login page)[http://soluapp.pub/signin2.html], which sends:

POST /php/signin.php HTTP/1.1
Host: soluapp.pub
Connection: keep-alive
Content-Length: 61
Accept: */*
Origin: http://soluapp.pub
X-Requested-With: XMLHttpRequest
User-Agent: <redacted>
Referer: http://soluapp.pub/signin2.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=<redacted>; intercom-id-l2bhyx5c=85d1329e-1353-4c01-b4fa-e48e14c6d985; _gat=1; _ga=GA1.2.1803746552.1482791071

&Email_Address=<redacted>&Password=<redacted>

incremental IDs

last_story.php

public entrance/landing page URLs:

• http://soluapp.pub/legacy-chapter.php?id=2074 -- (randomly chosen)
• http://soluapp.pub/legacy-chapter.php?id=917 -- (free)
• http://soluapp.pub/legacy-chapter.php?id=5288 -- (paid)

public story URL:

• http://soluapp.pub/story_slide.php?userid=196&ty=I%20came%20for%20the%20winter...&key=0

private/editing pages had the following URLs:

• http://soluapp.pub/legacy/last_story1.php?userid=882&id=5288&img=bg_image7.png&key=0&ty=&chapkey=0
• http://soluapp.pub/legacy/write_legacy.php?id=5288&img=&key=&chapkey=&ty=&user=882

simply by changing the userid (or post id) and using the /legacy/ URLs, even while logged in as my user, i am able to make unauthorized changes.

to find more users, one could simply try 0..10_000 as userid values in

free account story creation

by visiting while signed in with a free account, these allow creation of stories:

• http://soluapp.pub/record_next.php
• http://soluapp.pub/all_chapter1_alt.php

http://soluapp.pub/legacy/write_legacy.php?id=&img=&key=&chapkey=&ty=&user=917 leaks path information:

<b>Fatal error</b>:  Call to a member function fetch_assoc() on a non-object in <b>/home/soluapp/public_html/legacy/write_legacy.php</b> on line <b>620</b><br />

---

http://soluapp.pub/audio_record.php?story_title=%22%3E%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E&audio=