BAM Vulnerabilities

Posted on December 4, 2008 by Chris

BAM is a company that provides services to Students Unions around the country primarily dealing with union websites. My Students’ Guild signed up with them last year to provide our website, from the off I was quite opposed to the move anticipating it would turn into a complete joke which, naturally, it has. BAM uses their own proprietary in house developed content management system, from the outside it looks bloody awful and I am reliably informed that the administration side of things is worse. Last month a meeting was held to discuss the Guild website and what was wrong with it, the general consensus was — everything. Pushed on by this I decided to take a poke around and see if I could find any vulnerabilities, I didn’t have to look hard, it only took me 10 minutes to find the first. I found two more before I decided I would stop in case I scared myself senseless.

The vulnerabilities I found:

  1. Non-persistent XSS in search
  2. Persistent XSS in user “My details” (only affected the currently logged in user)
  3. Persistent XSS in news comments

There was absolutely no input filtering at all on strings, which were just blindly echoed back to the client. I sent an e-mail to BAM regarding my finds and to be quite honest I was extremely surprised I got a reply within 24 hours. I proceeded the send more details once I knew I wasn’t conversing with the receptionist in their Swansea offices. I hoped they would have some clue with what they were doing after I pointed the issues out (misplaced confidence that was). They replied telling me the issues were fixed, I went ahead to test. Indeed they had fixed the problems using strip_tags() which is not the best solution to the problem, and it can also cause other problems. It also will not deal with attackers breaking out of attributes to add their own. I advised them they should be using htmlspecialchars() to escape strings taken from user input, which they seem to have done now. Their reply to this e-mail seems to have vanished into some sort of Internet oblivion, I’ve asked them to resend it. It has now been added below.

From: Richard Moseley <rm@[removed]>
To: chris+sumarketing.co.uk@[removed]
Date: Thu, 13 Nov 2008 09:49:57 +0000

Hi Chris,

I would be interested in hearing what security vulnerabilities you
have found in the web platform, so that we can further investigate
these problems.

I look forward to hearing from you.

Many thanks

Richard Moseley
BAM
2nd Floor
No 8 Castle Square
Swansea
SA1 1DW

Tel: 0845 1300 667
Fax: 0845 1300 668

The information in this email and any attachments is confidential and
may be legally privileged. If you are not the intended recipient's),
you must not read, use, distribute or disseminate this email or the
information in it save to the intended recipient's) nor take any
action in reliance on it. If you receive this email or any attachments
in error, please notify us immediately by email or by telephoning 0845
1300 667 and then delete the same and any copies.

BAM Agency Ltd accepts no responsibility for any loss or damage
whatsoever arising in any way from receipt or use of this email or any
attachments.this email or any attachments.

>
>
> From: hello@[removed] [mailto:hello@[removed]]
> Sent: 13 November 2008 00:01
> To: rh@[removed]
> Subject: Comments From -
> Importance: High
>
>
> BAM
> 2nd Floor
> 8 Castle Square
> Swansea
> SA1 1DW
>
> Tel: 0845 1300667  Fax: 0845 1300668  Email: hello@[removed]
>
> |
>
> This message was sent via the contact form on www.sumarketing.co.uk
>
> Name: Chris Smith
>
> Company: -
>
> Telephone: -
>
> Email: chris+sumarketing.co.uk@[removed]
>
> Comments: I have found several security vulnerabilities in your
> websites do you have a point of contact so I can report them
> responsibly?
>
> How did they here about us: Other
>
> Click to visit the site
>
Date: Thu, 13 Nov 2008 20:59:46 +0000
From: Chris Smith <chris@[removed]>
To: Richard Moseley <rm@[removed]>

Richard Moseley wrote:
> I would be interested in hearing what security vulnerabilities you have
> found in the web platform, so that we can further investigate these
> problems.

I have found three XSS issues, considering the ease it took me to find
them I expect there maybe more. The prime cause seems to be sloppy
programming by not sanitising user data before it is accessed. Two of
the XSS vulnerabilities are of the more serious persistent type and the
other is non-persistent. In order of severity:

* Non-persistent XSS in search:

- - Enter the search term:
<script>alert(document.cookie);</script>
- - Click search

Result:
Users cookies are displayed in a message box.

Severity:
Minor would require social engineering to get people to enter a
malicious search term.

* Persistent XSS in user "My details":

- - Login
- - Set first name to:
<script>alert(document.cookie);</script>
- - Click update
- - Logout
- - Login

Result:
Users cookies are displayed in a message box.

Severity:
Minor requires social engineering again to accomplish and it is per user.

Notes:
This is also a problem for "last name" and probably some of the other
fields.

* Persistent XSS in news comments:

- - Find a news article you can comment on
- - Enter the comment:
<script>alert(document.cookie);</script>
- - Click post

Result:
Users cookies are displayed in a message box.

Severity:
Severe once posted the attack works against anyone viewing the site,
with some elaborate JavaScript it would be possible to trap data entry
to the username and password box capturing the input and sending it to a
remote server. Or if a user is logged in you could combine this attack
with the second issue I mentioned to silently modify the users "first
name" using an XmlHttpRequest to include another XSS which persisted on
all pages they visited on the site.

>> How did they here about us: Other

Spelling error "here" instead of "hear".
From: Richard Moseley <rm@[removed]>
To: chris+sumarketing.co.uk@[removed]
Date: Thu, 13 Nov 2008 21:20:48 +0000

Hi Chris, thanks for bringing these items to our attention, i will get
someone onto these items in the morning, and advise when they have
been resolved.

Thanks

Richard Moseley
Web Developer
BAM
2nd Floor
No 8 Castle Square
Swansea
SA1 1DW

Tel: 0845 1300 667
Fax: 0845 1300 668

The information in this email and any attachments is confidential and
may be legally privileged. If you are not the intended recipient's),
you must not read, use, distribute or disseminate this email or the
information in it save to the intended recipient's) nor take any
action in reliance on it. If you receive this email or any attachments
in error, please notify us immediately by email or by telephoning 0845
1300 667 and then delete the same and any copies.

BAM Agency Ltd accepts no responsibility for any loss or damage
whatsoever arising in any way from receipt or use of this email or any
attachments.this email or any attachments.
Date: Sat, 15 Nov 2008 14:51:40 +0000
From: Chris Smith <chris@[removed]>
To: Richard Moseley <rm@[removed]>

Richard Moseley wrote:
>
> Hi Chris, thank you for bringing these items to our attention. These
> have now been resolved.

I notice your resolution seems to be to use strip_tags() to remove tags
while this is all well and good it doesn't address everything.
Ampersands are still inserted into the HTML un-escaped, this is not
going to cause an XSS attack but it causes invalid HTML to be outputted.
More worryingly if you have any code that inserts user input into a tag
attribute, which is not an entirely unreasonable scenario, strip_tags()
will do squat all to protect you. For example if you take a string from
the user and place it into the href attribute of an anchor and use
strip_tags() to protect yourself, I could send a string like this:

" onmouseover="alert(document.cookie);" dummy="

This assumes you have some code like

<a href="/xyz/<?php echo strip_tags($_GET['var']); ?>/index.php">

This would result in the following:

<a href="/xyz/" onmouseover="alert(document.cookie);" dummy="/index.php">

The solution is to use htmlspecialchars() which ensures double quotes,
ampersands and angle brackets are escaped. Meaning its impossible to
break out of your tags or inject new ones, one thing htmlspecialchars()
doesn't do by default is escape single quotes but you shouldn't be using
them in HTML.

It is also worth noting that strip_tags() is quite zealous with its
removal of 'tags' and will remove things like '<43' which is not
unreasonable to occur in for example a statement with a mathematical
inequality.

I would suggest either just using htmlspecialchars() or using both
functions.

I must admit I am impressed by the quick turnaround on this even if the
fix is flawed.
From: Richard Moseley <rm@[removed]>
To: chris+sumarketing.co.uk@[removed]
Date: Fri, 14 Nov 2008 08:22:13 +0000

Hi Chris, thank you for bringing these items to our attention. These
have now been resolved.

Kind Regards

Richard Moseley
Web Developer
BAM
2nd Floor
No 8 Castle Square
Swansea
SA1 1DW

Tel: 0845 1300 667
Fax: 0845 1300 668

The information in this email and any attachments is confidential and
may be legally privileged. If you are not the intended recipient's),
you must not read, use, distribute or disseminate this email or the
information in it save to the intended recipient's) nor take any
action in reliance on it. If you receive this email or any attachments
in error, please notify us immediately by email or by telephoning 0845
1300 667 and then delete the same and any copies.

BAM Agency Ltd accepts no responsibility for any loss or damage
whatsoever arising in any way from receipt or use of this email or any
attachments.this email or any attachments.
From: Richard Moseley <rm@[removed]>
Date: 15 November 2008 16:42:18 GMT
To: Chris Smith <chris@[removed]>
Subject: Re: Comments From -

Hi Chris,

Thanks for the email, we are currently doing an audit on the XSS
vulnerabilities to ensure that it does not affect any of our other
code on the system, so as a quick resolution we used the
strip_tags() route as we knew that this did not effect any of the
existing coding, while investigating any potential impact of using
htmlspecialchars() on the system including the forums, and issues
caused as a consequence.

Once we have completed this assessment we will convert the system
over to using htmlspecialchars() instead.

Thanks for the update and the feedback you have provided on this
matter.

Kind Regards

Richard Moseley
BAM
2nd Floor
No 8 Castle Square
Swansea
SA1 1DW

Tel: 0845 1300 667
Fax: 0845 1300 668

The information in this email and any attachments is confidential
and may be legally privileged. If you are not the intended
recipient's), you must not read, use, distribute or disseminate this
email or the information in it save to the intended recipient's) nor
take any action in reliance on it. If you receive this email or any
attachments in error, please notify us immediately by email or by
telephoning 0845 1300 667 and then delete the same and any copies.

BAM Agency Ltd accepts no responsibility for any loss or damage
whatsoever arising in any way from receipt or use of this email or
any attachments.

About Chris

Twenty-something year old computer science graduate living in the West Midlands, working as a PHP software developer for a local company.
This entry was posted in Life, Security, University, Web and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>