44 lines
2.6 KiB
Markdown
44 lines
2.6 KiB
Markdown
|
---
|
||
|
date: 2022-07-04T13:12:00Z
|
||
|
draft: false
|
||
|
aliases: []
|
||
|
categories: ['apprentice']
|
||
|
series: ['hacking', 'security']
|
||
|
tags: ['apprentice', 'tech', 'bug']
|
||
|
chroma: true
|
||
|
toc: true
|
||
|
title: Sircon
|
||
|
description: Security issues I found at Sircon AS. They were all fixed quickly by the responsible persons.
|
||
|
---
|
||
|
|
||
|
These guys have a few beefy ass physical servers in their own rack in a supposedly EMP and fire safe room in the basement of their offices.
|
||
|
Those physical machines run virtual machines that run WHM/cPanel and whatever PHP app the customer would like.
|
||
|
But >90% of their customers are non-technical and just only interact with the default WordPress setup and maybe the e-mail service that comes with their cPanel.
|
||
|
Most of the people calling in to their support line has problems using their e-mail, and it's usually the end user who fucked up.
|
||
|
|
||
|
## Servers
|
||
|
Have you ever used Apache httpd? Have you ever used its .htaccess config?
|
||
|
Well it's pretty cool, but may pose a threat on shared "web hotels" like WHM servers running a whole lot of cPanel accounts.
|
||
|
If using .htaccess is allowed users may set their own configuration options for httpd.
|
||
|
|
||
|
And the issue I identified here was the fact that cgi configuration options where allowed in .htaccess.
|
||
|
So I had some fun making wired cgi scripts in python, perl and bash.
|
||
|
|
||
|
The last thing I did before disclosing it to Sircon's server guy was to make a proof of concept script that gave me a shell on the server.
|
||
|
As they don't allow ssh access and PHP is configured to not allow anything dangerous, like the system() function, that would allow you to create shells.
|
||
|
|
||
|
Example .htaccess to run cgi scripts.
|
||
|
|
||
|
{{< highlight apache >}}{{% asset "apprentice/security/htaccess" %}}{{< /highlight >}}
|
||
|
|
||
|
The fix for this is the [AllowOverride](https://httpd.apache.org/docs/current/mod/core.html#allowoverride) directive.
|
||
|
Just make sure it does not include "FileInfo".
|
||
|
|
||
|
## WordPress
|
||
|
I found a bug on their homepage [sircon.no](https://sircon.no) where they have a simple WordPress shop with a couple of cool features, like [this](https://sircon.no/sjekk-om-din-nettbutikk-nettsted-driftes-miljovennlig/) where you supposedly can check how green a web page is. As in green energy.
|
||
|
|
||
|
The bug I found was missing server side validation and a shopping cart that's stored in the browsers local storage with price specified.
|
||
|
This is a pretty minor issue however, as they don't do automatic provisioning, and it only gets added to some internal webpage they use to keep track of everything.
|
||
|
But whatever you posted as the price would show up in that tool.
|
||
|
You could even post negative prices!
|