siv/github.io
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Back in business writing apprentice docs!~

Browse Source
This commit is contained in:
Sivert V. Sæther
2022-08-08 08:47:33 +00:00
parent 4039da1a63
commit 798debc3e3
15 changed files with 230 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
content/blog/apprentice/security/sircon.en.md Normal file
View File

@@ -0,0 +1,43 @@
---
date: 2022-07-04T13:12:00Z
draft: false
aliases: []
categories: ['apprentice']
series: ['hacking', 'security']
tags: ['apprentice', 'tech', 'bug']
chroma: true
toc: true
title: Sircon
description: Security issues I found at Sircon AS. They were all fixed quickly by the responsible persons.
---
These guys have a few beefy ass physical servers in their own rack in a supposedly EMP and fire safe room in the basement of their offices.
Those physical machines run virtual machines that run WHM/cPanel and whatever PHP app the customer would like.
But >90% of their customers are non-technical and just only interact with the default WordPress setup and maybe the e-mail service that comes with their cPanel.
Most of the people calling in to their support line has problems using their e-mail, and it's usually the end user who fucked up.
## Servers
Have you ever used Apache httpd? Have you ever used its .htaccess config?
Well it's pretty cool, but may pose a threat on shared "web hotels" like WHM servers running a whole lot of cPanel accounts.
If using .htaccess is allowed users may set their own configuration options for httpd.
And the issue I identified here was the fact that cgi configuration options where allowed in .htaccess.
So I had some fun making wired cgi scripts in python, perl and bash.
The last thing I did before disclosing it to Sircon's server guy was to make a proof of concept script that gave me a shell on the server.
As they don't allow ssh access and PHP is configured to not allow anything dangerous, like the system() function, that would allow you to create shells.
Example .htaccess to run cgi scripts.
{{< highlight apache >}}{{% asset "apprentice/security/htaccess" %}}{{< /highlight >}}
The fix for this is the [AllowOverride](https://httpd.apache.org/docs/current/mod/core.html#allowoverride) directive.
Just make sure it does not include "FileInfo".
## WordPress
I found a bug on their homepage [sircon.no](https://sircon.no) where they have a simple WordPress shop with a couple of cool features, like [this](https://sircon.no/sjekk-om-din-nettbutikk-nettsted-driftes-miljovennlig/) where you supposedly can check how green a web page is. As in green energy.
The bug I found was missing server side validation and a shopping cart that's stored in the browsers local storage with price specified.
This is a pretty minor issue however, as they don't do automatic provisioning, and it only gets added to some internal webpage they use to keep track of everything.
But whatever you posted as the price would show up in that tool.
You could even post negative prices!