Full Disclosure mailing list archives
Comment Service
From: Matthew Flaschen <matthew.flaschen () gatech edu>
Date: Mon, 23 Oct 2006 17:13:10 -0400
I don't know whether anyone here uses this software, but I wanted to report this somewhere. The software in question is a subscription web service called Comment, run by Bedford St. Martins (a publisher). The main site is at http://comment.bedfordstmartins.com/ . The only version I have used or tested is http://comment.bedfordstmartins.com/CommentSMHandbook5e/ , but I suspect that the vulnerabilities extend across all the other versions. The site is designed to allow instructors to create private virtual classes, to which students can upload documents. The defining feature (obviously) is that the site allows students and professors to comment on (annotate) each other's papers. There are no problems with this functionality. However, the site design is fundamentally flawed from a security point of view.

The first problem is that, through manipulation of the URL, it is possible to view arbitrary documents, regardless of whether you are in the uploader's class. The original document URLs are of the form:

http://comment.bedfordstmartins.com/CommentSMHandbook5e/pages/docView.asp?doc=999&a=998&DCID=997

Each parameter (doc, a, DCID) would be a different natural number. I believe doc refers to the assignment the document is intended for, a to the author, and DCID to the actual document id. These are used in links from the main document listing. Substituting an arbitrary DCID allows you to view that document, unconditionally. This is already a critical flaw, as the site is meant to be segregated into private classes; this breaches the divide by allowing the viewing of arbitrary documents from other classes.

The other parameter of interest is "a". This refers to the author (or uploader) of the document. When an author views their own document, they can see all comments (and it says "your document" in the print view), even if they are private. However, the only criterion for document ownership here is the "a" parameter. So, for best results when viewing others' documents, use your own "a" parameter. Now, all comments on all documents are available. This also means the emails of the uploader and all commenters are available; they are in plain text in the source, despite the fact that the web site sends the emails using a server-side script. Thus, we have full read access to the site.

The question now becomes to what extent write access is possible. It turns out this is also unlimited. Comments can be added on most documents the normal way (clicking on a word or paragraph mark). However, for the instructor documents, commenting by students is prohibited. In these cases, open the actual document frame (bottom left) separately. Then, simply type

javascript:addWinOpen(5, "word")

into the address bar. 5 is the natural number corresponding to the word you wish to comment on (in order). "word" can be replaced by "para" to comment on paragraphs instead. This will open a window for editing, as the system would for ordinary comments.

Editing an arbitrary comment is a bit trickier. There is a function editWinOpen(5, "word") (same parameter forms). However, it only works for your own comments; I do not think this is deliberate security. Rather, they just assume you are editing your own comment, can't find one, so start a new one (if you attempt to save this, it will give an error). So, create a new comment (using the method above if the document is locked). Then, edit this one. An edit link will be available unless the comment was created on a locked page (in this case use editWinOpen, which will work for your own comments). Once you have your own comment open for editing, open Firefox's DOM inspector (or similar). Search for name=cmtID . This is the only data the script uses to determine which comment to operate on. Luckily, there is an easy way to get the cmtID for an arbitrary comment. It's in the email link next to each comment. They are of the form:

javascript:popwin(pageURL('emailCmt')+'?cmtID=999',620,435);

Simply copy that cmtID out and paste it into DOM inspector. Then, copy the original comment text from the page, make the desired modifications, then click save comment. The same goes for deletion. Thus, there is arbitrary read-write for comments.

What can be done with others' documents? It turns out it is possible to do everything you can do with your own uploaded documents. The reason is simple. In the main document listing, there are checkboxes next to your documents, and a menu with choices of actions. However, the checkboxes use the same DCIDs noted earlier. The values are of the form:

DCID|FILENAME|doc

Again, only DCID matters. It can be changed to any arbitrary DCID; the other text (after the | ) is ignored. Then, the menu actions (Copy, show/hide, delete) all apply to the document corresponding to the DCID. Thus, it is possible to hide and/or delete an arbitrary document. There is thus unlimited read/write access to the whole supposedly private site.

Note: The original problem (arbitrary read access) was disclosed 1 week ago to their tech support by email. They have replied with nothing but an autoresponse. I made a follow-up call and was told they would deal only with an instructor (even though I have documents and comments uploaded, and paid for access). Thus, I am fully disclosing here.

Matthew Flaschen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
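Added example, not code from the post or from the Comment service (which is ASP; Python is used here only because it is convenient to run): a toy in-memory model of the three access paths the report describes, a document view keyed by DCID with an "a" parameter, a comment edit keyed by cmtID, and a bulk action whose checkbox values look like DCID|FILENAME|doc. view_document_trusting() reproduces the client-trusting logic the report describes (no class check on DCID, ownership taken from the URL); the other functions take identity from the server-side session and compare it with the stored record before acting. All users, classes, DCIDs and cmtIDs are constructed for the example.

```python
"""Toy server-side authorization model for the access paths in the post.
Constructed data and hypothetical names; this is not the site's code."""
from dataclasses import dataclass

@dataclass
class Document:
    dcid: int
    author: str                    # uploader's user id
    class_id: str                  # private class the document belongs to
    instructor_doc: bool = False   # students may not comment on these
    hidden: bool = False

@dataclass
class Comment:
    cmt_id: int
    dcid: int
    author: str
    text: str
    private: bool = False          # visible only to the document's author

class Forbidden(Exception):
    """Same error for missing and unauthorized ids, so probing reveals nothing."""

# Constructed sample data: two private classes, three students, one instructor.
MEMBERSHIP = {"eng101": {"alice", "bob", "prof"}, "eng202": {"carol", "prof"}}
DOCS = {
    1: Document(1, "alice", "eng101"),
    2: Document(2, "carol", "eng202"),
    3: Document(3, "prof", "eng101", instructor_doc=True),
}
COMMENTS = {
    10: Comment(10, 1, "prof", "good intro", private=True),
    11: Comment(11, 2, "carol", "self note"),
}

def _comments_on(dcid, is_owner):
    return [c for c in COMMENTS.values()
            if c.dcid == dcid and (is_owner or not c.private)]

def view_document_trusting(session_user, dcid, a):
    """The pattern the post describes: no class check on DCID, and 'ownership'
    decided by the URL's a parameter, which a viewer can set to their own id."""
    return DOCS[dcid], _comments_on(dcid, a == session_user)

def _member_doc(session_user, dcid):
    """Return the document only if the session user is in its class."""
    doc = DOCS.get(dcid)
    if doc is None or session_user not in MEMBERSHIP.get(doc.class_id, ()):
        raise Forbidden
    return doc

def view_document(session_user, dcid):
    """Hardened: membership from the roster, ownership from the stored record;
    the a parameter is never consulted."""
    doc = _member_doc(session_user, dcid)
    return doc, _comments_on(dcid, doc.author == session_user)

def add_comment(session_user, dcid, text):
    """The lock on instructor documents is enforced here, not by hiding a link
    (addWinOpen stayed reachable from the address bar)."""
    doc = _member_doc(session_user, dcid)
    if doc.instructor_doc and session_user != doc.author:
        raise Forbidden
    cmt = Comment(max(COMMENTS) + 1, dcid, session_user, text)
    COMMENTS[cmt.cmt_id] = cmt
    return cmt

def edit_comment(session_user, cmt_id, new_text):
    """cmtID arrives from the form; the author check uses the stored record."""
    cmt = COMMENTS.get(cmt_id)
    if cmt is None or cmt.author != session_user:
        raise Forbidden
    cmt.text = new_text
    return cmt

def bulk_action(session_user, checkbox_values, action):
    """Parse 'DCID|FILENAME|doc', authorize every DCID against the session,
    then apply 'hide' or 'delete' to all of them (all or nothing)."""
    targets = []
    for value in checkbox_values:
        dcid_field = value.split("|", 1)[0]          # only the DCID matters
        doc = DOCS.get(int(dcid_field)) if dcid_field.isdigit() else None
        if doc is None or doc.author != session_user:
            raise Forbidden
        targets.append(doc)
    for doc in targets:
        if action == "hide":
            doc.hidden = True
        else:
            del DOCS[doc.dcid]
    return [doc.dcid for doc in targets]

def is_denied(fn, *args):
    """True when the call is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

Three design points carry the weight here: the identity used for every decision comes from the server-side session, never from a URL or form field the client controls; a missing object and an unauthorized one produce the same Forbidden, so walking the DCID or cmtID space does not reveal which ids exist; and the bulk action authorizes every parsed DCID before touching any of them, so one foreign id in the list fails the whole request rather than half-applying it.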