Full Disclosure mailing list archives
Re: eResourcePlanner Authentication Bypass/SQL Injection
From: xnite () xnite org
Date: Fri, 5 Jul 2013 11:52:10 +0000
You are absolutely correct, I did leave out the fact that it is quite obvious passwords are not hashed in the database, otherwise the lcase would be useless, and they might instead be using the md5 or sha1 function instead. So that is once again another minor security issue which is included in this nasty group of bugs. It's honestly hard to believe that companies would use this vendor at all considering that there are so many other great options out there *cough*google apps provides erp*cough*. I do appreciate you raising that concern Adam. Yet another flaw is that the pages *should* include a noindex/nofollow tag to be sure that these pages are NOT indexed. These pages should remain known to only those who *need* to know about them (ie- the people who work at these companies). --- R. Whitney - Independent IT ConsultantPhone: (347)674-4835 Postal: PO Box 5984, Bloomington, IL 61702-5984 Other: My Blog (http://xnite.org) / LinkedIn (http://www.linkedin.com/in/whitneyr) / Twitter (http://twitter.com/xnite) ---- Original Message ---- From: adam To: xnite () xnite org Cc: full-disclosure () lists grok org uk Sent: Fri, Jul 5, 2013, 3:05 AM Subject: Re: [Full-disclosure] eResourcePlanner Authentication Bypass/SQL Injection Just as a note, you can also use their normal domain instead of rp4me.com (http://rp4me.com). i.e. jetblue.eresourceplanner.com (http://jetblue.eresourceplanner.com) works in addition to jetblue.rp4me.com (http://jetblue.rp4me.com). Do you know if the passwords are hashed/salted in the database? Or are they all plaintext? This looks like it could become huge overnight. Especially since hsn.eresourceplanner.com (http://hsn.eresourceplanner.com) was one of the first subdomains I saw (it has to be home shopping network, right?). cough cough http://www.google.com/#q=%22If+you+experience+any+issues+accessing+your+eResourcePlanner+Tools%22+%5Bsite:rp4me.com%7Csite:eresourceplanner.com%5D&filter=0&num=100 (http://www.google.com/#q=%22If+you+experience+any+issues+accessing+your+eResourcePlanner+Tools%22+%5Bsite:rp4me.com%7Csite:eresourceplanner.com%5D&filter=0&num=100) Also, it appears to be every page (FirstTimeLogin.asp, Forgot.asp, PasswordRetrieval.asp) and not just the main login.asp file. You're right though, hopefully this gets their attention. On Fri, Jul 5, 2013 at 1:26 AM, wrote: I have been trying to contact the ERP company for the past year with a bug which could affect dozens of companies including cell phone providers, call centers, and more. eResourcePlanner provides resource planning software to companies, which are hosted on their own subdomain "rp4me.com (http://rp4me.com)". The SQL injection was stumbled upon during a legitimate login attempt in which I received an SQL error by accidentally typing an ' into my password. With minimal research it was not difficult to find that the username table on the MySQL database was "userid". Any client could simply put the following string (replacing username with their actual username or a portion of a username) into the username portion of the login field, and be logged in from that point as any user they would like. The string is on it's own line as follows: a' OR userid like '%username%' OR 'a Given that the username, or first match of the string given in the like statement matches an active account, you will be logged in now as that user. Other more minor security issues that I would like to point out are seen within an actual SQL error which looks like the following: [MySQL][ODBC 5.1 Driver][mysqld-5.5.9-log]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' AND lcase(Password) = ''' at line 1 Things that need to pointed out here are listed below: * A production machine should never be displaying the contents of an SQL error, this is a primary way an attacker may discover a vulnerability. * lcase(Password) shows us that no matter what password is given, it is converted to lower-case lettering anyway, disallowing what might be considered a "strong password". This makes brute-forcing passwords much easier. * The error string displays the version of the MySQL Server Daemon, which could be used to find other potential vulnerabilities to compromise the daemon. * MySQL Server Daemon is out of date, 5.5.9 was released February of 2011. FOR THE RECORD: I have not used this vulnerability with any malicious intent, and everything I touched was perfectly legal/ethical. I used this to login to only my account, and those of which I had permission to do so. I have tried to go the safe route for over a year and disclose this privately with the company providing the software (eresourceplanner.com (http://eresourceplanner.com)) with no response back, and I have decided at this point that it's better to make it public and hope that it will be fixed, than to keep it private while those with malicious intent may already be a ghost in the system. --- R. Whitney - Independent IT Consultant Phone: (347)674-4835 (tel:%28347%29674-4835) Postal: PO Box 5984, Bloomington, IL 61702-5984 Other: My Blog (http://xnite.org) / LinkedIn (http://www.linkedin.com/in/whitneyr) / Twitter (http://twitter.com/xnite) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html (http://lists.grok.org.uk/full-disclosure-charter.html) Hosted and sponsored by Secunia - http://secunia.com/ (http://secunia.com/)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- eResourcePlanner Authentication Bypass/SQL Injection xnite (Jul 05)
- Re: eResourcePlanner Authentication Bypass/SQL Injection adam (Jul 05)
- <Possible follow-ups>
- Re: eResourcePlanner Authentication Bypass/SQL Injection xnite (Jul 05)
- Re: eResourcePlanner Authentication Bypass/SQL Injection adam (Jul 05)