CSP-CERT® Vulnerability Report:
Confirmed Web Vulnerabilities for Dumping Root Access and Dump in One Shot Attack

by Klammer
posted June 2017



CSP CERT® was contacted and notified so that the owner of a reported website could remediate its vulnerabilities: https://vulnerable.ph/news.php[REDACTED]. The website has two confirmed web vulnerabilities and one probable SQL injection vulnerability, all critical issues reported by a public contributor known as Klammer. We thank him for his contribution to making the Philippine cyber space secure. Here are the details as reported and confirmed:

Let's focus first on the vulnerability called Insecure Transportation Security Protocol Supported (SSLv2). SSLv2 has several flaws; for example, traffic you believe to be secure can be observed when the session was established over SSLv2. What is the impact of this vulnerability?

Attackers can perform man-in-the-middle attacks and observe the encrypted traffic between your website and its visitors. An attacker can also exploit protocol-level weaknesses such as the DROWN attack, which uses an SSLv2-enabled server to break TLS sessions that share the same RSA key. To fix this vulnerability, configure your web server to disable SSLv2 (and other legacy protocol versions) and to reject weak cipher suites.
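As an added illustration (not configuration from the report or from the affected site), the following nginx fragment shows a legacy server block that still offers SSLv2/SSLv3 and export-grade ciphers beside a hardened block that only negotiates TLS 1.2/1.3 with AEAD suites. Host names and certificate paths are placeholders.

```nginx
# WEAK (constructed example of the misconfiguration the report describes):
# legacy protocol versions and export/RC4/DES ciphers are still offered.
server {
    listen 443 ssl;
    server_name example.invalid;                         # placeholder host
    ssl_certificate     /etc/ssl/certs/example.pem;      # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;    # placeholder path

    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   ALL:EXPORT:RC4:DES;
}

# HARDENED: only TLS 1.2 and 1.3, forward-secret AEAD suites, server-chosen order.
server {
    listen 443 ssl;
    server_name example.invalid;                         # placeholder host
    ssl_certificate     /etc/ssl/certs/example.pem;      # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;    # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}
```

The Apache mod_ssl equivalent of the protocol line is `SSLProtocol all -SSLv2 -SSLv3` together with a restricted `SSLCipherSuite`. Note that nginx built against a current OpenSSL no longer contains SSLv2 at all and will reject the `SSLv2` token, so the weak block is only reachable on old builds; that is exactly why the fix should be paired with upgrading the TLS library. After reloading, confirm the change from your own host with `nmap --script ssl-enum-ciphers -p 443 <your-host>` and check that no SSLv2/SSLv3 section and no cipher graded below A appears.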

Let's move on to our next vulnerability, which is "Cross-site Scripting". So what is XSS, or cross-site scripting, vulnerability?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

This allows several different attack opportunities, most commonly hijacking the user's current session or changing the look of the page by rewriting its HTML on the fly in order to steal the user's credentials. It happens because input entered by a user is interpreted as HTML, JavaScript or VBScript by the browser.

Cross-site scripting targets the users of the application rather than the server. Although this is a limitation, it still allows attackers to hijack other users' sessions, so an attacker could target an administrator and gain full control over the application.

There are many different attacks that can be leveraged through the use of cross-site scripting including:

  • Hijacking a user's active session.
  • Mounting phishing attacks.
  • Intercepting data and performing man-in-the-middle attacks.

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the location and context in which it is emitted. XSS filtering is a feature that is enabled by default in some modern browsers. Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism, so a web application should not rely on this kind of client-side protection. The browser filter should only be disabled temporarily to test exploits and must be re-enabled whenever the browser is used for anything other than testing.
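The paragraph above recommends encoding output according to the context it lands in. The following Python example, added here and not taken from the report, shows the defect (untrusted input concatenated into the page) beside a version that encodes the same value differently for an HTML body, a quoted attribute, a URL query parameter and a JavaScript string literal. The sample input, function names and page layout are constructed for this illustration.

```python
import html
import json
from urllib.parse import quote

# Constructed sample input (not from the report): what a visitor might type into
# a comment or search field. It tries to break out of an attribute and to
# inject a script element.
SAMPLE_INPUT = '<script>alert(document.cookie)</script>" onmouseover="alert(1)'


def render_vulnerable(visitor: str) -> str:
    """The defect: untrusted input is pasted straight into the markup, so the
    browser interprets it as active HTML/JavaScript."""
    return f'<p>Hello, {visitor}!</p><a title="{visitor}">profile</a>'


def encode_for_html(value: str) -> str:
    """HTML body and quoted-attribute context: escape &, <, >, \" and '."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Inside a <script> string literal: emit a JSON string, then neutralise
    '</' so the HTML parser can never see a closing </script> inside it."""
    return json.dumps(value).replace("</", "<\\/")


def encode_for_url_param(value: str) -> str:
    """Query-string context: percent-encode everything except unreserved chars."""
    return quote(value, safe="")


def render_safe(visitor: str) -> str:
    """Same page, with each interpolation encoded for the context it lands in."""
    return (
        f"<p>Hello, {encode_for_html(visitor)}!</p>"
        f'<a href="/profile?user={encode_for_url_param(visitor)}" '
        f'title="{encode_for_html(visitor)}">profile</a>'
        f"<script>var visitor = {encode_for_js_string(visitor)};</script>"
    )


def raw_input_survived(rendered: str, original: str) -> bool:
    """Regression check for a test suite: True if the raw input reached the
    output unchanged, meaning the browser could parse it as markup."""
    return original in rendered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_INPUT))
    print("encoded:   ", render_safe(SAMPLE_INPUT))
```

The important design point is that there is no single "sanitize" function: the HTML encoder is useless inside a `<script>` block, and the JavaScript encoder does nothing for an attribute, which is why each sink in `render_safe` calls the encoder for its own context. In a real application this is what a templating engine with auto-escaping does for the HTML contexts; the JavaScript and URL contexts usually still need the explicit call.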

For the last web vulnerability, it was discovered that there is a probable SQL injection vulnerability. What is the impact of this vulnerability?

Depending on the backend database, the database connection settings and the operating system, an attacker can successfully mount one or more of the following types of attack:

  • Reading, updating and deleting arbitrary data/tables from the database.
  • Executing commands on the underlying operating system.

As a minimum, use a database access layer (DAL) so that all database access is centralized and the issue and its resolution live in one place. You can also use object-relational mapping (ORM). Most ORM systems use parameterized queries, which solves many if not all SQL injection problems.
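As an added example (not code from the report or the affected site), the following Python program uses the standard-library `sqlite3` module and an in-memory table to show the difference between a query built by string concatenation and the parameterized query inside a minimal database access layer. The table, rows, class and function names are all constructed for the illustration; the `order_by` allow-list shows how the DAL handles the one thing parameters cannot bind, an identifier.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the report): an in-memory table
    standing in for the articles behind a news page. Only published rows
    should ever be visible to visitors."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO news (title, published) VALUES (?, ?)",
        [("Public story", 1), ("Draft story", 0), ("Embargoed story", 0)],
    )
    return conn


def find_news_vulnerable(conn: sqlite3.Connection, title: str) -> list[str]:
    """The defect: the request parameter is pasted into the SQL text, so the
    database parses attacker-controlled characters as part of the query."""
    sql = "SELECT title FROM news WHERE published = 1 AND title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


# Constructed input: the quote closes the string literal and the remainder is
# parsed as SQL, turning the WHERE clause into "... AND title = 'x' OR '1'='1'".
INJECTION = "x' OR '1'='1"


class NewsDAL:
    """Minimal database access layer: all SQL for the news table lives here,
    every value travels as a bound parameter, and the one identifier that
    cannot be bound (the sort column) is checked against an allow-list."""

    SORTABLE = {"id", "title"}

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def find_by_title(self, title: str) -> list[str]:
        sql = "SELECT title FROM news WHERE published = 1 AND title = ?"
        return [row[0] for row in self.conn.execute(sql, (title,))]

    def list_published(self, order_by: str = "id") -> list[str]:
        if order_by not in self.SORTABLE:
            raise ValueError(f"unsupported sort column: {order_by!r}")
        sql = f"SELECT title FROM news WHERE published = 1 ORDER BY {order_by}"
        return [row[0] for row in self.conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    print("concatenated: ", find_news_vulnerable(conn, INJECTION))  # leaks drafts
    print("parameterized:", NewsDAL(conn).find_by_title(INJECTION))  # nothing
```

With a bound parameter the database never sees the quote as syntax: the whole string `x' OR '1'='1` is compared against `title` and matches no row, whereas the concatenated version returns every row, published or not. Putting the queries behind `NewsDAL` also gives you one place to audit, which is the point of the DAL recommendation above; an ORM gives the same centralization with the binding done for you.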