LocalTapiola: CORS misconfiguration allows to steal client's "password", Authorization token and the customer details e.g. names, SSN, bank account etc.
Issue The reporter found that ext-gw.lahitapiola.fi had a faulty CORS configuration. Fix Logic and processing around CORS was improved and the issue was fixed. Reasoning The issue is real. CORS as a bug and flaw has real impact. The report was well written and had a good working PoC. This is...
LocalTapiola: User Information Disclosure via the REST API - /?_method=GET
Basic report information Summary: browser access to www.lahitapiolarahoitus.fi/wp-json is restricted for the general public, but it is still accessible, through which user information is leaked. Description: By default WordPress allows public access to the REST API to get information about all users...
LocalTapiola: User Information Disclosure via Json response
User Information Disclosure via Json response on a specific api end point POC URL: https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/users/ Reference: https://wpvulndb.com/wordpresses/462 Impact attacker can use that info for advanced attacks such as brute-force login...
LocalTapiola: Reflected XSS of bbe-child-starter Theme via "value"-GET-parameter
This bug is related to 324442. And XSS in another URL. poc: https://www.lahitapiolarahoitus.fi/wp-content/themes/bbe-child-starter/bbe-engine/assets/actions/bbeopenhtmleditorpopup.php?attribute=%27%3C/script%3E%3Cbody%20onload&value=alertdocument.cookie Impact -Make admin-user run malicious...
LocalTapiola: WordPress username enumeration (/author)
If permalinks are enabled, in many WordPress installations it is possible to enumerate all the WordPress usernames iterating through the author archives. Whenever a post is published, the username or alias is shown as the author. For example, the URL http://site.com/?author=1 will show all the...
LocalTapiola: Authorization issue on 'valtakirjat' (/e2/verkkopalvelu/)
Issue The reporter found some inconsistencies related to authorizations and access between family members. Fix The application was fixed in a monthly release. Reasoning The issue was valid and the reporter provided a lot of valuable information for us to go on including traces, screenshots and...
LocalTapiola: RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)
Summary: the "/system/images" URL accepts a Base-64 encoded string, which is in turn used to convert images from the local disk before displaying them to the user. The website fails to validate the user input, allowing arbitrary bash command injection. Description: When surfing the...
LocalTapiola: PHPMYADMIN Setup is accessible without authentication on https://lml.lahitapiola.fi/
Vulnerability Detail PhpMyAdmin setup page is accessible over the internet, in which it's possible for the user to set up the servers with the required details. Vulnerable Endpoint https://lml.lahitapiola.fi/admin/phpMyAdmin/setup/index.php Attached screenshots F246247 F246248 Impact It's possible for an...
LocalTapiola: Verbose error message reveals internal system hostnames, protocols and used ports (yrityspalvelu.tapiola.fi)
Issue The reporter found an error page that contained a reference to a server name + port in the internal network. No actual vulnerability or weakness was reported. Fix The error page was changed to a static page. Reasoning Trivial error page injection reports will not be accepted for this domain...
LocalTapiola: High server resource usage on captcha (viestinta.lahitapiola.fi)
Short summary Hi, I noticed that the following report has been fixed and closed, however the bug has reappeared in different parameters: https://hackerone.com/reports/204208 Basic report information Summary: It is possible to generate a simple request which creates a high cpu/bandwidth consumptio...
LocalTapiola: Possible sweet32 lahitapiola.fi
Hello Team. I ran nmap with the ssl-enum script to look for a new vulnerability that is known as "SWEET32". Detail about the sweet32 vuln: Cryptographic protocols like TLS, SSH, IPsec, and OpenVPN commonly use block cipher algorithms, such as AES, Triple-DES, and Blowfish, to encrypt data between client...
LocalTapiola: Reflected XSS Vulnerability in www.lahitapiola.fi/cs/Satellite
Issue The reporter found issues related to previous reports, namely 170532 aka. the gift that keeps on giving. This time the page pagename=TAArchiveWrapper and the localisation -parameter was vulnerable to XSS. Fix Additional protections were tested and put in place. Reasoning Mitigating issues a...
LocalTapiola: Single user DOS on selectedLanguage -cookie at (verkkopalvelu.tapiola.fi)
Issue The reporter was able to craft a direct URL that triggered a single user denial of service by modifying a cookie. The affected user had to manually delete the selectedLanguage -cookie to resolve the situation. Fix The issue was investigated and found to be valid. Reasoning The reported case...
LocalTapiola: XSS on 3rd party service Localtapiola is using
Basic report information Summary: Localtapiola is using the careers.fi service for job applicants at http://www.lahitapiola.fi/tietoa-lahitapiolasta/toihin-meille/avoimet-tyopaikat/haemme-juuri-nyt Description: XSS on the 3rd party careers.fi job service, which may lead to loss of personal data for the...
LocalTapiola: HTML Injection in email from http://www.lahitapiola.fi/henkilo/sivut/tonttutesti
Basic report information Summary: HTML Injection in email from http://www.lahitapiola.fi/henkilo/sivut/tonttutesti Description: Tonttutesti's kutsu kaverisi feature sends an email to a friend with a link to LocalTapiola's tonttutesti site. Fields "Nimesi" and "Kaverisi nimi" seem to be vulnerable...
LocalTapiola: /icons/README is still available on viestinta.lahitapiola.fi
Issue The reporter found a default Apache file on the server which was supposedly fixed in a previous report. Fix The directory was deemed unnecessary and removed. Reasoning The issue was very trivial, but as it was fixed, a bounty was awarded to the reporter...
LocalTapiola: show control page if you insert ' at http://viestinta.lahitapiola.fi/
Issue The reporter found that one error page that could be triggered had an outer "frame" that contained some administrative menus and a logoff-button. The menus were visible, but as the user was not logged on, they had no real functionality enabled. The logoff-button was merely misinforming. Fix The...
LocalTapiola: High server resource usage on captcha (viestinta.lahitapiola.fi)
Basic report information Summary: It is possible to generate a simple request which creates a high cpu/bandwidth consumption from the server by abusing the captcha servlet Description: By sending a specially crafted request and changing the height/width parameters in the captcha form it is possib...
LocalTapiola: Single user DOS on selectedLanguage -cookie (yrityspalvelu.lahitapiola.fi)
Hey, I have found a way in which any attacker can send a link to a user, and the user will not be able to use any of the services provided by lahitapiola. Steps to reproduce: 1: copy link...
LocalTapiola: Enumeration in unsubscribe -function of /omatalousuk (viestinta.lahitapiola.fi)
Hi, I would like to report an issue where a malicious user can unsubscribe any customer's email subscription from viestinta.lahitapiola.fi. I am not sure if this is in scope, but I took the liberty to bring it forward to you, so that you can fix the bug. Impact Subscribe or unsubscribe is always a...