Friday, September 12, 2014

CoolPeople critical vulnerabilities fixed (affecting 100k+ users)

Finally I found some time to make a blog post :)

CoolPeople, a Czech-based sourcing company operating worldwide, recently fixed many critical flaws in their apps.

Freelancers register and work through them for customers; CoolPeople takes care of the business and payment side.

I won't list all flaws here, only the categories:
  • Arbitrary (Remote) Code Execution
  • Unrestricted File Upload
  • OS Command Injection
  • Wrong Credentials Management
  • XSS
  • CSRF
  • Missing Authorization
  • Other less important issues (HTTPS config, cookie flags, etc.)
Among other things, all invoices, bank account details, signatures, contacts, CVs and every other file uploaded into the system were freely accessible to anyone via URL manipulation.

----

Their apps run on the AstraSystems framework, and the same issues affect all of that framework's customers and their private data:
  • Customer accounts (CRM)
  • Customer apps configuration (incl. passwords) and DB dumps
  • Internal business documents
  • etc.

Some screenshots for fun:
  • (Screenshot) Plain-text password in DB
  • (Screenshot) PHP shell
  • (Screenshot) Stored XSS

-----
Timeline:
July 3, 2014 ... August 14, 2014 – Working together to fix the flaws
August 15, 2014 – The most critical flaws are fixed, the rest will come with site redesign (I hope)

Thursday, September 4, 2014

How Apache Directory Listings Can Compromise Your Server

Do you think enabled directory listings are a minor security issue, or no issue at all?

It's not.

Why?

See:

(Screenshot) DB backup with site passwords and others, exposed through a directory listing
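The screenshot above shows what a listing gives away. As an added illustration (not configuration from the original post or from any of the sites mentioned), here is the typical weak Apache directory block that produces such a listing, beside a hardened version; the document root and directory names are assumed placeholders:

```apache
# Added example, not from the original post. Paths are assumed placeholders.

# --- Weak: "Indexes" is enabled, so a request for /backup/ (a directory
# --- with no index.html/index.php) returns an auto-generated list of every
# --- file in it, including any DB dump left there.
<Directory "/var/www/example/backup">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Hardened: listings switched off for the whole document root. A request
# --- for a directory without an index file now gets 403 Forbidden instead
# --- of a file list. Note the explicit "-Indexes" rather than just omitting
# --- it, so a parent-level "Options Indexes" cannot leak in by inheritance.
<Directory "/var/www/example">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Defence in depth: with listings off, a dump is still downloadable by
# --- anyone who guesses or already knows its name. Deny direct access to
# --- common backup/dump artefacts regardless of where they are dropped.
<FilesMatch "\.(sql|bak|old|orig|tar|gz|zip)$">
    Require all denied
</FilesMatch>
```

After changing the configuration, run `apachectl configtest` and reload, then verify from outside with `curl -I https://<host>/backup/` and expect `403 Forbidden`; if the server never needs generated listings at all, disabling `mod_autoindex` entirely (on Debian/Ubuntu: `a2dismod autoindex`) removes the feature rather than relying on every directory block being correct. The `FilesMatch` rule is the part that matters most in practice: the screenshot's DB backup would remain exposed even with listings off if its filename were predictable, so backups belong outside the document root, not merely hidden from the index.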