Page MenuHomeVulnz
Create Task
Maniphest T17

It is possible to buy tickets for the Alhambra for 0,01 €
FixedPublic
Actions

Description

Summary

There are several hidden input fields in the page where tickets for the Alhambra can be purchased which, when manipulated in a specific way, can change the price that the system thinks a ticket is worth, thus allowing to lower its price.

Reproduction steps

  1. Open Chrome.
  2. Access https://compratickets.alhambra-patronato.es/reservarEntradas.aspx/?opc=2&gid=2&lg=es&ca=1.
  3. Open the Developer Tools and go to the Elements tab.
  4. While having the focus in the Developer Tools, press +f (or +f in macOS) and enter input[name$="$ctl00$hdComision"] in the search bar. This will highlight the following element:
<input type="hidden" name="ctl00$ContentMaster1$ucReservarEntradasAlhambra1$rptGruposEntradas$ctl00$rptEntradas$ctl00$hdComision" id="ctl00_ContentMaster1_ucReservarEntradasAlhambra1_rptGruposEntradas_ctl00_rptEntradas_ctl00_hdComision" value="0,85">
  1. Change the value from 0,85 to 0.
  2. Now do the same with each one of the 4 input fields which are next to the one we changed before, changing its values to the following:
    • Input with name [...]ctl00$hdIVAComision: 0
    • Input with name [...]ctl00$hdPrecioSinIVA: 0,01
    • Input with name [...]ctl00$hdPrecioConIVA: 0,01
    • Input with name [...]ctl00$hdPrecioConComision: 0,01

This will leave all the hidden input elements like this:

<input type="hidden" name="ctl00$ContentMaster1$ucReservarEntradasAlhambra1$rptGruposEntradas$ctl00$rptEntradas$ctl00$hdComision" id="ctl00_ContentMaster1_ucReservarEntradasAlhambra1_rptGruposEntradas_ctl00_rptEntradas_ctl00_hdComision" value="0">
<input type="hidden" name="ctl00$ContentMaster1$ucReservarEntradasAlhambra1$rptGruposEntradas$ctl00$rptEntradas$ctl00$hdIVAComision" id="ctl00_ContentMaster1_ucReservarEntradasAlhambra1_rptGruposEntradas_ctl00_rptEntradas_ctl00_hdIVAComision" value="0">
<input type="hidden" name="ctl00$ContentMaster1$ucReservarEntradasAlhambra1$rptGruposEntradas$ctl00$rptEntradas$ctl00$hdPrecioSinIVA" id="ctl00_ContentMaster1_ucReservarEntradasAlhambra1_rptGruposEntradas_ctl00_rptEntradas_ctl00_hdPrecioSinIVA" value="0,01">
<input type="hidden" name="ctl00$ContentMaster1$ucReservarEntradasAlhambra1$rptGruposEntradas$ctl00$rptEntradas$ctl00$hdPrecioConIVA" id="ctl00_ContentMaster1_ucReservarEntradasAlhambra1_rptGruposEntradas_ctl00_rptEntradas_ctl00_hdPrecioConIVA" value="0,01">
<input type="hidden" name="ctl00$ContentMaster1$ucReservarEntradasAlhambra1$rptGruposEntradas$ctl00$rptEntradas$ctl00$hdPrecioConComision" id="ctl00_ContentMaster1_ucReservarEntradasAlhambra1_rptGruposEntradas_ctl00_rptEntradas_ctl00_hdPrecioConComision" value="0,01">
  1. Now click the + button next to Entrada Alhambra General in order to add one ticket.
  2. You'll immediately see that the final price is now 0,01 € instead of the 14,85 € that costs the ticket.

Screenshot 2019-08-19 at 16.08.15.png (1×1 px, 212 KB)

  1. Click the Paso 2 button and follow the remaining steps in order to purchase the ticket (select an available day to visit the Alhambra, a valid hour for the palacios nazaríes, enter your personal details, and finally click the Finalizar compra button).
  2. After doing this, you'll be redirected to https://sis.redsys.es/sis/realizarPago in order to enter the credit card details and pay 0,01 €.

Screenshot 2019-08-19 at 16.15.23.png (1×1 px, 216 KB)

  1. After entering the credit card details, a 0,01 € transaction is made and the ticket is sent to the email entered in the form.

Attack vector

This vulnerability can be used obviously to get tickets for the Alhambra for 0,01 €.

Suggested resolution

It seems like the system saves the ticket price in the HTML structure of the site, and when a ticket is added, this value is sent back to the server and is used to compute the total price. In order to fix this vulnerability issue, the server-side code should be rewritten in order to not trust the ticket price saved in the HTML code, but get it directly from the database where the prices are set (or wherever it is saved), but never trusting user input.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Details

Vendor
Hiberus-IACPOS
Product
Venta oficial de entradas de La Alhambra y el Generalife
Reported
Aug 19 2019, 2:28 PM
Deadline
154

Event Timeline

avm99963 triaged this task as Priority-1 priority.Aug 19 2019, 5:18 PM
avm99963 created this task.
Douglasbot changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Nov 19 2019, 6:13 AM

The deadline has been exceeded -- automatically publishing vulnerability report.

avm99963 changed the visibility from "Public (No Login Required)" to "avm99963 (Adrià Vilanova Martínez)".Nov 19 2019, 7:25 AM
avm99963 changed the visibility from "avm99963 (Adrià Vilanova Martínez)" to "Restricted Project (Project)".Nov 19 2019, 9:07 AM
Douglasbot changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Nov 20 2019, 6:13 AM

The deadline has been exceeded -- automatically publishing vulnerability report.

avm99963 changed the visibility from "Public (No Login Required)" to "Restricted Project (Project)".Nov 20 2019, 9:38 AM
avm99963 removed Deadline.
avm99963 closed this task as Fixed.Nov 27 2019, 10:57 PM

Since I reported the vulnerability in August, I only contacted them once again on Sep 2 to confirm whether they received the vulnerability details or not. They didn't reply and so I didn't know whether they actually received it.

I thought of sending them another email to make sure that they received the vulnerability details, but the university course started, and as this is the busiest semester I've had in my university life, I completely forgot to contact them again until now that the disclosure deadline elapsed. I'll comment this with more detail in the bottom section of this comment.

That being said, I have tried to reproduce the vulnerability right now via the reproduction steps outlined in this report, and step 10 fails, because instead of redirecting to the credit card details screen, the web shows an error stating that something went wrong. Because of this, I've sent an email to IACPOS in order for them to confirm to me whether they solved the vulnerability or not.

Unfortunately I didn't realize that the disclosure deadline was about to elapse, and so the day that it was exceeded this report was published automatically by Douglasbot. Some time after I woke up I realized that, and I quickly changed its visibility back to restricted because I hadn't still contacted the vendor to confirm that the vulnerability was fixed. The following day, the vulnerability was automatically published again because I forgot to change the deadline, and so I had to reverse that too.

This was all my complete fault and it is unacceptable, so I would like to apologize. In order to prevent this from happening again in the future, I will make Douglasbot send me email notifications several days ahead of the vulnerability disclosure deadline, so I'm fully aware that the report will be automatically published and I'm given the opportunity to stop it in cases like this, in which I didn't proactively contact the vendor several times to ensure that the vulnerability got fixed.

avm99963 added a comment.Jan 13 2020, 1:19 PM

I haven't received any response, so I just sent them an email saying that I'll set this report to be autopublished in a week (which means setting the deadline field to 154 days), given that I verified that the issue was fixed.

avm99963 set Deadline to 154.Jan 13 2020, 1:19 PM
Douglasbot changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Jan 22 2020, 6:13 AM

The deadline has been exceeded -- automatically publishing vulnerability report.