entry.picoevents.ch - Competition Registration ID check fails (#mvid7)

Document Title:
===============
entry.picoevents.ch - Competition Registration ID check fails


mosi Vulnerability ID (mvid):
===============
7


Discovery Status:
=============
No Fix Necessary


CVSSv2 Overall Score:
===============
4.2


CVSSv2 Vector:
==============
(AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:C/CDP:L/TD:H/CR:L/IR:L/AR:M)
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:C/CDP:L/TD:H/CR:L/IR:L/AR:M)


Product & Service Introduction:
==============
picoEvents provides an online registration and live result service to simplify the timekeeping in orienteering combined with SPORTident.
http://picoevents.ch/


Abstract:
==============
Simon Monai & Namo Flury found a vulnerability that makes it possible to enter registration information that is not expected as registration input.


Report Timeline:
==============
2017-06-19 - Analysis of server attack requested by vendor
2017-06-19 - Vulnerability detected
2017-06-19 - Vendor informed
2017-08-14 - Vendor reminded
2017-08-15 - Vendor reply - no fix necessary
2017-08-30 - Public Disclosure


Affected Products:
=============
entry.picoevents.ch - Multisport & Orienteering Competition Registration Form


Exploitation Technique:
=============
Request Forgery


Security Level:
=============
Medium


Technical Details & Description:
=============
Request Method(s):
[+] GET

Vulnerable Module(s):
[+] http://picoevents.ch/entry/

Vulnerable File(s):
[+] /regist/anmeldung.php
[+] /regist/multisport/weiche_msp.php

Proof of Concept (PoC):
=============
By opening the entry form of the Bepathlon through the following URL, it was possible to register as an orienteering runner instead of a Bepathlon competitor:
http://www.picoevents.ch/entry/regist/anmeldung.php?recordID=95


Possible Solution:
============
Rewrite the PHP entry form so that the wrong login form cannot be loaded.
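
One way to implement such a check, as an added example that is not picoEvents code: the server looks up the type of the event behind recordID and refuses to serve a form that does not belong to it. The event table, the form names, the record IDs and the function resolveRecordForForm are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: which registration form each event record uses.
// In a real application this mapping would come from the event database.
const EVENT_FORMS = [
    1001 => 'orienteering', // hypothetical orienteering event
    1002 => 'multisport',   // hypothetical multisport event
];

/**
 * Decide whether the form script being requested may serve this record.
 * Returns the validated record ID, or null if the request must be rejected.
 */
function resolveRecordForForm(mixed $rawId, string $servingForm): ?int
{
    // Accept only a plain decimal integer: no arrays, signs or whitespace.
    if (!is_string($rawId) || !ctype_digit($rawId) || strlen($rawId) > 9) {
        return null;
    }
    $id = (int) $rawId;

    // Unknown event: reject instead of falling back to a default form.
    if (!array_key_exists($id, EVENT_FORMS)) {
        return null;
    }

    // The event's stored type must match the form that is about to render.
    return EVENT_FORMS[$id] === $servingForm ? $id : null;
}

// Hypothetical placement: first lines of the orienteering form script.
$recordId = resolveRecordForForm($_GET['recordID'] ?? null, 'orienteering');
if ($recordId === null) {
    http_response_code(404);
    exit('Unknown event or wrong registration form.');
}
// From here on, only $recordId is used, never the raw request parameter.
```

The same check has to run again in the script that stores the submitted registration, because the form page and the submit request are independent requests.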


Security Risk:
============
The security risk of this vulnerability is considered medium. (CVSSv2 4.2)


Author / Credits:
============
mosi security research - Simon Monai (http://jongliertricks.ch/kontakt)
Baumer Electric AG - Namo Flury


Public Disclosure:
============
The vendor informed mosi security research that there is already a mechanism to protect against such attacks and no fix is necessary.
2017-08-30 - https://jongliertricks.ch/mosi-security-research/41

----------------------------
https://jongliertricks.ch/mosi-security-research