Document Title:
===============
solvDB - Leaking SOLV-ID
mosi Vulnerability ID (mvid):
===============
9
Discovery Status:
=============
Patched - Public Disclosure
CVSSv2 Overall Score:
===============
6.2
CVSSv2 Vector:
==============
(AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C/CDP:L/TD:H/CR:M/IR:M/AR:M)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C/CDP:L/TD:H/CR:M/IR:M/AR:M)
Product & Service Introduction:
==============
The solvDB is a central runner database used for simplifying the organisation and registration of runners for orienteering competitions in Switzerland and is provided by the Swiss Orienteering federation.
Every runner has it's own runner ID, which is central for the registration on events.
Abstract:
==============
Simon Monai found a way to extract the SOLV-ID* from every runner in the solvDB (runner's database of the Swiss orienteering federation ->) using the "get-my-id" form on the website. Knowing the ID allows the attacker to collect personal information about the person.
* The SOLV-ID is the unique identifier of the runner’s database and used for login and identification on other services.
Report Timeline:
==============
2018-04-05: Vulnerability detected
2018-04-05: Vendor informed
2018-04-26: Vendor released patch
2018-04-28: Patch approved by mosi security research
2018-04-28: Public disclosure
Affected Products:
=============
Swiss Orienteering Runner's Database - Online Form
Exploitation Technique:
=============
HTTP Form Manipulation together with a mail analyzer. (Remote)
Security Level:
=============
Medium
Weiterlesen: solvDB - Leaking SOLV-ID (#mvid9)
On June 16th, 2017, picoEVENTS was attacked and the Database hacked. Afterwards, picoEVENTS hired mosi security research to analyse this event.
A detailed technical report was written, available for free. While analysing the case, three vulnerabilities were found and reportet to the vendor. The vulnerability documentations can be found on these pages:
All vulnerabilities have been fixed by the vendor with assistance by mosi security research.
Document Title:
===============
entry.picoevents.ch - Persistent XSS Attack
mosi Vulnerability ID (mvid):
===============
8
Discovery Status:
=============
Vendor informed
CVSSv2 Overall Score:
===============
6.2
CVSSv2 Vector:
==============
(AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:L/TD:M/CR:H/IR:M/AR:M)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:L/TD:M/CR:H/IR:M/AR:M)
Product & Service Introduction:
==============
picoEvents provides an online registration and live result service to simplify the timekeeping in orienteering combined with SPORTident.
http://picoevents.ch/
Abstract:
==============
Namo Flury found a persistent cross site scripting vulnerability in the registration form of a competition by changing a value in the input fields to javascript code.
Report Timeline:
==============
2017-06-19: Analysis of server attack requested by vendor
2017-06-19: Vulnerability detected
2017-06-19: Vendor informed
2017-08-14: Vendor reminded
2017-08-15: Vendor requested more information
2017-09-07: Vendor asked for more time (granted)
2017-09-12: Vendor provided patch
2017-09-12: Patch rejected by mosi security research (not working)
2017-09-25: Vendor asked for more time (granted)
2017-10-03: Vendor released patch
2017-10-03: Patch approved by mosi security research
2017-10-03: Public Disclosure
Affected Products:
=============
picoEvents entry form
Exploitation Technique:
=============
Persistent XSS
Security Level:
=============
Medium
Weiterlesen: entry.picoevents.ch - Persistent XSS Attack (#mvid8)
Document Title:
===============
entry.picoevents.ch - Competition Registration ID check fails
mosi Vulnerability ID (mvid):
===============
7
Discovery Status:
=============
No Fix Necessary
CVSSv2 Overall Score:
===============
4.2
CVSSv2 Vector:
==============
(AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:C/CDP:L/TD:H/CR:L/IR:L/AR:M)
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:C/CDP:L/TD:H/CR:L/IR:L/AR:M)
Product & Service Introduction:
==============
picoEvents provides an online registration and live result service to simplify the timekeeping in orienteering combined with SPORTident.
http://picoevents.ch/
Abstract:
==============
Simon Monai & Namo Flury found a vulnerability, whith whom it's possible enter registration information that is not expected as registration input.
Report Timeline:
==============
2017-06-19 - Analysis of server attack requested by vendor
2017-06-19 - Vulnerability detected
2017-06-19 - Vendor informed
2017-08-14 - Vendor reminded
2017-08-15 - Vendor reply - no fix necessary
2017-08-30 - Public Disclosure
Affected Products:
=============
entry.picoevents.ch - Multisport & Orienteering Competition Registration Form
Exploitation Technique:
=============
Request Forgery
Security Level:
=============
Medium
Weiterlesen: entry.picoevents.ch - Competition Registration ID check fails (#mvid7)
Document Title:
===============
entry.picoevents.ch - SQL-Injection Vulnerability
mosi Vulnerability ID (mvid):
===============
6
Discovery Status:
=============
Patched - Public Disclosure
CVSSv2 Overall Score:
===============
9.6
CVSSv2 Vector:
==============
(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H)
Product & Service Introduction:
==============
picoEvents provides an online registration and live result service to simplify the timekeeping in orienteering combined with SPORTident.
http://picoevents.ch/
Abstract:
==============
Simon Monai found together with Timo Kübler and Namo Flury a SQL-injection vulnerability in the web form. It was abused to delete the competitions stored in the database on the webserver.
Report Timeline:
==============
2017-06-19: Analysis of server attack requested by vendor
2017-06-19: Vulnerability detected
2017-06-19: Vendor informed
2017-06-20: Vendor acknowledge
2017-06-20: Vendor applied workaround
2017-06-21: Patch provided by mosi security research
2017-06-21: Patch faulty
2017-06-26: New patch by mosi security research
2017-06-26: Patch approved by mosi security research
2017-06-27: Public Disclosure
Affected Products:
=============
entry.picoevents.ch - Multisport Registration Page
Exploitation Technique:
=============
SQL Injection
Security Level:
=============
Critical
Weiterlesen: entry.picoevents.ch - SQL-Injection Vulnerability (#mvid6)
Document Title:
===============
anmeldung.olg-saeuliamt.ch - SOLV-DB Exploit
mosi Vulnerability ID (mvid):
===============
5
Discovery Status:
=============
Patched - Public Disclosure
CVSSv2 Overall Score:
===============
4.5
CVSSv2 Vector:
==============
(AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:N/TD:H/CR:M/IR:M/AR:H)
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:N/TD:H/CR:M/IR:M/AR:H)
Product & Service Introduction:
==============
The orienteering group (OLG) Säuliamt is an organizer of orienteering competitions. For timekeeping they use the system SPORTident, which requires a runner's registration. To handle this in an easy way, they created an online registration application, available through https://anmeldung.olg-saeuliamt.ch.
Abstract:
==============
Simon Monai found a vulnerability in the source code of the registration form. Using the exploit it is possible to gather the runner's SOLV-ID* and (with a second step) it's mail address together with other information.
* The SOLV-ID is an unique identifier used for the runner’s database of the Swiss orienteering federation (SOLV).
Report Timeline:
==============
2017-01-16: Vendor information
2017-01-16: Vendor acknowledge
2017-01-16: Patch release
2017-01-17: Patch approved by mosi Security Research
Affected Products:
=============
OLG Säuliamt - 39. Säuliämtler OL preregistration form
Exploitation Technique:
=============
Remote
Security Level:
=============
Medium
Weiterlesen: OLG Säuliamt Anmeldung - SOLV-DB Exploit (#mvid5)
