picoEVENTS - Database Breach Technical Report

On June 16th, 2017, picoEVENTS was attacked and its database was breached. Afterwards, picoEVENTS hired mosi security research to analyse this event.

A detailed technical report was written and is available free of charge. While analysing the case, three vulnerabilities were found and reported to the vendor. The vulnerability documentation can be found on these pages:

All vulnerabilities have been fixed by the vendor with assistance from mosi security research.

entry.picoevents.ch - Persistent XSS Attack (#mvid8)

Document Title:
===============
entry.picoevents.ch - Persistent XSS Attack


mosi Vulnerability ID (mvid):
===============
8


Discovery Status:
=============
Vendor informed


CVSSv2 Overall Score:
===============
6.2


CVSSv2 Vector:
==============
(AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:L/TD:M/CR:H/IR:M/AR:M)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:L/TD:M/CR:H/IR:M/AR:M)


Product & Service Introduction:
==============
picoEvents provides an online registration and live result service to simplify the timekeeping in orienteering combined with SPORTident.
http://picoevents.ch/


Abstract:
==============
Namo Flury found a persistent cross-site scripting vulnerability in the registration form of a competition by changing a value in the input fields to JavaScript code.


Report Timeline:
==============
2017-06-19: Analysis of server attack requested by vendor
2017-06-19: Vulnerability detected
2017-06-19: Vendor informed
2017-08-14: Vendor reminded
2017-08-15: Vendor requested more information
2017-09-07: Vendor asked for more time (granted)
2017-09-12: Vendor provided patch
2017-09-12: Patch rejected by mosi security research (not working)
2017-09-25: Vendor asked for more time (granted)
2017-10-03: Vendor released patch
2017-10-03: Patch approved by mosi security research
2017-10-03: Public Disclosure


Affected Products:
=============
picoEvents entry form


Exploitation Technique:
=============
Persistent XSS


Security Level:
=============
Medium


entry.picoevents.ch - Competition Registration ID check fails (#mvid7)

Document Title:
===============
entry.picoevents.ch - Competition Registration ID check fails


mosi Vulnerability ID (mvid):
===============
7


Discovery Status:
=============
No Fix Necessary


CVSSv2 Overall Score:
===============
4.2


CVSSv2 Vector:
==============
(AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:C/CDP:L/TD:H/CR:L/IR:L/AR:M)
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:C/CDP:L/TD:H/CR:L/IR:L/AR:M)


Product & Service Introduction:
==============
picoEvents provides an online registration and live result service to simplify the timekeeping in orienteering combined with SPORTident.
http://picoevents.ch/


Abstract:
==============
Simon Monai & Namo Flury found a vulnerability with which it is possible to enter registration information that is not expected as registration input.


Report Timeline:
==============
2017-06-19 - Analysis of server attack requested by vendor
2017-06-19 - Vulnerability detected
2017-06-19 - Vendor informed
2017-08-14 - Vendor reminded
2017-08-15 - Vendor reply - no fix necessary
2017-08-30 - Public Disclosure


Affected Products:
=============
entry.picoevents.ch - Multisport & Orienteering Competition Registration Form


Exploitation Technique:
=============
Request Forgery


Security Level:
=============
Medium


entry.picoevents.ch - SQL-Injection Vulnerability (#mvid6)

Document Title:
===============
entry.picoevents.ch - SQL-Injection Vulnerability


mosi Vulnerability ID (mvid):
===============
6


Discovery Status:
=============
Patched - Public Disclosure


CVSSv2 Overall Score:
===============
9.6


CVSSv2 Vector:
==============
(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H)


Product & Service Introduction:
==============
picoEvents provides an online registration and live result service to simplify the timekeeping in orienteering combined with SPORTident.
http://picoevents.ch/


Abstract:
==============
Simon Monai, together with Timo Kübler and Namo Flury, found an SQL injection vulnerability in the web form. It was abused to delete the competitions stored in the database on the web server.


Report Timeline:
==============
2017-06-19: Analysis of server attack requested by vendor
2017-06-19: Vulnerability detected
2017-06-19: Vendor informed
2017-06-20: Vendor acknowledged
2017-06-20: Vendor applied workaround
2017-06-21: Patch provided by mosi security research
2017-06-21: Patch faulty
2017-06-26: New patch by mosi security research
2017-06-26: Patch approved by mosi security research
2017-06-27: Public Disclosure


Affected Products:
=============
entry.picoevents.ch - Multisport Registration Page


Exploitation Technique:
=============
SQL Injection


Security Level:
=============
Critical


OLG Säuliamt Anmeldung - SOLV-DB Exploit (#mvid5)

Document Title:
===============
anmeldung.olg-saeuliamt.ch - SOLV-DB Exploit


mosi Vulnerability ID (mvid):
===============
5


Discovery Status:
=============
Patched - Public Disclosure


CVSSv2 Overall Score:
===============
4.5


CVSSv2 Vector:
==============
(AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:N/TD:H/CR:M/IR:M/AR:H)
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:N/TD:H/CR:M/IR:M/AR:H)


Product & Service Introduction:
==============
The orienteering group (OLG) Säuliamt is an organizer of orienteering competitions. For timekeeping they use the system SPORTident, which requires a runner's registration. To handle this in an easy way, they created an online registration application, available through https://anmeldung.olg-saeuliamt.ch.


Abstract:
==============
Simon Monai found a vulnerability in the source code of the registration form. Using the exploit it is possible to gather a runner's SOLV-ID* and (in a second step) their e-mail address together with other information.

* The SOLV-ID is a unique identifier used for the runner's database of the Swiss orienteering federation (SOLV).


Report Timeline:
==============
2017-01-16: Vendor informed
2017-01-16: Vendor acknowledged
2017-01-16: Patch release
2017-01-17: Patch approved by mosi Security Research


Affected Products:
=============
OLG Säuliamt - 39. Säuliämtler OL preregistration form


Exploitation Technique:
=============
Remote


Security Level:
=============
Medium


SOLV-DB - Transparent Requests (#mvid4)

Document Title:
===============
SOLV-DB - Transparent Requests


mosi Vulnerability ID (mvid):
===============
4


Discovery Status:
=============
Fixed


CVSSv2 Overall Score:
===============
3


CVSSv2 Vector:
==============
(AV:A/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:N/TD:H/CR:M/IR:M/AR:H)
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:N/TD:H/CR:M/IR:M/AR:H)


Product & Service Introduction:
==============
The SOLV-DB is a central runner database provided by the Swiss Orienteering federation; it simplifies the organisation of orienteering competitions in Switzerland and the registration of runners for them.
Every runner has its own runner ID, which is central for the registration on events.


Abstract:
==============
Due to the lack of HTTPS, the requests to the SOLV-DB are not encrypted. Sniffing the network traffic can be used to gather and steal confidential information.


Report Timeline:
==============
2016-11-29 - Vendor informed
2016-12-13 - Vendor reminded
2016-12-13 - Vendor acknowledged
2016-12-13 - Vendor asked for more time to resolve the issue
2017-01-19 - Experimental fix available, asking for implementation suggestions
2017-02-02 - Vendor finished implementation, fix approved by mosi Security Research


Affected Products:
=============
Swiss Orienteering Runner's Database


Exploitation Technique:
=============
Network sniffing


Security Level:
=============
Low
