OLG Säuliamt Anmeldung - SOLV-DB Exploit (#mvid5)

Document Title:
anmeldung.olg-saeuliamt.ch - SOLV-DB Exploit

mosi Vulnerability ID (mvid):

Discovery Status:
Patched - Public Disclosure

CVSSv2 Overall Score:

CVSSv2 Vector:


Product & Service Introduction:
The orienteering group (OLG) Säuliamt is an organizer of orienteering competitions. For timekeeping they use the system SPORTident, which requires a runner's registration. To handle this in an easy way, they created an online registration application, available through https://anmeldung.olg-saeuliamt.ch.

Simon Monai found a vulnerability in the source code of the registration form. Using the exploit it is possible to gather the runner's SOLV-ID* and (with a second step) it's mail address together with other information.

* The SOLV-ID is an unique identifier used for the runner’s database of the Swiss orienteering federation (SOLV).

Report Timeline:
2017-01-16: Vendor information
2017-01-16: Vendor acknowledge
2017-01-16: Patch release
2017-01-17: Patch approved by mosi Security Research

Affected Products:
OLG Säuliamt - 39. Säuliämtler OL preregistration form

Exploitation Technique:

Security Level:

Technical Details & Description:
Some privacy violating information is included
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] https://anmeldung.olg-saeuliamt.ch/sol-2017/entry/step1
[+] https://anmeldung.olg-saeuliamt.ch/sol-2017/entry/step2
[+] https://anmeldung.olg-saeuliamt.ch/sol-2017/entry/step3

Vulnerable Parameter(s):
[+] EntryStep1saForm[solvnumber]
[+] EntryStep3Form[email]

Proof of Concept (PoC):
By visitting the entry site (https://anmeldung.olg-saeuliamt.ch/sol-2017/entry/step1), two forms (all with POST-Requests) are loaded (simplified):

<form id="step1sa-form" action="/sol-2017/entry/step1" method="post" role="form">
<input type="hidden" name="_csrf" value="OW1Qa0EtZkUOFzk9AkdVfHEkPCgiTCcyZi8XGDdVXzx9Dxo7O0UiEw==">
<input type="text" id="entrystep1saform-solvnumber" class="form-control" name="EntryStep1saForm[solvnumber]" autofocus="">
<button type="submit" class="btn btn-primary" name="next-step-button1">Weiter zum nächsten Schritt</button>
<form id="step1sb-form" action="/sol-2017/entry/step1" method="post" role="form">
<input type="hidden" name="_csrf" value="OW1Qa0EtZkUOFzk9AkdVfHEkPCgiTCcyZi8XGDdVXzx9Dxo7O0UiEw==">
<input type="text" id="entrystep1sbform-firstname" class="form-control" name="EntryStep1sbForm[firstname]">
<input type="text" id="entrystep1sbform-familyname" class="form-control" name="EntryStep1sbForm[familyname]">
<input type="text" id="entrystep1sbform-yearofbirth" class="form-control" name="EntryStep1sbForm[yearofbirth]">
<button type="submit" class="btn btn-primary" name="next-step-button2">Weiter zum nächsten Schritt</button>

With entering the runner's information (Hanst, Muster, 1990; which all might be simply gathered from rankings) into the second form (it's id is "step1sb-form"), a second form is loaded (simplified):

<form id="step2sb-form" action="/sol-2017/entry/step2" method="post" role="form">
<input type="hidden" name="_csrf" value="dFNCTmFPZnJDKSsYIiVVSzwaLg0CLicFKxEFPRc3XwswMQgeGyciJA==">
<input type="hidden" id="entrystep1saform-solvnumber" class="form-control" name="EntryStep1saForm[solvnumber]" value="AB1CDE">
<button type="submit" class="btn btn-primary" name="next-step-button" autofocus="">Ja – Weiter zum nächsten Schritt</button>
<a class="btn btn-primary" href="/sol-2017/entry/step3">Nein – Daten im nächsten Schritt von Hand eingeben</a>

As it is visible, the generated code contains inline the SOLV-ID (value of "EntryStep1saForm[solvnumber]"). Even though the mail address and the solv-id are not displayed on the site, a user analyzing the source code can extract this information.

To go further, with the knowledge of the SOLV-ID all runner's information could be gathered on the official SOLV-DB page (http://www.o-l.ch/cgi-bin/solvdb). If the mail address is enough information, a second exploit on the registration site could be abused:

After collecting the runner's SOLV-ID, this value could be inserted into the first form on the entrace form (https://anmeldung.olg-saeuliamt.ch/sol-2017/entry/step1). On the following site (after sending the request) there is a new form, containing the mailadress (code simplified):

<div class="entry-name">Hans Muster</div>
<table class="entry-data">
<tr><td>Wohnort:</td><td>8524 Uesslingen</td></tr>
<form id="step3sa-form" action="/sol-2017/entry/step3" method="post" role="form">
<input type="hidden" name="_csrf" value="WTJxbmVkV0duSBg4Jg5kfhF7HS0GBRYwBnA2HRMcbj4dUDs.HwwTEQ==">
<input type="hidden" id="entrystep3form-yearofbirth" class="form-control" name="EntryStep3Form[yearofbirth]" value="1997">
<input type="hidden" id="entrystep3form-gender" class="form-control" name="EntryStep3Form[gender]" value="M">
<input type="hidden" id="entrystep3form-town" class="form-control" name="EntryStep3Form[town]" value="Uesslingen">
<input type="hidden" id="entrystep3form-club" class="form-control" name="EntryStep3Form[club]" value="thurgorienta">
<input type="text" id="entrystep3form-sicard" class="form-control" name="EntryStep3Form[sicard]" value="7140975">
<input type="hidden" name="EntryStep3Form[publictransport]" value="0">
<input type="checkbox" id="entrystep3form-publictransport" name="EntryStep3Form[publictransport]" value="1">Anreise mit öffentlichem Verkehr
<input type="hidden" name="EntryStep3Form[nursery]" value="0">
<input type="checkbox" id="entrystep3form-nursery" name="EntryStep3Form[nursery]" value="1">Kind für Kinderhort anmelden
E-Mail-Adresse für Anmeldebestätigung und Rückfragen
<input type="text" id="entrystep3form-email" class="form-control" name="EntryStep3Form[email]" value="Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein!" autofocus="">
<button type="submit" class="btn btn-primary" name="next-step-button">Weiter zur Auswahl der Kategorie</button>
<a class="btn btn-default btn-danger" href="/sol-2017">Anmeldung abbrechen</a>

Even if it is necessary to do two requests, the mail address is really easy to collect, not only because it is directly shown on the user's display but also because there is the linking between SOLV-ID and mail address.


Possible Solution:
It is highli recommended to use session vars on the website instead of storing the information on the client's side. Further it is supposed to ad a switch like 'use the information out of the SOLV-DB or set a custom mail address', where the mail address can be defined without showing.

Security Risk:
The vulnerability is assumed as medium with high exploitability. (CVSSv2 4.5)

Author / Credits:
mosi security research - Simon Monai (https://jongliertricks.ch/kontakt)

Public Disclosure:
2017-01-17 - https://jongliertricks.ch/mosi-security-research/38