SOLV-DB - Transparent Requests (#mvid4)
mosi Vulnerability ID (mvid):
CVSSv2 Overall Score:
Product & Service Introduction:
The SOLV-DB is a central runner database used for simplifying the organisation and registration of runners for orienteering competitions in Switzerland and is provided by the Swiss Orienteering federation.
Every runner has their own runner ID, which is central to registration for events.
Because HTTPS is not available, requests to the SOLV-DB are not encrypted. Sniffing the network traffic can be used to gather and steal confidential information.
2016-11-29 - Vendor informed
2016-12-13 - Vendor reminder
2016-12-13 - Vendor acknowledgement
2016-12-13 - Vendor needs more time for solving
2017-01-19 - Experimental fix available, asking for implementation suggestions
2017-02-02 - Vendor finished implementation, fix approved by mosi Security Research
Swiss Orienteering Runner's Database
Technical Details & Description:
Request method(s):
[+] GET (Possible, not used)
Proof of Concept (PoC):
By sniffing the network traffic (for example with a man-in-the-middle attack) and decompressing the gzip-compressed response, the complete user form could be gathered. This includes the runner's ID, mail address, mobile number and further confidential data.
Enable HTTPS on the web server to prevent sniffing and man-in-the-middle attacks. Additionally, disable the possibility of sending GET requests, so that URL sniffing also becomes useless.
By enabling HTTPS and the HTTP/2 standard on your server, you could also get the positive side effect of more speed.
The vulnerability is rated as low (CVSSv2 3.0).
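The following is an added example, not part of the original advisory or the vendor's fix: a small Python check that audits recorded server responses against the two recommendations above (HTTPS enforced, GET rejected). It goes one step beyond the advisory by also checking for an HSTS header, since a redirect alone still leaves the first plain-HTTP request exposed. The `audit` function, the response dictionaries and the host `db.example` are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 307, 308}

def _lower(headers):
    return {k.lower(): v.strip() for k, v in headers.items()}

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, else 0."""
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return 0

def audit(http_resp, https_get_resp):
    """Check recorded responses against the advisory's recommendations.

    http_resp:      answer to a request for the form over plain http://
    https_get_resp: answer to a GET carrying form fields over https://,
                    or None if the server does not offer HTTPS at all.
    Each response is {"status": int, "headers": dict}. Returns findings.
    """
    findings = []
    h = _lower(http_resp["headers"])
    to_https = (http_resp["status"] in REDIRECTS
                and urlsplit(h.get("location", "")).scheme == "https")
    if not to_https:
        findings.append("form served over plain HTTP")
        if h.get("content-encoding", "").lower() == "gzip":
            findings.append("gzip body in cleartext; compression is not encryption")
    if https_get_resp is None:
        findings.append("HTTPS not offered")
        return findings
    s = _lower(https_get_resp["headers"])
    if hsts_max_age(s.get("strict-transport-security", "")) == 0:
        findings.append("no HSTS; the first plain-HTTP request can be intercepted")
    if 200 <= https_get_resp["status"] < 300:
        findings.append("GET accepted; form fields can appear in URLs")
    return findings

# Constructed sample responses (not captured from the real service).
BEFORE = ({"status": 200, "headers": {"Content-Encoding": "gzip"}}, None)
AFTER = ({"status": 301, "headers": {"Location": "https://db.example/form"}},
         {"status": 405, "headers": {"Allow": "POST",
                                     "Strict-Transport-Security": "max-age=31536000"}})

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(*sample) or "ok")
```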
Author / Credits:
mosi security research - Simon Monai (http://jongliertricks.ch/kontakt)
2017-02-02 - https://jongliertricks.ch/mosi-security-research/39