SOLV-DB - Transparent Requests (#mvid4)

Document Title:
===============
SOLV-DB - Transparent Requests


mosi Vulnerability ID (mvid):
=============================
4


Discovery Status:
=================
Fixed


CVSSv2 Overall Score:
=====================
3.0


CVSSv2 Vector:
==============
(AV:A/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:N/TD:H/CR:M/IR:M/AR:H)
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:N/TD:H/CR:M/IR:M/AR:H)


Product & Service Introduction:
===============================
The SOLV-DB is a central runner database provided by the Swiss Orienteering federation. It simplifies the organisation of orienteering competitions in Switzerland and the registration of runners for them.
Every runner has their own runner ID, which is central to registration for events.


Abstract:
=========
The SOLV-DB is served over plain HTTP, so requests to it and the responses it returns are not encrypted. Anyone able to sniff the network traffic can read the confidential runner data they carry.


Report Timeline:
================
2016-11-29 - Vendor informed
2016-12-13 - Vendor reminder
2016-12-13 - Vendor acknowledgement
2016-12-13 - Vendor needs more time for solving
2017-01-19 - Experimental fix available, asking for implementation suggestions
2017-02-02 - Vendor finished implementation, fix approved by mosi Security Research


Affected Products:
==================
Swiss Orienteering Runner's Database


Exploitation Technique:
=======================
Network sniffing


Security Level:
===============
Low


Technical Details & Description:
================================
Request method(s):
[+] GET (Possible, not used)
[+] POST

Vulnerable Module(s):
[+] http://www.o-l.ch/cqi-bin/solvdb


Proof of Concept (PoC):
=======================
By sniffing the network traffic (for example from a man-in-the-middle position on the same network) and decompressing the gzip-compressed response, the complete pre-filled user form could be recovered. This includes the runner's ID, e-mail address, mobile number and further confidential data.


Possible Solution:
==================
Enable HTTPS on the web server, redirect plain-HTTP requests to the HTTPS site and send a Strict-Transport-Security header, so that sniffing or a man-in-the-middle attack no longer yields readable traffic. Further, reject GET requests to the form so that form data is never carried in the URL, where it could be sniffed (as long as HTTPS is not in place) or recorded in logs and browser history.
Because browsers only speak HTTP/2 over TLS, enabling HTTPS also allows HTTP/2 to be enabled on the server, which can give the positive side effect of faster page loads.
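The following script is an added example for this advisory, not code from mosi Security Research or from the SOLV-DB. It shows both what the PoC above describes (decoding a captured plaintext, gzip-compressed response and pulling the runner data out of the pre-filled form) and how to verify the fix described here (plain HTTP redirected to https://, Strict-Transport-Security set, GET refused). All captured responses, the HTML form and the field names are constructed for the example; the redirect target reuses the endpoint listed under Vulnerable Module(s) with an https scheme, which is an assumption about the fixed deployment.

```python
"""Decode a sniffed plaintext HTTP response and check HTTPS enforcement.

Added example for this advisory; not the SOLV-DB code. The responses and
the form HTML below are constructed to look like the runner form the PoC
describes; the field names and values are illustrative assumptions.
"""
import gzip
import re
from html import unescape


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body).

    Header names are lowercased; a gzip-encoded body is decompressed,
    which is the step a passive observer needs before reading the form.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return status, headers, body


INPUT_RE = re.compile(r'<input[^>]*name="([^"]+)"[^>]*value="([^"]*)"', re.I)


def extract_form_fields(html: bytes) -> dict:
    """Pull name/value pairs out of pre-filled <input> tags."""
    text = html.decode("utf-8", "replace")
    return {unescape(n): unescape(v) for n, v in INPUT_RE.findall(text)}


def sniffed_runner_data(raw_response: bytes) -> dict:
    """What an observer on the path learns from one plaintext response."""
    _, _, body = parse_http_response(raw_response)
    return extract_form_fields(body)


def transport_findings(http_resp: bytes, https_get_resp: bytes) -> list:
    """Check the fix: plain HTTP must redirect to https://, the HTTPS
    site must send HSTS, and a GET of the form endpoint must be refused."""
    findings = []
    status, headers, _ = parse_http_response(http_resp)
    location = headers.get("location", "")
    if status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("plain HTTP is served instead of redirected to HTTPS")
    status, headers, _ = parse_http_response(https_get_resp)
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header")
    if status != 405:
        findings.append("GET accepted; form data may end up in URLs")
    return findings


def build_response(status_line, headers, body=b"", gzip_body=False):
    """Assemble a raw HTTP/1.1 response for the constructed captures."""
    if gzip_body:
        body = gzip.compress(body)
        headers = headers + [("Content-Encoding", "gzip")]
    head = status_line + "".join(f"\r\n{k}: {v}" for k, v in headers)
    return head.encode() + b"\r\n\r\n" + body


# Constructed sample: a pre-filled runner form (field names are assumed).
FORM_HTML = (b'<html><body><form method="post" action="/cqi-bin/solvdb">'
             b'<input name="runnerid" value="12345">'
             b'<input name="email" value="runner@example.ch">'
             b'<input name="mobile" value="+41 79 000 00 00">'
             b'</form></body></html>')

# Vulnerable state: form served over plain HTTP, gzip-compressed.
VULNERABLE_CAPTURE = build_response(
    "HTTP/1.1 200 OK", [("Content-Type", "text/html")], FORM_HTML, gzip_body=True)
# Fixed state (assumed): plain HTTP redirected, HTTPS GET refused, HSTS set.
FIXED_HTTP = build_response(
    "HTTP/1.1 301 Moved Permanently",
    [("Location", "https://www.o-l.ch/cqi-bin/solvdb")])
FIXED_HTTPS_GET = build_response(
    "HTTP/1.1 405 Method Not Allowed",
    [("Allow", "POST"), ("Strict-Transport-Security", "max-age=31536000")])

if __name__ == "__main__":
    print("sniffed:", sniffed_runner_data(VULNERABLE_CAPTURE))
    print("before fix:", transport_findings(VULNERABLE_CAPTURE, VULNERABLE_CAPTURE))
    print("after fix:", transport_findings(FIXED_HTTP, FIXED_HTTPS_GET))
```

Against a live server, the two captures for transport_findings would come from a plain-HTTP request and an HTTPS GET to the form endpoint; an empty findings list means the three conditions of the proposed solution hold.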


Security Risk:
==============
The security risk is rated low (CVSSv2 3.0).


Author / Credits:
============
mosi security research - Simon Monai (http://jongliertricks.ch/kontakt)


Public Disclosure:
============
2017-02-02 - https://jongliertricks.ch/mosi-security-research/39


----------------------------
https://jongliertricks.ch/mosi-security-research