solvDB - Leaking SOLV-ID (#mvid9)

Document Title:
===============
solvDB - Leaking SOLV-ID


mosi Vulnerability ID (mvid):
=============================
9


Discovery Status:
=================
Patched - Public Disclosure


CVSSv2 Overall Score:
=====================
6.2


CVSSv2 Vector:
==============
(AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C/CDP:L/TD:H/CR:M/IR:M/AR:M)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C/CDP:L/TD:H/CR:M/IR:M/AR:M)


Product & Service Introduction:
===============================
solvDB is the central runner database of the Swiss Orienteering federation; it simplifies the organisation of orienteering competitions in Switzerland and the registration of runners for them.
Every runner has their own runner ID, which is central to registration for events.


Abstract:
==============
Simon Monai found a way to extract the SOLV-ID* of any runner in the solvDB (the runner database of the Swiss Orienteering federation) using the "get-my-id" form on the website. Knowing the ID allows an attacker to collect personal information about the runner.

* The SOLV-ID is the unique identifier in the runner database and is used for login and identification on other services.


Report Timeline:
================
2018-04-05: Vulnerability detected
2018-04-05: Vendor informed
2018-04-26: Vendor released patch
2018-04-28: Patch approved by mosi security research
2018-04-28: Public disclosure


Affected Products:
==================
Swiss Orienteering Runner's Database - Online Form


Exploitation Technique:
=======================
HTTP Form Manipulation together with a mail analyzer. (Remote)


Security Level:
===============
Medium


Technical Details & Description:
================================
Request method(s):
[+] GET (accepted by the server; not used by the original form)
[+] POST (used by the original form)

Vulnerable Module(s):
[+] http://www.o-l.ch/cgi-bin/solvdb

Vulnerable File(s):
[+] (None)

Vulnerable Parameter(s):
[+] recipient (e-mail address; not verified against the address stored for the runner)

Depending Product(s):
[+] http://www.go2ol.ch
[+] http://entry.picoevents.ch


Description:
=============
The landing page of the SOLV-DB (http://www.o-l.ch/cgi-bin/solvdb) offers a lookup of the runner's own SOLV-ID in case it was forgotten. The runner enters their full name and year of birth (all of which can be taken from the published results tables). If the combination matches an entry, the runner is prompted for an e-mail address to which the ID is sent. This last step can be abused because the entered address is never checked against the address stored for that runner: the ID is mailed to whatever address the requester supplies.


Proof of Concept (PoC):
=======================
Go to the login page https://www.o-l.ch/cgi-bin/solvdb and enter the runner's first name, last name and year of birth into the form. The attacker only needs the results tables, also available on the SOLV website, to obtain this information.

Changing the form method from POST to GET results in the following URL being requested:
https://www.o-l.ch/cgi-bin/solvdb?fname=Max&lname=Mustermann&yob=1987&competitor=findsolv

If the combination of name and year of birth has a match, a second form is shown. The attacker is now free to enter a mail address under their control.

Changing this form's method to GET as well reveals the following submitted URL and parameters:
https://www.o-l.ch/cgi-bin/solvdb?recipient=recipient%40example.tld&fname=Max&lname=Mustermann&yob=1987&competitor=findsolv

Varying the fname, lname and yob parameters of this URL allows an attacker to have SOLV-IDs sent, in an automated fashion, to a mailbox under their control.
Because a mail is only sent if a matching entry exists, no verification of the guessed data is needed: a non-matching guess simply produces no mail. A self-written bot can then extract the solvDB link from each received mail and collect the runner's information by downloading the linked page.


Possible Solution:
==================
The best solution would be to send the SOLV-ID to the mail address stored in the solvDB without asking the user for one. Because a mail address is not mandatory in the database, this will not work for every runner.

To keep the query usable for runners with no or an invalid mail address in the database, the form could be kept as it is. But if the runner's record contains a mail address and a different address is entered in the request, the runner should be notified at the stored address that this query was made.
Additionally, making the mail address mandatory could be considered, so that the first method can be adopted in the future.
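The following is an added example written for this page; it is not solvDB's own code and was not part of the original advisory. It models the "get-my-id" lookup in memory so the PoC above and the two proposed fixes can be compared side by side: a vulnerable handler that mails the ID to the unverified recipient parameter, a hardened handler that combines both suggestions (mail the ID only to the stored address when one exists, fall back to the requested address only for runners without one, and notify the stored address whenever a different one was entered), and a server-side check that flags one recipient address harvesting IDs of many different runners, which is what the bot from the PoC looks like from the server's side. The parameter names recipient/fname/lname/yob/competitor and the cgi-bin URL follow the PoC; the runner records, IDs, e-mail addresses, the Mailer and HarvestMonitor classes and the limit of two IDs per recipient are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Parameter names follow the URLs quoted in the PoC; everything else
# (runner records, IDs, addresses, thresholds) is constructed for this example.
BASE_URL = "https://www.o-l.ch/cgi-bin/solvdb"


@dataclass
class Runner:
    solv_id: int
    fname: str
    lname: str
    yob: int
    email: Optional[str]  # a mail address is not mandatory in the database


# Constructed sample records: one runner with a stored address, one without.
DB = [
    Runner(12345, "Max", "Mustermann", 1987, "max@example.tld"),
    Runner(12346, "Erika", "Muster", 1990, None),
]


@dataclass
class Mailer:
    """Records outgoing mail as (to, subject, body) instead of sending it."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


def lookup(fname: str, lname: str, yob: int) -> Optional[Runner]:
    """Name and year of birth are public (results tables), so a match proves nothing."""
    for r in DB:
        if (r.fname, r.lname, r.yob) == (fname, lname, yob):
            return r
    return None


def findsolv_url(fname: str, lname: str, yob: int, recipient: str) -> str:
    """Second-step GET request from the PoC, built for one row of a results table."""
    query = {"recipient": recipient, "fname": fname, "lname": lname,
             "yob": yob, "competitor": "findsolv"}
    return BASE_URL + "?" + urlencode(query)


def _params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_findsolv(url: str, mailer: Mailer) -> bool:
    """Behaviour described in the advisory: the ID goes to the unverified recipient."""
    q = _params(url)
    r = lookup(q["fname"], q["lname"], int(q["yob"]))
    if r is None:
        return False
    mailer.send(q["recipient"], "Your SOLV-ID", f"Your SOLV-ID is {r.solv_id}")
    return True


def hardened_findsolv(url: str, mailer: Mailer) -> bool:
    """Combination of the two fixes proposed above: the ID goes only to the stored
    address when there is one; the requested address is used only for runners
    without a stored address; and the stored address is notified whenever a
    different address was entered."""
    q = _params(url)
    r = lookup(q["fname"], q["lname"], int(q["yob"]))
    if r is None:
        return False  # same answer as before, and no mail leaves the system
    if r.email is None:
        mailer.send(q["recipient"], "Your SOLV-ID", f"Your SOLV-ID is {r.solv_id}")
        return True
    mailer.send(r.email, "Your SOLV-ID", f"Your SOLV-ID is {r.solv_id}")
    if q["recipient"].lower() != r.email.lower():
        mailer.send(r.email, "SOLV-ID lookup notice",
                    f"Your SOLV-ID was requested with the address {q['recipient']}.")
    return True


class HarvestMonitor:
    """Server-side check for the bot from the PoC: one recipient address receiving
    the IDs of more than `limit` distinct runners is harvesting, not recovering
    its own ID. The limit is an assumed value."""

    def __init__(self, limit: int = 2) -> None:
        self.limit = limit
        self.seen: dict = defaultdict(set)

    def record(self, recipient: str, solv_id: int) -> bool:
        """Returns True once the recipient has collected more distinct IDs than `limit`."""
        ids = self.seen[recipient.lower()]
        ids.add(solv_id)
        return len(ids) > self.limit
```

In the fallback branch the hardened handler still mails to an address it cannot verify, which is exactly why the advisory suggests making the address mandatory; until then, HarvestMonitor is the control that turns a bulk lookup from one mailbox into something the operator can see and block.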


Security Risk:
==============
This vulnerability is rated medium due to the possible loss of confidential information (CVSSv2 6.2).


Author / Credits:
=================
mosi security research - Simon Monai (http://jongliertricks.ch/kontakt)


Public Disclosure:
==================
2018-04-28 - https://jongliertricks.ch/mosi-security-research/65


----------------------------
https://jongliertricks.ch/mosi-security-research