Hello, I have a bit of a problem with how to approach this without wasting my time and effort. So here is how it all started…
A few weeks ago a friend sent me his company site backup, asking me to keep a copy because his backup strategy is non-existent. I said fine, I'll keep a copy, but maybe you should ask for an admin account so if we need to restore we can do it with any web dev company. I asked if I could snoop around the backup and both the dev and he agreed. The thing is that the same developer is running a few websites for our parent company, and they brag about their custom CMS and having a software engineering degree instead of a "self-taught WordPress drag-and-dropper degree". I thought nothing of it at the time, but since hanging around this place I sort of wanted to look at it in a bit more detail.
Now, I'm no IT staff, and I'm by no means a developer, but I do dabble in PHP and automating things, so very quickly I saw some (serious) problems.
- Passwords are non-salted MD5 hashes
  There are four user accounts: one is the dev, and the other 3 are from some people who do content management, with the roles "super admin", "admin" and "user". I managed to recover 3 out of 4 plaintext passwords in 4 different ways: a Google search for MD5 reverse lookup, hashcat with a dictionary attack, hashcat and Mentalist with a brute-force attack, and the Facebook "about" page for some of the people involved (yes, 50% of the passwords are FirstnameBirthYear). The only one I couldn't recover was the dev's.
  Now what I definitely DID NOT DO is use Tor to try and log in to our parent company websites using these credentials, and IT DEFINITELY DID NOT WORK. And when I didn't do this, no one noticed a login from who knows where the exit node was.
- There is no CSRF protection of any kind, I think. There is no 2FA of any kind, I'm sure.
  Every single form has no token of any kind to make sure there are no CSRF shenanigans. I tried using curl to send a POST request to the login page, and if the credentials are wrong I get back HTML with "wrong username or password" in it. If however I POST the right login credentials, I get back the login page with no errors, I assume because there is no way to create a session. So in theory I could inject an account via cross site scripting? I have no idea how, but in theory I could, right? (done on a Linode VM, not the live site)
- There is a lapse in logic when creating accounts
  When creating accounts, the code will check if the user is "superadmin" or "admin" but nothing else. The problem is that this info comes from a hidden form field that I can edit and put "Bugs Bunny" in if I want. In combination with adding a "superadmin" option to the HTML, I was able to use an "admin" account to inject a "superadmin" account. The fun part is that super admin accounts are not listed, so no one would even know about this. (done on a Linode VM, not the live site)
These are just some problems I tracked down within a couple of days, and I have no official computer science or software engineering training at all. How can someone claiming to be a software engineer not know about these things I picked up casually dabbling in PHP?
How do I approach this and warn my parent company about the problems? Knowing them, I don't think the IT people will care (or they will, and take 100% credit for it), and senior management won't have any idea what I'm talking about.
I'm thinking about approaching the dev and letting the parent company president and IT director know at the same time, and at least asking for better passwords and CSRF protection. This should be trivial to do, but I don't know if their egos will kick in.
My dilemma is that if I do something about this, I'll be damned if someone else gets a pay bump for it, and on the other hand there is a serious potential of getting hacked if I just leave it alone.
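Since the CMS in question is PHP, here is what the account-creation path looks like once the three findings above (unsalted MD5, no CSRF token, role trusted from a hidden field) are fixed. This is an added example, not code from the CMS in the post; the `$db` PDO handle, the `users` table, the session layout and the 12-character minimum are assumptions.

```php
<?php
// Added example, not code from the CMS in the post. Assumes a PDO handle
// $db, session_start() already called, $_SESSION['role'] set at login from
// the database, and a hypothetical `users` table.
declare(strict_types=1);

// Roles each creator role may hand out. Keyed by the creator's *session*
// role, so a client-supplied hidden field can never widen the list.
const ASSIGNABLE_ROLES = [
    'superadmin' => ['superadmin', 'admin', 'user'],
    'admin'      => ['user'],
];

// Per-session CSRF token; emit it as a hidden field in every form.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid(array $post): bool {
    return isset($post['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $post['csrf']);
}

function create_account(PDO $db, array $post): bool {
    if (!csrf_valid($post)) {
        return false;                          // forged cross-site POST
    }
    $creatorRole = (string) ($_SESSION['role'] ?? '');
    $requested   = (string) ($post['role'] ?? 'user');
    // The hidden-field edit from the post fails here: "Bugs Bunny" or
    // "superadmin" submitted by an 'admin' is not in admin's allow-list.
    if (!in_array($requested, ASSIGNABLE_ROLES[$creatorRole] ?? [], true)) {
        return false;
    }
    $username = trim((string) ($post['username'] ?? ''));
    $password = (string) ($post['password'] ?? '');
    if ($username === '' || strlen($password) < 12) {
        return false;                          // minimum length is an assumption
    }
    // Salted, slow hash instead of bare MD5; check with password_verify() at login.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)'
    );
    return $stmt->execute([$username, $hash, $requested]);
}
```

The form that posts to this handler carries `<input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token()) ?>">`, and the login handler compares the stored hash with `password_verify()` rather than `md5()`.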