Privilege Escalation

Severity: High
Bug ID: 744
Researcher: realn0j
Status: Disclosed
Submitted: 09/06/2017

Description:

Loading the blog page with an invalid post name results in a comment box being displayed to all users above the list of posts. Authenticated users may submit comments to it, which are stored and displayed in the list of blog posts. All invalid 'name' parameter submissions appear to affect a single comment thread, which is displayed on any page with an invalid name given.

Affected URL:

https://crowdshield.com/blog.php?name=

Affected Params:

name

Bug Evidence:

Evidence and steps to reproduce provided to @1N3 via Slack.


Bug Recommendation:

Check for a valid ?name parameter before displaying the comment box or accepting comment submissions. As a sanity check, check the database regularly for orphaned comments.
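
One way to implement this recommendation, as an added example that is not CrowdShield's code: the schema, the sample rows and every function name are assumptions, and authentication is assumed to be handled elsewhere. It runs against an in-memory SQLite database through PDO.

```php
<?php
declare(strict_types=1);
// Added example: schema, sample rows and function names are assumptions.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY,
        post_id INTEGER NOT NULL REFERENCES posts(id), author TEXT, body TEXT)');
    $db->exec("INSERT INTO posts (name) VALUES ('constructed-sample-post')");
    // Constructed pre-fix row: a comment attached to no existing post.
    $db->exec("INSERT INTO comments (post_id, author, body) VALUES (999, 'constructed', 'stray')");
    // From here on the database itself rejects comments without a real post.
    $db->exec('PRAGMA foreign_keys = ON');
    return $db;
}

// Map ?name= to a post id, or null. Call this before rendering the comment box too.
function resolve_post(PDO $db, $name): ?int {
    if (!is_string($name) || $name === '') {
        return null; // missing, empty or array-valued parameter
    }
    $q = $db->prepare('SELECT id FROM posts WHERE name = ?');
    $q->execute([$name]);
    $id = $q->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Store a comment only when ?name= resolves to an existing post.
function add_comment(PDO $db, $name, string $author, string $body): bool {
    $postId = resolve_post($db, $name);
    if ($postId === null) {
        return false; // caller responds 404: no form shown, nothing stored
    }
    $db->prepare('INSERT INTO comments (post_id, author, body) VALUES (?, ?, ?)')
       ->execute([$postId, $author, $body]);
    return true;
}

// Audit from the recommendation: comments whose post_id matches no post.
function orphaned_comments(PDO $db): array {
    return $db->query('SELECT c.id FROM comments c
        LEFT JOIN posts p ON p.id = c.post_id WHERE p.id IS NULL')->fetchAll(PDO::FETCH_COLUMN);
}

$db = open_demo_db();
var_dump(add_comment($db, 'constructed-sample-post', 'alice', 'hello')); // valid name
var_dump(add_comment($db, '', 'alice', 'hello'), add_comment($db, 'no-such-post', 'alice', 'hello'));
var_dump(orphaned_comments($db));
```

The audit query reports the constructed stray row, which is the kind of record a scheduled check would surface for cleanup.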

Direct Chat

realn0j 09/06/2017
submitted an Application Errors bug to CrowdShield
CrowdShield 09/06/2017
changed the bug category to Privilege Escalation
CrowdShield 09/06/2017
Updating to privilege escalation as this allows comments that could end up public without proper authorization and could likely be to future blog posts not yet added.
CrowdShield 09/06/2017
awarded 20 points to realn0j for a Privilege Escalation bug
CrowdShield 09/06/2017
closed a Privilege Escalation bug submitted by realn0j
CrowdShield 09/06/2017
disclosed a Privilege Escalation bug submitted by realn0j
CrowdShield 09/06/2017
Should be fixed now. Thanks for the heads up!

Pending Bugs

ID   Severity       Vulnerability                   User       Date        Status
692  High           Authentication Bypass           dia2diab   07/01/2015  Disclosed
778  High           Privilege Escalation            poseidon   08/24/2018  Disclosed
641  High           Privilege Escalation            daksh      12/05/2014  Disclosed
744  High           Privilege Escalation            realn0j    09/06/2017  Disclosed
670  High           Remote Code Execution           zoczus     05/06/2015  Disclosed
593  Medium         Buffer Overflow                 rockcena   12/01/2014  Disclosed
578  Medium         Cross Site Request Forgery      sandeepv   11/30/2014  Disclosed
580  Medium         Cross Site Request Forgery      sandeepv   11/30/2014  Disclosed
659  Medium         Reflected Cross Site Scripting  pratap     12/16/2014  Disclosed
742  Low            Application Errors              guifre     07/29/2017  Disclosed
724  Low            Session Security and Cookies    testingcs  04/24/2016  Disclosed
706  Informational  Other                           zediwon    09/28/2015  Disclosed
707  Informational  Other                           behroz     10/06/2015  Disclosed