Security Research Work for Directi Part2
12 Jan 2017This post is regarding critical vulnerability i found on directi’s codechef.com
Proof of Concept
Earlier,I have reported a critical vulnerability(directory traversal) in the main domain(codechef.com).This time I thought of looking into the subdomains of codechef.com.
Through subdomain bruteforcing one domain caught my attention https://mail.codechef.com.
So,started looking for some juicy stuffs through dir-buster.
Got 200ok response from info.php file.
OWASP-A6 (https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure)

Disclosure of phpinfo server file:

SQL-INJECTION(CRITICAL)
https://www.owasp.org/index.php/SQL_Injection
Through some googling, I found that mail.codechef.com was using sendy email newsletter application.
Two vulnerabilities were available publicly through exploit database of sql-injection.Here is the screenshot-</br>
Url-https://www.exploit-db.com/exploits/31898
mail.codechef.com is using a vulnerable version of sendy.

Url->https://mail.codechef.com/app?i= [vulnerable-sql-injection-point]
Sqlmap confirms the sql-injection.This is a critical vulnerability which can compromise the server.
Fix-Upgrade to the latest version

CROSS-SITE SCRIPTING-
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Inserting a javascript payload in the redirect parameter leads to its execution.
