
XSS vuln and bug bounties

I wasn't planning on writing anything as it is cold and miserable and I want to hibernate until the end of March... but, alas, events conspired to change that.

I received the following email this morning:

An email warning of a problem.
Clearly nobody at OpenBugBounty uses mobile devices.

"Dear Security Team"? Oh, they must mean the cat that owns this human.

Let's see what's up. Here is a link to the report, and note that it uses CloudFlare to verify you are a human before allowing access, so it probably won't work on NetSurf.

As expected, there was no information other than to say that my site suffered from a Cross Site Scripting Vulnerability. This is logical, as proper disclosure requires one to publicise things only after it has been patched and/or a period of time has elapsed with nothing having been done.

Four things stood out to me.

The first was that there wasn't any sort of actual identification of the reporter. The name given was "Mr Jack". The domain mentioned was registered with NameCheap Inc and was a small single page of broken HTML. The Twitter link went to a "The account doesn't exist" page (the above text gave an entirely different link), and the Facebook link said "This content isn't available at the moment". Hmm...

The second thing that I noticed was this appears to have been the result of an automated scanner. The "Reports" tab listed some sixty seemingly random sites this weekend alone, and since Christmas 2023 there have been 1,085 pages of reports - or about 21,700 so far at 20 per page (phew!) though the site says 16,597 (still, phew!).

I note also that the scan was performed giving the URL "heyrick.co.uk", which for several years now has been a quiet redirect to "heyrick.eu". I wonder what outdated link Mr Jack found?

Finally, this part of the page:

They'd like $300, thanks.
I can't help but think that SWIFT to an American bank would have big charges.

While it's a perfectly reasonable request for a commercial or company site, I'm afraid $300 really doesn't work for me as this is a personal hobby site with a strict no-advertising policy. I don't make money from it, the donations asked for on the right go to the person hosting this site, not to me. And, anyway, I would need to bust my balls for nearly a week to earn that sort of money.

So my options were clearly "ignore it and hope it goes away" or "pay money I don't have for a bug report".
The problem with us neurodivergent types is that we're good at looking at a binary choice and then picking a third option.

That third option was a free online XSS scanner. Which I used, and in about five minutes it located the problem.

The problem was as follows: The blog entry URL is laid out in the form "/blog/index.php?diary=<year><month><day>", and you could inject some unwanted content into the page by putting it there in place of the expected date.

The reason for this was, quite simply, some debugging code that I forgot to remove. You see, if the parameter given is unrecognised, it will give an "unrecognised date" page, and if it looked more like somebody trying something, it would tell them to stop wasting their time as there is no back door - the secret way in is not tictactoe with the password joshua.
However, when it did that, it also embedded in the HTML a comment that reported what the input actually was. This was placed there during development in order to check that the detection wasn't chomping on anything that was actually wanted, and wasn't throwing errors for simple mistakes.
For example index.php?diary=202501111 (a digit too many) and index.php?diary=2025011!1 (accidental shift) will simply say that an invalid date was specified, and index.php?bollocks will just redirect to the latest entry as if no date had been given. But index.php?diary=<bollocks> will tell you to stop wasting your time.

There was, however, a problem in that a carefully crafted link would be able to break out of the comment and embed content into the page.
Something like: index.php?diary=%27"-->something nasty here

Fixing that was a simple matter of commenting out the debug code so the actual input was never reported back - basically adding two slashes to the script in the right place.
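To make the failure mode concrete, here is an added PHP sketch (not the blog's actual code) of the "invalid date" page before and after the fix. Only the URL shape, the leftover debug comment and the `-->` breakout come from the post; the function names, the comment wording, the validation rule and the server-side logging are assumptions.

```php
<?php
// Added example, not the blog's own code. It models the "unrecognised date" page
// described in the post: the rejected ?diary= value was echoed into an HTML
// comment, so a value containing "-->" closed the comment early and whatever
// followed it became live markup.

// Assumed validation rule: exactly YYYYMMDD, and a date that actually exists.
function is_valid_diary(string $diary): bool
{
    if (!preg_match('/^(\d{4})(\d{2})(\d{2})$/', $diary, $m)) {
        return false;
    }
    return checkdate((int) $m[2], (int) $m[3], (int) $m[1]);
}

// Before the fix: the raw input is interpolated into a debug comment.
function invalid_date_page_before(string $diary): string
{
    return "<p>Invalid date specified.</p>\n"
         . "<!-- debug: diary=$diary -->\n";   // the leftover development line
}

// After the fix: the input never reaches the HTML. The diagnostic can still be
// kept server-side; rawurlencode() keeps control characters out of the log line.
function invalid_date_page_after(string $diary): string
{
    error_log('diary parameter rejected: ' . rawurlencode($diary));
    return "<p>Invalid date specified.</p>\n";
}

// If reflecting the value were genuinely needed, it would have to be escaped.
// htmlspecialchars() encodes '>' (and both quote characters, with ENT_QUOTES),
// so "-->" cannot appear in the output and the comment ends only where the
// template ends it.
function invalid_date_page_escaped(string $diary): string
{
    $safe = htmlspecialchars($diary, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Invalid date specified.</p>\n"
         . "<!-- debug: diary=$safe -->\n";
}

// Constructed input with the shape the post describes: close the comment, then inject.
$payload = "'\"--><b>injected</b>";

assert(!is_valid_diary($payload));
assert(is_valid_diary('20250111'));
assert(!is_valid_diary('202501111'));  // a digit too many
assert(!is_valid_diary('20250230'));   // not a real date

echo invalid_date_page_before($payload);    // the <b> element renders: that is the XSS
echo invalid_date_page_after($payload);     // no trace of the input in the page
echo invalid_date_page_escaped($payload);   // "--&gt;" is inert comment text
```

Run it with `php example.php` and compare the three outputs. The second function is the shape of the fix described above: the simplest way to stop input leaking into a page is to never write it there, and a server-side log keeps the diagnostic value without the exposure.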

 

This vulnerability did not affect the server, and only would have affected you if you followed a tainted link. Since it uses a GET request, you may well have spotted something was wrong first, although, admittedly, modern browsers and email clients go to extreme lengths to obscure where links actually go "for user convenience" because "Click Me" is much friendlier than several lines of gibberish.
And this is why people keep on getting duped by scam sites. The link might say britishgas.co.uk, the site might look like British Gas, and it might even have a little padlock so your browser doesn't complain; would you necessarily notice if the URL was britgas.co.uk or brittishgas.co.uk?
I'm not picking on British Gas here, just thinking of a utility who scammers may want to impersonate.

 

As an aside, I noticed that the code to provide the canonical/alternative references (that is to say, the desktop and mobile versions of a page pointing at each other and saying "we're the same only different") was simply echoing a modified version of the input URL. This wasn't a vulnerability, as it wasn't altering the content, but simply repeating the bad input back wasn't ideal.
On further examination, it was broken in other ways, like pointing to a mobile version of the versions log, which doesn't exist because that's a static page that borrows the blog theme rather than being a page built within the blog system (so there is no mobile alternative). It was also claiming a potentially non-existent page (whatever the current date was) as an alternative for the "invalid date" report.

That bit of code was replaced with something a lot smarter. It was hard going, not in terms of code, but because I was doing it on my mobile phone. So AndFTP to pull the PHP file. Then ES Explorer (an old pre-malware version) to find the file, then edit it using ES Note Editor, then back to AndFTP to push it back to the server, and then over to Chrome to refresh the page and discover... I forgot a quote mark, or the autocorrect "helpfully" changed substr to substrate, and other facepalm-inducing nonsense.
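As an added illustration of the "smarter" replacement (this is not the blog's own code), the canonical/alternate links below are built from what the page code already knows about the request, rather than from the URL the client sent: a validated date for a real entry, no alternate at all for the invalid-date page, and no mobile twin for a static page that only borrows the theme. The host name is from the post; the page kinds, paths, mobile URL layout and `media` hint are assumptions.

```php
<?php
// Added example, not the blog's own code. The canonical/alternate <link> pair is
// built from what the blog's routing has already decided about the request
// (which kind of page, which validated date, which layout), never from the URL
// the client sent. Paths and the mobile layout's URL are assumptions.

const SITE = 'https://heyrick.eu';  // host is from the post; everything after it is assumed

// $kind:   'entry'   a dated blog entry; $date is a router-validated YYYYMMDD string
//          'invalid' the "invalid date" report page
//          'static'  a page that merely borrows the blog theme (e.g. the versions log)
// $mobile: whether the page being served is the mobile layout
function canonical_links(string $kind, ?string $date, bool $mobile): array
{
    switch ($kind) {
        case 'entry':
            if ($date === null || !preg_match('/^\d{8}$/', $date)) {
                throw new InvalidArgumentException('entry needs a validated YYYYMMDD date');
            }
            $desktop   = SITE . '/blog/index.php?diary=' . $date;
            $mobileUrl = SITE . '/blog/m/index.php?diary=' . $date;   // assumed mobile path
            // Standard pairing: the desktop page is canonical and advertises the mobile
            // page as an alternate; the mobile page points back at the desktop canonical.
            return $mobile
                ? ['canonical' => $desktop, 'alternate' => null]
                : ['canonical' => $desktop, 'alternate' => $mobileUrl];
        case 'invalid':
            // An error page has no "other layout", and today's entry may not exist yet,
            // so it must not be claimed as a twin: point at the blog front page only.
            return ['canonical' => SITE . '/blog/', 'alternate' => null];
        case 'static':
            // A theme-borrowing static page exists in one form only: no mobile alternate.
            return ['canonical' => SITE . '/versions.html', 'alternate' => null];  // assumed path
        default:
            throw new InvalidArgumentException("unknown page kind: $kind");
    }
}

// Attribute values are escaped even though they are server-built; it costs nothing
// and keeps the output safe if a future edit ever feeds user data in here.
function render_link_tags(array $links): string
{
    $esc = fn(string $u): string => htmlspecialchars($u, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $out = '<link rel="canonical" href="' . $esc($links['canonical']) . "\">\n";
    if ($links['alternate'] !== null) {
        $out .= '<link rel="alternate" media="only screen and (max-width: 640px)" href="'
              . $esc($links['alternate']) . "\">\n";
    }
    return $out;
}

echo render_link_tags(canonical_links('entry', '20250111', false));  // canonical + mobile alternate
echo render_link_tags(canonical_links('entry', '20250111', true));   // canonical only, back to desktop
echo render_link_tags(canonical_links('invalid', null, false));      // no alternate at all
echo render_link_tags(canonical_links('static', null, false));       // no alternate at all
```

The design point is that the only value derived from the request is the date, and it has already passed validation before it is used, so there is nothing of the client's input left to echo.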

 

I would like to thank Mr Jack for bringing this problem to my attention.
And the moral, kiddies, is to remember to disable your debugging code!

 

Ah-ha! It looks like Wocki's site has an XSS vulnerability (marked unpatched, due for disclosure in five days) and my site in its .co.uk form is mentioned there. The vulnerability test bot probably crawled that link along the way and added it to the "to do" list.

 

Now if we dig in a little deeper, Mr Jack isn't getting rich off of this. He has made 16,597 reports since 2023/12/25 (did he get fibre for Christmas? ☺) with 270 being "VIP sites" and... only NINE vulnerabilities have been patched.
I don't know whether people are doing what I did and fixing it themselves, or if they just don't care. I think we can hazard a guess, don't you?

Chart of bug reports versus fixes.
This looks like a chart of AI content theft versus f**ks given by the AI companies.

 

Missing FreeSat listings

If you are using my Tea application to look at the TV listings for next weekend and you see large swathes of programmes missing... it isn't me.

FreeSat programme guide with missing information
Perhaps turning it off and on again would help?

 

 

Your comments:


Rick, 12th January 2025, 20:21
I can hear things scurry in the loft. The little critters are like "it's so bloody cold out there we'd rather take our chances with the owl than stay outside". 🐁 
 
Meanwhile, the owl is like "Fast food home delivery? Awesome!". 🦉

© 2025 Rick Murray