mailing list archives
From: Matthew Flaschen <matthew.flaschen () gatech edu>
Date: Mon, 23 Oct 2006 17:13:10 -0400
I don't know whether anyone here uses this software, but I wanted to
report this somewhere. The software in question is a subscription web
service called Comment, run by Bedford St. Martins (a publisher). The
main site is at http://comment.bedfordstmartins.com/ . The only
version I have used or tested is
http://comment.bedfordstmartins.com/CommentSMHandbook5e/ , but I suspect
that the vulnerabilities extend across all the other versions.
The site is designed to allow instructors to create private virtual
classes, to which students can upload documents. The defining feature
(obviously) is that the site allows students and professors to comment
(annotate) each other's papers. There are no problems with this
However, the site design is fundamentally flawed from a security point
of view. The first problem is found is that through a manipulation of
the url, it is possible to view arbitrary documents, regardless of
whether you are in the uploader's class.
The original document URLs are in form:
Each parameter (doc, a, DCID) would be a different natural number. I
believe doc refers to the assignment the document is intended for, a to
the author, and DCID to the actual document id.
These are used in links from the main document listing.
Substituting an arbitrary DCID allows you to view that document,
unconditionally. This is already a critical flaw, as the site is meant
to be segregated into private classes; this breaches the divide by
allowing the viewing of arbitrary documents from other classes. The
other parameter of interest is "a". This refers to the author (or
uploader) of the document. When an author views their own document,
they can see all comments (and it says "your document" in the print
view), even if they are private. However, the only criteria for
document ownership here is the "a" parameter. So, for best results when
viewing others' documents, use your own "a" parameter. Now, all
comments on all documents are available. This also means the emails of
the uploader, and all commenters are available; they are in plain text
in the source despite the fact that the web site sends the emails using
a server-side script.
Thus, we have full read access to the site. The question now becomes to
what extent write access is possible. It turns out this is also
unlimited. Comments can be added on most documents the normal way
(clicking on a word or paragraph mark). However, for the instructor
documents, commenting by students is prohibited. In these cases, open
the actual document frame (bottom left) separately. Then, simply type
number corresponding the word you wish to comment (in order). "word"
can be replaced by "para" to comment paragraphs instead. This will open
a window for editing, as the system would for ordinary comments.
Editing an arbitrary comment is a bit trickier. There is a function
editWinOpen(5, "word") (same parameter forms). However, it only works
for your own comments; I do not think this is deliberate security.
Rather, they just assume you are editing your own comment, can't find
one, so start a new one (if you attempt to save this, it will give an
error). So, create a new comment (using the method above if the
document is locked). Then, edit this one. An edit link will be
available unless the comment was created on a locked page (in this case
use editWinOpen, which will work for your own comments). Once you have
your own comment open for editing, open Firefox's DOM inspector (or
similar). Search for name=cmtID . This is the only data the script
uses to determine what comment to operate on. Luckily, there is an easy
way to get the cmtID for an arbitrary comment. It's in the email link
next to each comment. They are in the form:
Simply copy that cmtID out and paste it into DOM inspector. Then, copy
the original comment text from the page, make desired modifications,
then click save comment. The same goes for deletion.
Thus, there is arbitrary read-write for comments. What can be done with
others' documents? It turns out it is possible to do everything you can
do with your own uploaded documents. The reason is simple. In the main
document listing, there are checkboxes next to your documents, and a
menu with choices of actions. However, the checkboxes use the same
DCIDs noted earlier. The values are in form:
Again, only DCID matters. It can be changed to any arbitrary DCID; the
other text (after the | ) is ignored. Then, the menu (Copy, show/hide,
delete), all applies to the document corresponding to the DCID. Thus,
it is possible to hide and/or delete an arbitrary document. There is
thus unlimited read/write access for the whole supposedly private site.
Note: The original problem (arbitrary read access) was disclosed 1 week
ago to their tech support by email. They have replied with nothing but
an Autoresponse. I made a follow-up call and was told they would deal
only with an instructor (even though I have documents and comments
uploaded, and paid for access). Thus, I am fully disclosing here.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Comment Service Matthew Flaschen (Oct 23)