[Responsible Disclosure] Zim e-Governance site ZimConnect vulnerabilities - It shouldn't be this easy
I've been hectically busy the past couple of weeks. Just started a Google Summer of Code style internship sponsored by SoftwareMill working on Slick. Finally found time to publicly disclose a number of vulnerabilities I discovered a few weeks back.
Admittedly I was a bit lazy when writing this post, so bare with me. I've been busy of late.
Overview
This post serves as a disclosure of
vulnerabilities identified by the aforementioned security researcher.
The vulnerabilities identified pose a danger to the security and
integrity of the ZimConnect eServices platform and could lead to the
system being compromised by a remote attacker.
Scope and Limitations of Assessment
Discovery of these systems was done through inspecting HTTP requests when accessing the site and using public search engines.
Due to legal limitations, the assessment was not
performed beyond the scope allowed by the law to protect the researcher
and as such the researcher feels the vulnerabilities illustrated in this
document could be exploited to compromise the platform by an attacker
who has no respect for laws, local or international.
Responsible Disclosure Policy
I wrote this article after responsibly disclosing the vulnerability.
Please read the "Vulnerability Disclosure" page on this blog for the process and timeline.
Passively Identified Vulnerabilities
Default server configuration on paynow.pfms.gov.zw
Explanation
The HTTP server on paynow.pfms.org.zw is publicly
accessible and accessing the server root automatically redirects to a
default server configuration page which leaks information about the
services offered by the site and could potentially allow an attacker to
remotely read files on the server and lead to a denial of service on the
server.
HTTP request observed when accessing https://zimeservices.pfms.gov.zw/
Risk
The server appears to be using a default stack of
Apache, Php, Mysql running on the Windows platform. The stack is
provided through the popular software package XAMPP. After installation
the XAMMP package was left with default configuration details which
allow an attacker to access a dashboard provided by XAMMP which can be
used to access the database, view server statics, view server
configurations and read local files.
Recommendations
Deny access to the XAMMP dashboard to a select number of hosts or to requests from localhost any.
Remove the XAMMP dashboard application from the document root.
Server Configuration Information Leak
Explanation
XAMPP provides a means to view server configuration through phpinfo().
Accessible at https://paynow.pfms.gov.zw/xampp/phpinfo.php
Risk
Having a publicly accessible phpinfo() gives an
attacker valueable information about the system including private
networks which can be used to improve their attacks.
Local File Inclusion Vulnerability
Explanation
This is a vulnerability that exists since version
1.6.1 of XAMPP and affects the version of XAMPP on the remote server(
version 1.7.1 ). This allows an attacker to access files within the
target filesystem
Risk
An attacker could leverage this vulnerability to
access sensitive information on the server. However access is limited to
the directory of the file due to the use of php function basename() in
the vulnerable code
Information Leak Vulnerability
Explanation
XAMPP provides a facility Webalizer which analyzes
server logs to show statistics on popularly accessed URLs, referee sites
and top accessing sites.
Risk
An attacker could leverage this vulnerability to gain information on other resources
which are accessible on the server.
Summary
The report gives an idea of the vulnerabilities and how they could be exploited by an attacker to gain access into the platform.
Contact Details
The security researcher can be contacted at the aforementioned details.
Disclosure Timeline
9th May, 2016 : Report sent to contact details listed on website and to GISP.
21st May, 2016 : Publicly disclosed vulnerability following no response.
At the time of publishing, the servers still remain unfixed.
Comments
Post a Comment