How I found the silliest logical vulnerability for $750

3 years ago 189
BOOK THIS SPACE FOR AD
ARTICLE AD

Sometimes even a well-tested program can have silly vulnerabilities, such as this one, a private program which I was invited and it was tested for 3 years, lots of lots of vulnerabilities even critical ones were reported, from SQL-i to XSS, Deserialization and whatnot, nobody reported a vulnerability for over 1 year, but after spending 3 days on it I found this really silly bug which even the team behind the software said, and I quote:

Vendor: I am very surprised to find such a simple vulnerability in this addon. This will be addressed by our development team. Thank you very much for your report.

the vulnerability was in a plugin, the program mentioned that you can find vulnerabilities in their plugins too

the vulnerability was Email blacklist bypass

in a certain plugin, they’ve introduced a feature to prevent usage of free mailing services such as temp mails, gmails, yahoo, etc.

I’m sure you’ve encountered examples of such mechanism in websites which prevent you from complete registration when you use a johndoe@gmail.com well they mostly are using a list of known domains which provide free mailing service and if the domain part of you’re email johndoe@domain.com is using one of the blacklisted domains, then you can’t register.

since the program was open-source and I was reading through to make sure there were no implementation flaws I came across this subroutine

Did you found the vulnerability?

as mentioned in the added comments, the application is taking the user email address for example batman@gmail.com, and then checking to see if the domain part of the email is on the black-list

now if we input an email address which it’s domain part is not included in the blacklist, it’s not actually a bypass, but if we use a restricted domain and the application allows it, then that’s a bypass, so let's add some comments

as you can see the application is using the PHP in_array function which is actually a CASE-Sensitive check and vulnerable to case checking, meaning that we can change the batman@gmail.com to batman@GMAIL.com and the in_array function returns false when checking if the domain is blacklisted.

As I mentioned the vendor response was this:

Vendor: I am very surprised to find such a simple vulnerability in this addon. This will be addressed by our development team. Thank you very much for your report.

A simple vulnerability yet no one was looking for after 3 years of hunters testing it.

I got rewarded 750$ for this bypass

hope you all enjoyed this write-up, see you next time

-Sina

My Twitter: https://twitter.com/Sin_Khe

My Linked-In: https://www.linkedin.com/in/sina-kheirkhah-879860213/

Other Writeups: https://sinsinology.medium.com/

Read Entire Article