Happy serialization



  • I dicovered this a few months ago on a commercant website, it's still not fixed today.

     Go to [url]www.pixmania.com[/url] (its a well known online electronic seller in europe)

    then go to FAQ, click on contact (don't go to contact directly it's not the same page), a form ask you what kind of contact you want to make, using a drop down. You probably need to be subscribed, so create a dummy email account like on mytrashmail.com


    Open page source code, you will see a cryptic hidden field. It  is named _page_vars_ and it seems to contain a base64 encoded serialization of your user session. Amongst other thing i found on mine after selecting all categories:

     [code]{s:6:"_dbcon";O:5:"mysql":20:{s:10:"mysql_user";s:8:"1webcall";s:10:"mysql_pass";s:14:"1webcall2pass!";s:10:"mysql_host";s:12:"192.168.1.25";s:8:"mysql_db";s:7:"WEBCALL";s:10:"mysql_port";i:3306;s:15:"_mysqlConnectId";i:0;s:14:"_mysqlResultat";i:0;s:12:"_mysqlNumRes";i:7;s:13:"_lastIdInsert";N;s:9:"_erreurno";i:0;s:10:"_erreurMsg";N;s:9:"_classMsg";N;s:10:"_lastQuery";s:77:"SELECT ID_CHAMP FROM CHAMP_FORMULAIRE WHERE ID_FORMULAIRE=1878 ORDER BY ORDRE";s:11:"_tabLbHosts";a:0:{}s:19:"_lastQueryConnectId";i:0;s:6:"_debug";b:0;s:14:"_retryOnMaster";b:0;s:16:"_retriedOnMaster";N;s:13:"_totalPoidsLb";N;s:18:"_lbHostIdToConnect";N;}[/code]

    Yes you get it, all needed informations to connect to their mysql service, inlcuding their very difficult to brute force password, if you can access their private access realm. I wonder what could happen if i altered this session in some way 🙂 



  • Wow 😮

     

    This one got "PWN ME PLZ" written all over it



  • Putting session data in a hidden field: BAD
    Putting raw SQL in the hidden field: What were you thinking?
    Putting the database password in there: WHAT WERE YOU SMOKING?

    Now all he needs to include is his home address, the time of day that he works, and where he hides his spare key.



  • This is the first time I've ever felt that something has actually literally lived up to the moniker "Worse Than Failure".

    Fix that site!!



  • Ugh. I know they have an especially nasty site, but that really is just.... wow.... Putting your DB password/connection details/SQL commands in there for all to view? You might just as well send out a press announcement with your customers' credit card numbers in there too.
     

    Just to add to the WTFness of it all, they also have a delightful mix of French and English in there.



  • I just wonder if they have a site with

    s:50:"$result=mysql_query('SELE....

    in hidden field 😉 



  • You might want to re-check, there's a huuuuge hidden field which is indeed a session serialization, base64-encoded. But inside the field, I couldn't find any confidential value. By the way, there is some strange binary data. Wouldn't be surprised if it's actually "encrypted" data.

     Their site does not look so bad, so I wonder if it's a WTFed workaround for a third-party tool. Or their portal was developed by  "professional" programmers ( or bought as is ), and then this tool was made by someone a bit more inclined to WTFs. For whatever reason ( not reasonable enough, anyway ), they could not share information and used that obnoxious field ...



  • @aikii said:

    You might want to re-check, there's a huuuuge hidden field which is indeed a session serialization, base64-encoded. But inside the field, I couldn't find any confidential value. By the way, there is some strange binary data. Wouldn't be surprised if it's actually "encrypted" data.

    Well, confidential datas (mysql queries and so on) only appear after use use a bit the form (you select categorie of request, etc, up until there is a dropdown with you old bougt items (that one need a querry to database to get). When this is done, mysql datas are present in hidden field. (The cut and paste i did was done from a live session yesterday)

    @aikii said:

     Their site does not look so bad, so I wonder if it's a WTFed workaround for a third-party tool. Or their portal was developed by  "professional" programmers ( or bought as is ), and then this tool was made by someone a bit more inclined to WTFs. For whatever reason ( not reasonable enough, anyway ), they could not share information and used that obnoxious field ...

    Looking at data leaked, username of database and so on, i bet it's a wtf specific to their 'Web Call' interface that is separate from merchant site. However, there is no encryption.

    {} -> define an object structure

    s:xx:"...." define a string with length x

    b:0  byte at value 0

    and so on

    I saw nothing that looks like encryption, just unnamed variables . It's probably some serialization of datas inside user session which happened to also serialize the sql connection.



  • It's just stock PHP serialization.



  • @TehFreek said:

    It's just stock PHP serialization.

    If stock PHP serialization reveals all the information about your DB backend, PHP needs to die in a fire. 



  • PHP's serialization just changes an object (in this case, it looks to be an array, didn't unserialize it) into a string, so it can be passed (usually) through a cookie, but in this case, it's the actual web page.  Serialize does not do that by default, it's definetely a HUGE WTF on the site's behalf.



  • That's the best sidebar WTF in a long time. Bravo on finding that one!

    I now challenge you to attempt to find the public IP of that host (it might be the same as the web server.. who knows) and get in. 😉



  • @RevEng said:

    Now all he needs to include is his home address, the time of day that he works, and where he hides his spare key.

    Need you ask?  His spare key is either under the welcome mat or under the potted plant closest to the door.
     



  • That is not a php session, sessions in php is smarter then that.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.