Penetration Test for a Travel Booking Company

.git Directory Access

The .git directory is publicly accessible via https://www.thestagandhenexperience.com/.git/. In addition, directory listings are enabled by the server so the entire Git repository can be spidered and downloaded. From this, the entire site source code and history can be recovered.

This vulnerability allows the following information disclosure: –

• BitBucket repository URL, although this is private so cannot be accessed: bitbucket.org/saladcreative/stag-hen.git
• Contributors: –
  • Adam Morland <adam@saladcreative.com>
  • Brandon Jones <brandon@saladcreative.com>
  • James Hill <jhill@saladcreative.com>
  • Thomas Lenihan-Clarke <tlcsalad@gmail.com>
  • Tim White <tim@saladcreative.com>
• MySQL database credentials for the following environments: –
  • “dev”: DB: “staghen”, user: “root”, password: redacted
  • “staging”: DB: “staghenstaging”, user: “staghenstaging”, password: redacted
  • “live”: DB: “staghen”, user: “shuser”, password: redacted
  • The MySQL server is not publicly accessible which means that these credentials cannot be used directly. However if some other vulnerability allowed access to this server then they could be used which would expose all data stored within the site database.
• SagePay “$encryptPassword” value for “TEST” and “LIVE”: redacted
  • This could potentially allow access to the related SagePay account, although perhaps only for submitting payments.
• SMTP credentials for admin@thestagandhenexperience.co.uk at mail.thestagandhenexperience.co.uk: redacted
  • This allows sending of messages from this mailbox. Also, potentially the credentials could be used to access the incoming mail server for the domain allowing e-mail for this mailbox to be read and modified.
• Session cookie encryption key: redacted
  • This allows all user session cookies to be decrypted, potentially exposing sensitive information. This has not been done as part of the initial analysis.
• MailChimp API key: redacted
  • This would allow access to the MailChimp API, e.g. for sending mail

Directory Listings Enabled

The web server seems to allow directory listings by default. If there is a default page (e.g. index.php or index.html) in a directory then this will prevent a listing, but if not the contents are visible. For example, see https://www.thestagandhenexperience.com/uploads/. This vulnerability also allows the spidering of the .git directory (detailed above) to be performed much more easily.

Admin Interface Access

An admin interface has been found at https://www.thestagandhenexperience.com/admin/auth/login. No attempt has yet been made to gain access to this system so no information about potential vulnerabilities has been included, but the presence of such a system gives potential attackers a good place to start.

The admin URL is also specifically excluded in the robots.txt file using a disallow directive. Disallow directives are used to ask web crawlers not to access certain pages on your site. However, the robots file is also accessible to malicious actors who are unlikely to honour this request. In practice, this is the equivalent of handing out a note to all site visitors asking them not to access the following list of private or vulnerable locations. Given that the robots file is merely a request and does not actually prevent users from accessing these locations, this action is incredibly counterintuitive and will hinder rather than help your site security. Sensitive pages should be prevented from indexing by using the noindex header on the relevant pages instead.

Absolute Web Root Server Path Discoverable

Using the SLIR image resizer at https://www.thestagandhenexperience.com/uploads/slir/, the absolute site web root path can be found: /var/www/html/thestagandhenexperiance.com/public_html/. Knowledge of this path gives potential attackers extra information which could be exploited using other vulnerabilities.

OpenSSH Version Contains Minor Vulnerabilities

Ref: https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/version_id-188833/Openbsd-Openssh-6.7.html

The version of OpenSSH used on the server is vulnerable to a number of minor attacks. Most importantly, this could allow an attacker to list users on the server, making the process of brute-forcing login credentials much easier. See below for an additional vulnerability which is impacted by this.

SSH Password Authentication

The OpenSSH server running on TCP port 22 on the server allows users to authenticate using passwords. While this is not a vulnerability in itself, it gives potential attackers the opportunity to run brute-force attacks against the server. If the server uses common usernames (such as “root”) and weak passwords, an attacker could easily gain access. No attempt has been made to brute-force SSH credentials during this initial test, so it is unknown if the passwords used are actually weak. Ideally an SSH server would be configured to use public key authentication only, though this might be inconvenient for site administrators so is often not done. This has therefore been listed as low priority as there could be legitimate reasons to use password authentication and the passwords in use could be strong. As mentioned above, however, the OpenSSH server is vulnerable to a username enumeration attack. If successful, this would help an attacker to brute-force login credentials.