Wednesday, July 24, 2019

Disclosing any main and 3rd-party contributor's email address and movie local path through an XML file in Plex TV - plex.tv (Write Up)



Good day! In this article I will show you how I found a simple issue on chapterdb.plex.tv (Plex TV) that allowed me to obtain the email addresses of contributors and 3rd-party contributors, together with the local paths of the movies they contributed, through a feature that lets any user download the XML file from a contributor's profile.

So I had been having a good time hunting on this program for the last few weeks and found several issues, mostly business logic issues, that earned me a couple of bucks.

So, long story short, here are my report timeline and proof of concept for this issue.


--Proof of Concept--

1. Go to http://chapterdb.plex.tv
2. Go to http://chapterdb.plex.tv/contributors
3. Select any contributor from the page. In my demo I will use this one (http://chapterdb.plex.tv/browse?createdBy=<REDACTED>)
4. Select any movie from dongafford's page. In my demo I will use this one (http://chapterdb.plex.tv/browse/<REDACTED>)
5. In the upper right corner you will see a Download button; hover your mouse cursor over the button and click XML (I prefer the XML download so that you can easily check the data)
6. Download the XML file
7. Open the XML file and see the result


Result (Demo PoC):

<?xml version="1.0"?>
<chapterInfo xml:lang="eng" xmlns="http://jvance.com/2008/ChapterGrabber" confirmations="11" client="ChapterGrabber 4.4" extractor="ChapterGrabber 4.4" version="2">
  <title>Tommy Boy</title>
  <ref>
    <chapterSetId><REDACTED></chapterSetId>
  </ref>
  <source>
    <name>D:\BDMV\PLAYLIST\00001.mpls</name>   <---- PATH LEAKAGE
    <type>Blu-Ray</type>
    <hash>a50136227ca54eed0b46fff609511448</hash>
    <fps>23.976023976023978</fps>
    <duration>01:37:03.8180000</duration>
  </source>
  <chapters>
    <chapter name="School Daze" time="00:00:00"/>
    <chapter name="Sandusky, Ohio" time="00:05:28.7450666"/>
    <chapter name="A Perfect 10" time="00:13:02.5317333"/>
    <chapter name="Cow Tipping" time="00:15:25.8415777"/>
    <chapter name="Wonder Boy" time="00:18:21.8507333"/>
    <chapter name="The Luckiest Man in the World" time="00:21:12.5629555"/>
    <chapter name="Playing with Your Dinghy" time="00:27:35.4037333"/>
    <chapter name="The Future of Callahan" time="00:30:30.2867777"/>
    <chapter name="On the Road" time="00:33:04.4407777"/>
    <chapter name="Whadya Do?" time="00:36:42.6170666"/>
    <chapter name="Bad Mommy" time="00:39:11.1404444"/>
    <chapter name="Road Kill" time="00:41:26.6091111"/>
    <chapter name="Fat Guy in a Little Coat" time="00:46:19.1930666"/>
    <chapter name="Oh, Baby" time="00:49:16.4952000"/>
    <chapter name="A Pretty New Pet" time="00:52:27.7279111"/>
    <chapter name="Guarantee" time="00:55:45.3836888"/>
    <chapter name="Spanky" time="00:59:10.9640666"/>
    <chapter name="On the Road to Success" time="01:02:14.6475777"/>
    <chapter name="Heading Home" time="01:06:30.6950222"/>
    <chapter name="Killer Bees" time="01:10:25.4712444"/>
    <chapter name="Fly Boys" time="01:12:45.9866222"/>
    <chapter name="Zalinsky Auto Parts" time="01:17:36.6102888"/>
    <chapter name="I've Got a Plan" time="01:23:54.1541111"/>
    <chapter name="The New President" time="01:30:16.9114888"/>
  </chapters>
  <createdBy>d[REDACTED][email protected]</createdBy>   <--- Contributor's Email Address
  <createdDate>2011-01-29T11:09:50.35-05:00</createdDate>
  <updatedBy>a[REDACTED][email protected]</updatedBy>   <--- 3rd Party Contributor's Email Address
  <updatedDate>2017-12-05T01:11:36.2260171-07:00</updatedDate>
</chapterInfo>
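As an added example (not code from chapterdb.plex.tv, Plex, or ChapterGrabber), here is a small Python audit that parses a ChapterGrabber-style export, reports the fields shown leaking above, and produces a copy with the emails and the local path stripped before it is handed to anonymous downloaders. The sample XML, the placeholder addresses and the function names are my own constructions.

```python
# Added example, not the site's code: audit a ChapterGrabber XML export for the
# two leak types in the write-up (contributor emails, contributor's local path)
# and produce a sanitized copy that keeps the chapter data intact.
import re
import xml.etree.ElementTree as ET

NS = "http://jvance.com/2008/ChapterGrabber"
EMAIL_RE = re.compile(r"[^@\s<>]+@[^@\s<>]+\.[A-Za-z]{2,}")
# Windows drive paths ("D:\BDMV\...") and POSIX absolute paths ("/media/...").
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|/).+")

# Constructed sample with placeholder identities, shaped like the export above.
SAMPLE_XML = """<?xml version="1.0"?>
<chapterInfo xmlns="http://jvance.com/2008/ChapterGrabber" version="2">
  <title>Example Movie</title>
  <source><name>D:\\BDMV\\PLAYLIST\\00001.mpls</name><type>Blu-Ray</type></source>
  <chapters><chapter name="Intro" time="00:00:00"/></chapters>
  <createdBy>contributor@example.invalid</createdBy>
  <updatedBy>editor@example.invalid</updatedBy>
</chapterInfo>"""


def find_leaks(xml_text):
    """Return {field: value} for every element exposing an email or a local path."""
    root = ET.fromstring(xml_text)
    leaks = {}
    for tag in ("createdBy", "updatedBy"):
        el = root.find(f"{{{NS}}}{tag}")
        if el is not None and el.text and EMAIL_RE.search(el.text):
            leaks[tag] = el.text
    name = root.find(f"{{{NS}}}source/{{{NS}}}name")
    if name is not None and name.text and PATH_RE.match(name.text):
        leaks["source/name"] = name.text
    return leaks


def sanitize(xml_text):
    """Replace emails with a placeholder and reduce the source name to its basename,
    so the export still identifies the disc file without the contributor's drive layout."""
    ET.register_namespace("", NS)  # keep the default namespace instead of ns0:
    root = ET.fromstring(xml_text)
    for tag in ("createdBy", "updatedBy"):
        el = root.find(f"{{{NS}}}{tag}")
        if el is not None and el.text and EMAIL_RE.search(el.text):
            el.text = "redacted"  # a real service would map the email to a public handle
    name = root.find(f"{{{NS}}}source/{{{NS}}}name")
    if name is not None and name.text and PATH_RE.match(name.text):
        name.text = re.split(r"[\\/]", name.text)[-1]
    return ET.tostring(root, encoding="unicode")
```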


--Report Timeline--

Report Title: Vulnerability Issue (Business Logic Issue - Information Disclosure of Contributors in http://chapterdb.plex.tv)
Reported: Wed, Jul 3, 2019, 5:05 PM
First Response: Mon, Jul 8, 11:53 PM
Hi Evan,
We are still looking into this issue.
Regards,
The Plex Security Team
Fixed: Fri, Jul 12, 9:18 AM



Hello,
We believe the issue is fixed, but since we don't maintain the code for this project ourselves, we're reaching out to the original developer to make sure. It seems to be fixed on most, but not all movies.
Regards,
The Plex Security Team
Final Decision: Not qualified for a bounty since, as they said in their last email, they do not own the code for ChapterDB; they reached out to the owner, and reported that "He's not even actively maintaining the code anymore (which is why it's a read-only archive). As he is no longer involved or maintaining the project anymore."

Public Disclosure Request: Tue, Jul 23, 10:05 AM

Fixed

I hope you enjoyed this write-up. Have a great day!

“There are no shortcuts to any place worth going.” 
Beverly Sills

Sunday, July 21, 2019

Not a fancy bug, just HTML Injection in Clause - clause.io (Write Up)

Howdy!

It's been a long time since I last posted a write-up on this blog, so in this article I will show you a simple vulnerability that I found in Clause (clause.io) which allowed me to inject HTML and alter the email notifications sent when requesting a signature from other users/victims.

The vulnerability was in the First and Last Name inputs used when requesting a signature from a contact; the injected markup is rendered in both the attacker's and the victim's email notification once the request is made.

So, long story short, I reported the vulnerability directly through the bug bounty program they run, and here are the report timeline and proof of concept.

--Proof of Concept--

1. Go to https://clausestaging.com/contracts
2. Click Create New Contract 
3. Click the "Add Signatory" button
4. In the First and Last Name inputs, enter the payload

Payload I used in my test:

First Name: <font color="green">test green text</font><br /><img src="http://evanricafort.com/profile.png">

Last Name: <a href="http://example.com/">click here</a>

5. Input your email address
6. Add Signatory
7. Click "Request Signatures" in the upper right corner of the page
8. Click "Continue"
9. Check your email and see the result.
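An added Python example, not Clause's code, that shows the bug class above and its fix: the vulnerable renderer interpolates the signatory name straight into the HTML email body, the fixed one HTML-escapes it so the mail client shows the markup as literal text, and an input-time check rejects names that contain markup at all. The email template, the function names and the notion of a name check are my assumptions; the payloads are the ones from the steps above.

```python
# Added example (not Clause's code): a signature-request notification rendered
# unsafely versus safely, exercised with the payload from this write-up.
from html import escape

# Payloads from the proof of concept above, as typed into the name fields.
FIRST_NAME_PAYLOAD = ('<font color="green">test green text</font><br />'
                      '<img src="http://evanricafort.com/profile.png">')
LAST_NAME_PAYLOAD = '<a href="http://example.com/">click here</a>'

# Assumed notification template; the real one is not on the page.
TEMPLATE = "<p>{name} has requested your signature on the contract.</p>"


def render_unsafe(first, last):
    """Vulnerable: user-controlled text is dropped straight into the HTML body,
    so the recipient's mail client renders the attacker's tags."""
    return TEMPLATE.format(name=f"{first} {last}")


def render_safe(first, last):
    """Fixed: escape <, >, &, and quotes so the name is displayed, not parsed."""
    return TEMPLATE.format(name=escape(f"{first} {last}", quote=True))


def is_plausible_name(value):
    """Defense in depth at input time: a person's name never needs angle brackets,
    so reject the request before anything reaches the mail template."""
    return bool(value.strip()) and "<" not in value and ">" not in value


def contains_markup(html_body):
    """Check used by the test: did any injected element survive unescaped?"""
    return any(tag in html_body for tag in ("<font", "<img", "<a ", "<br"))
```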

Result:





--Timeline--



Report Title: Vulnerability Issue (HTML Injection in Email Notifications)
Reported: Apr 23, 2019, 5:41 AM
First Response: Tue, Apr 23, 3:35 PM
Hi Evan, 

Thank you for your vulnerability disclosure. 
We have confirmed that the issue that you describe is valid and the issue has been assigned to our engineering team for further investigation.
In order for this disclosure to qualify under the Clause Vulnerability Disclosure Program, please confirm that you agree to the terms at https://clause.io/security
We will respond to you within 7 days with an update on this issue.

Best regards,
Matt
Confirmation Response: Apr 23, 2019, 10:53 PM
Thank you very much for your confirmation, Evan. 
Yes, this issue is expected to result in a bounty. We have scored this vulnerability under CVSS as 5.4 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Once the engineering team have confirmed, I will provide guidance for claiming your bounty. 
Out of interest, where did you hear about our vulnerability program, please? 
Thanks,
Matt

Third Response:
Hi,
Our engineering team have completed their investigation of this issue and will release a fix in the next 48 hours. We have determined that this report is eligible for a $250 bounty. To claim your bounty can you please send a PayPal invoice to [email protected] through the link below
https://www.paypal.com/signin/?returnUri=%2Finvoice%2Fcreate
I will respond separately to confirm that the issue has been resolved. Congratulations on your award. I wish you good luck with your future research,
Matt
Disclosure Agreement: Wed, Jul 17, 11:18 PM
Hi Evan,  
Yes, we are happy for you to make a public disclosure, however, I kindly ask that you share a copy of your write-up with us 72 hours before you publish.
Best regards, 
Matt

I hope you enjoyed this write-up. Have a great day!


“Instead of worrying about what you cannot control, shift your energy to what you can create.” 
Roy T. Bennett, The Light in the Heart