Every vendor that publishes software invariably runs into the situation where their product has a vulnerability. Most web sites have a few low-risk issues, especially minor information disclosures. Some companies consider this acceptable risk, others are oblivious. When a security company offers penetration testing services, they will almost certainly deliver a vulnerability report to a client outlining these types of vulnerabilities. Because it is in their interest to show they did a good job, they frequently go overboard in describing the risks associated with a vulnerability. Other times they may come up with a technically valid, but highly improbable attack scenario to drive the point home.
One thing that frustrates security companies is dealing with clients who won't take the time to implement trivial configuration changes to close a vulnerability. This type of mitigation technique can be widely tested, pose no risk to the stability of the client's system, and they still don't do it.
But... what happens when it's a security company that won't do that? A security company who offers penetration testing should find vulnerabilities on their own site, before the 'bad guys' do. Worse, what if the security company claims to do web application testing and misses the most simple of input validation vulnerabilities on their own web site? Not a good sign for potential customers.
The following vulnerabilities, annoyances and oddities were submitted by over a dozen people. Perhaps LIGATT should look at investing in a proper penetration test since this likely represents the tip of the iceberg.
| Cross-site Scripting | From Wikipedia: "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables
malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same
origin policy." Since the original curiosity, there have been many additional XSS vulnerabilities found in every site LIGATT runs. While
this attack may seem trivial, such a vulnerability is enough to make a company fail PCI DSS Compliance.
Since LIGATT has several places for
customers to
login, an XSS attack is especially dangerous
as it can be used to steal authentication credentials from unsuspecting users. Update:As of Aug 31, 2010, several months after being disclosed, the site is still vulnerable to this. Dec 22, 2010, another XSS is reported. |
 |
| Directory Indexing | From The Web Application Security Consortium: "When a web server reveals a directory's contents, the listing could contain information not intended for public viewing." This vulnerability can be remediated by changing a directive in the web server configuration file. |  |
| Open Directory Information Disclosure | The result of having directory indexing enabled, this can show an attacker not only the technical details of a web server (e.g., Apache/2.2.9 (Fedora)), but show what software and version is installed (e.g., TubePress Pro 2.0.0 for WordPress). This information can be further used to research potential vulnerabilities in the site. Heavily reliance on the WordPress software and third-party plugins, both well known for their extensive history of vulnerabilities, is evident when viewing the source of some pages. |  |
| HTTP Header Information Disclosure Cookie Insecurity |
When making an HTTP request, the server returns two headers that disclose the vendor and version of
not only the web server, but also shows the presence of PHP 5.2.6. The current version of PHP for that
tree is 5.2.13, making this web server
potentially vulnerable to dozens of vulnerabilities. The Session ID cookie is not set with the 'secure' flag, not marked 'HTTPonly' and not set over encrypted channels. These are three ways to help protect the integrity of the session and protect the cookie information. If the cookie was intercepted, it may allow an attacker to gain access to a user's session. |
 |
| Old / Test Content Present | Digging around finds a web store created on their site, seemingly abandoned in favor of the current store. Too bad you can't order the "pimp shady" merchandise for $0.00, described beautifully in Lorem Ipsum. The presence of such content indicates the web server is likely not monitored as well as it should be. |  |
| Broken Functionality | While perusing the 'Latest News', you may run across LIGATT rehashing something like Symantec's Riskiest Cities report. In some cases, the implementation used to borrow content from other sites results in a pile of technical gibberish. |  |
| Improper Permissions | Despite having PHP developers and security auditors on staff, LIGATT's site maintains a copy of the php.ini file in the root directory, viewable via the web server. While the configuration file has a single option, it helps attackers better understand the PHP configuration and which vulnerabilities may affect the site. Further, should the config file be updated, these changes would be publicly viewable. |  |
| Phishing Page Hosting | This is a very curious page to find on a security company's site. A "First Manhattan Online Banking" password renewal page, exactly like the ones used in phishing attacks. One may argue that it is leftover from a penetration test, and if so, that means LIGATT is disclosing a client they worked for. If you doubt they worked for this bank, then it really leaves serious questions as to what LIGATT is doing with this page. If they didn't put it there, who did, and when was LIGATT compromised? The broken images are amusing, but this page is a bit more believable than a second page found, likely for the same use, that only resulted in path disclosure. It should be noted that a 'First Manhattan Bank' doesn't appear to exist, the closest obvious match being First National Bank of Manhattan. This page has since been reported to PhishTank and has been verified as a phishing site. |  |
| Outdated / Vulnerable Software | The WebMail program running on their site is SquirrelMail version 1.4.17-1.fc8, released around December, 2008. This version is known to contain several vulnerabilities. |  |
| Path Disclosure | At random times, LIGATT's "solutions" don't seem to be available, instead, offering up the physical path of the web page instead. |  |
| Cross-site Scripting | As with LIGATT's primary web site, their untraceableemail.net domain has several XSS vulnerabilities present. |  |
| Path Disclosure | Clicking on 'BoobyTrap' from their Solutions Page yields a 404, dropping the "-by-ligatt" from the URL works, and redirects you to the untraceableemail.net domain. Attempting to sign-up for an account results in an error at the top with a nice path disclosure and broken image. |  |
| SQL Injection (?) Path Disclosure |
When visiting the 'Register Sub Account' page (/ezpay/subAccntForm.php), an error message is generated due to improper use of the mysql_fetch_assoc() function. It is not clear if this is indication of potential SQL Injection, but the resulting error message contains a full system path. |  |
| Authentication Bypass | This site has a login page for the Project Management section. Typing in valid pages in this directory allow you to bypass authentication and load the page. This can also be done by going directly to the /tools/ directory, or /ezpay/subAccntForm.php to add a user without logging in. |  |
| Test Content Present | As seen in the screenshot above and the one to the right, test content is present on this system. In this case, it reveals e-mail addresses for 12 employees in four divisions. |  |
| Cross User Information Disclosure |
After bypassing the login screen and adding a user account via /ezpay/subAccntForm.php, the resulting screen appears to disclose information associated with the first user registered. |  |
| Path Disclosure Availability Issues |
At times, LIGATT's spoofem.net seems to have issues and only offers up an error message that includes the full system path. |  |
| Insecure Configuration | After installing PHPLive!, the LIGATT administrator did not follow the installation directions. As a result, sensitive administrator pages are now accessable to the world without authentication. |  |
| Cleartext Credential Disclosure |
As part of the PHPLive! setup, the profile page shows the current information for the administrator. This includes login name, cleartext password, email address and more. While we have obscured Gregory Evans' password, we will note that by most standards, it is considered a very weak password. |  |
| Improper Permissions | Despite having PHP developers and security auditors on staff, LIGATT's site maintains a copy of the php.ini file in the root directory, viewable via the web server. Unlike their corporate site, this has extensive configuration details that could help attackers in crafting PHP based attacks. |  |
| Test Content Pornography (?) |
A mix of test content on a live system, and whatever "Boobycam" may be. SPOOFEM.com really pushes the link between spoofed calling and celebrity entertainment. For example, the "WHO'S MY DADDY" blog entry and associated tag cloud suggest search engine poisoning to get more hits to the site. |  |
| Customer Credential Disclosure | By visiting one of the pages in the 'Flex' setup, it returns XML containing a username, password, email address and history details of a SPOOFEM customer. |  |
| Directory Indexing | From The Web Application Security Consortium: "When a web server reveals a directory's contents, the listing could contain information not intended for public viewing." This vulnerability can be remediated by changing a directive in the web server configuration file. |  |
| Login Error Information Disclosure |
Using blank credentials for their ticketing system results in an error message with internal IP disclosure, account name and system path. |  |
| Outdated / Vulnerable Software | The WebMail program running on their site is SquirrelMail version 1.4.17-1.fc8, released around December, 2008. This version is known to contain several vulnerabilities. |  |
| Cleartext CC Transmission | When entering your personal and credit card information, SPOOFEM will transmit that information back to LIGATT in the clear. That would allow anyone able to sniff traffic between you and their site to intercept the information. This would certainly fail them on any attempt at PCI compliance. |  |
Several people have sent in additional information regarding this post. The information below was submitted to Errata by Infosecmafia and anonymous.:
IP address of their "Am I hacker proof service:" 97.74.195.39. Conveniently takes you back to their main website which is hosted at GoDaddy. Probing a bit, we find:
Interesting ports on 97.74.195.39: Not shown: 1704 filtered ports PORT STATE SERVICE 20/tcp closed ftp-data 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 53/tcp open domain 80/tcp open http 110/tcp open pop3 443/tcp open https 993/tcp open imaps 995/tcp open pop3s 9999/tcp open abyss
A DNS zone transfer is available:
; <<>> DiG 9.5.1-P3 <<>> AXFR ligattsecurity.com @97.74.195.39 ;; global options: printcmd ligattsecurity.com. 3600 IN SOA ns1.ligattsecurity.com. hostmaster.ligattsecurity.com. 2009062401 3600 3600 1209600 3600 ligattsecurity.com. 3600 IN A 10.0.0.2 ligattsecurity.com. 3600 IN NS ns1.ligattsecurity.com. ligattsecurity.com. 3600 IN NS ns2.ligattsecurity.com. ligattsecurity.com. 3600 IN MX 10 mail.ligattsecurity.com. ftp.ligattsecurity.com. 3600 IN A 10.0.0.2 mail.ligattsecurity.com. 3600 IN A 10.0.0.2 ns1.ligattsecurity.com. 3600 IN A 10.0.0.2 ns2.ligattsecurity.com. 3600 IN A 10.0.0.2 ssh.ligattsecurity.com. 3600 IN A 10.0.0.2 www.ligattsecurity.com. 3600 IN A 10.0.0.2 ligattsecurity.com. 3600 IN SOA ns1.ligattsecurity.com. hostmaster.ligattsecurity.com. 2009062401 3600 3600 1209600 3600
There is a known vulnerability on their FTP service (vsFTPd 2.0.5). Their SSH and SSL packages (OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007) has potential vulnerabilities. And then their web management application with single factor open on TCP 9999.
Managing the domains of LIGATT apparently is not as easy as one would think, as evident by one of their domains lapsing.
On or around June 26, LIGATT's nationalcybersecurity.com site began redirecting all traffic to getaforexrobot.com:
GET / HTTP/1.1 Host: www.nationalcybersecurity.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.10) Gecko/20100504 Firefox/3.5.10 (.NET CLR 3.5.30729) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive HTTP/1.1 301 Moved Permanently Date: Mon, 28 Jun 2010 01:47:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://getaforexrobot.com Cache-Control: private Content-Length: 0
2010-08-09 Update: The Test Manager posted a write-up of an authentication bypass issue that allows anyone to use the LocatePC service for free.
