[Complaint/Warning] ME uses an insecure version of Django

After doing some penetration testing on Middle Earth market I have discovered their stack is Ubuntu + Nginx + MySQL + Python (Django framework specifically). I have determined the exact Django version and located some exploits that work on their system, and I have obtained their IP address.

I tried to message them about this, so maybe posting here will make the Middle Earth administrators get in touch for details, so we can try to fix this before others exploit it.


Comments


[21 Points] d4nk1st:

inb4 OP gets his reddit subpoena'd for posting this so LE can try to make ME the next news story


[15 Points] Jay-__:

I really love to see more and more people testing the DNMs.

And... the forum-thingy actually is quite hilarious.


[14 Points] haxforcrack:

Site maintenance: "A wizard is never late. Nor is he early. He arrives precisely when he means to."

Guess that means they are responding soon.


[12 Points] haxforcrack:

Try to go to the forums, if you put `<p>&#foo;</p>` on a page it will cause the HTML stripper to go into an infinite loop and make the page unavailable :)

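The failure haxforcrack describes is the classic hand-rolled sanitizer bug: a loop that does not advance its cursor when it meets an entity it cannot parse. Below is an added example (not the market's code, whose stripper is unknown) of a single-pass stripper written so that every branch strictly advances, so a malformed reference such as `&#foo;` is passed through as literal text instead of stalling the loop.

```python
import html
import re

# Only well-formed references are decoded: numeric (&#65; / &#x41;) or named (&amp;).
# Anything else starting with '&' is treated as ordinary text.
_CHARREF = re.compile(r'&#(?:x[0-9a-fA-F]{1,6}|[0-9]{1,7});?|&[A-Za-z][A-Za-z0-9]{1,31};?')


def strip_html(text: str) -> str:
    """Remove tags and decode character references in one bounded pass.

    Termination argument: on every iteration the cursor `i` moves forward by at
    least one position (or the loop exits), so runtime is O(len(text)) for any
    input, including malformed references like "&#foo;".
    """
    out = []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '<':
            end = text.find('>', i + 1)
            if end == -1:
                # Unterminated tag: drop the remainder rather than re-scanning it.
                break
            i = end + 1                      # skip the whole tag
        elif c == '&':
            m = _CHARREF.match(text, i)
            if m:
                out.append(html.unescape(m.group(0)))
                i = m.end()                  # consume the whole reference
            else:
                # Malformed reference (e.g. "&#foo;"): keep the '&' literally
                # and step past it, which is what prevents the infinite loop.
                out.append('&')
                i += 1
        else:
            out.append(c)
            i += 1
    return ''.join(out)


if __name__ == '__main__':
    # Constructed inputs: the trigger from the thread plus normal markup.
    for sample in ('<p>&#foo;</p>', '<b>a &amp; b</b>', '&#65;&#x42;', '<a href="x">t'):
        print(repr(sample), '->', repr(strip_html(sample)))
```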

[7 Points] ShulginsCat:

This is very serious... Can you confirm that this IP is not just a Tor exit node or something like that? Because if what you're saying is true, ME can be considered compromised and not to be trusted until they relocate.


[8 Points] None:

I remember when ME first came out and they required JavaScript to function. I was pentesting their withdrawal function along with some automated testing, and I guess they noticed because they took my BTC and dropped my user account. This doesn't surprise me at all. Good job though, you're making the markets a safer place for us all.


[5 Points] lrpaterson:

<sarcasm>The onion link seems down, does anyone have the clearnet IP so I can go buy drugs?</sarcasm>


[6 Points] immortaIis:

Ubuntu? Jesus.


[6 Points] sapiophile:

This is a fuckup on multiple levels. Using an unpatched backend for a market site is, obviously, a ridiculously stupid move. But on top of that, that server shouldn't even be able to know its own IP address. It should be transparently Torified through a separate physical server (ideally), or at least through a separate VM. This ensures that the only IP address the server EVER knows is 192.168.1.2 (or similar) - e.g., nonsense.

Honestly, I've always liked the impression I've gotten from the ME staff, but this really just reeks of incompetence. If you're running a fucking DNM, you need absolutely first rate penetration resistance. All of this demonstrates that they're not even running, shit, I dunno, fifth rate bullcrap. Very disappointing - I would strongly advise folks to avoid ME entirely, permanently.


[4 Points] lrpaterson:

What version of Django are they using?


[6 Points] Lucid_Enemy:

I had to buy more popcorn seasoning for this. let the drama begin


[3 Points] rudetopigs:

Well good, hold onto that information in case they ever try and pull an evo.


[1 Points] None:

colour me shocked!

The guys who claim that it is OK to use JavaScript for a darknet market, got very angry when I pointed it out, and lied about gwern (or whoever was the expert of the month back then) having done an audit, have a shitty, insecure site...


[1 Points] Kazaa99:

What exploit did you use to allegedly get the ip address?

Many of the other bugs/exploits written can easily be found in a script kiddie guide.


[1 Points] someoneknowsmynose:

Can't imagine anyone would set up his DNM server on Ubuntu, nor avoid updates for over a year. For me, it reads like "the admins run fake stores on their site and scammed me!1!!". Don't get me wrong, /u/haxforcrack, if this is legit it is indeed great information, but as I simply cannot imagine such severe OPSEC fuckups, I'm expecting you to be a random troll. ME is back online, btw.


[1 Points] someoneknowsmynose:

This is complete bullshit! The Hobbit himself discovered and reported the security flaws that led to the great TOR attack ~1 month ago. No way would any hacker of such impact ever touch Ubuntu, which is the most unstable, insecure, shitbloat Linux distribution that ever existed.


[1 Points] mephestus:

It's not penetration testing if you aren't doing it by their accord. It's called hacking.


[-2 Points] zodowntown:

hahaha, "I have determined the exact Django version and located some exploits that work on their system", you fucking lamer

Find RCE or something impressive; a DoS or CSRF or XSS is some lame shit to be acting all hardcore about, and trying public Django crap and claiming you have located exploits that work for it... I'm dying. Anyways, this'll prob get downvoted because I doubt there's anyone with skill on this sub.


[-13 Points] honestlyimeanreally:

You shouldn't have posted this IMO - only going to lead to other people doxxing the server.

Delete this and contact admins.