
WeChall Critical Information Disclosure

I am sad to announce I fixed a very bad information disclosure vulnerability on wechall yesterday.

It was possible to enumerate the users' emails via the wechall userstats api.

You could simply run to get his email.

This was reported by dloser and got fixed a few minutes after the report.

It is hard to tell if somebody collected all user emails this way.
But there is a way:
I always wanted to make a function in Module_Log to grep the zip logfile bundles.
Maybe someone would like to write code for gwf3 to analyze logzips? (grep them?)
I won't find time any soon to implement it.
I can provide sample logfiles from my localhost dev machine.

Happy Challenging!

PS: Consider your emails to register here stolen and raped! Sad (j/k)

PPS: Does someone use a unique email here? Do you get any spam?
The geeks shall inherit the properties and methods of object earth.
Last edited by gizmore - Oct 31, 2013 - 23:01:41
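The log analysis gizmore asks for, as an added example that is not gwf3's Module_Log code: it parses access-log lines (or every member of a zipped log bundle), counts how many distinct users each client pulled through the userstats endpoint, and flags clients above a threshold. The combined log format, the /userstats/<name> path and the sample lines are all constructed assumptions; the thread does not give the real URL.

```python
# Added example, not gwf3's Module_Log code. The combined log format and the
# /userstats/<name> path are assumptions; the thread does not give the URL.
import re
import zipfile
from collections import defaultdict

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
USERSTATS_RE = re.compile(r'/userstats/(?P<user>[^/?\s]+)')

def parse_line(line):
    """Return (ip, user) for a successful userstats request, else None."""
    m = LINE_RE.match(line)
    if not m or m.group('status') != '200':
        return None
    u = USERSTATS_RE.search(m.group('path'))
    return (m.group('ip'), u.group('user')) if u else None

def users_per_ip(lines):
    """Map each client IP to the set of distinct users it looked up."""
    seen = defaultdict(set)
    for line in lines:
        hit = parse_line(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return seen

def flag_enumerators(lines, threshold=3):
    """Clients that pulled stats for more than `threshold` distinct users."""
    return {ip: sorted(users) for ip, users in users_per_ip(lines).items()
            if len(users) > threshold}

def lines_from_zip(path):
    """Yield log lines from every member of a zipped log bundle."""
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            with z.open(name) as f:
                for raw in f:
                    yield raw.decode('utf-8', 'replace').rstrip('\n')

# Constructed sample: one scripted client walking users, one normal visitor.
SAMPLE = [
    '198.51.100.7 - - [31/Oct/2013:22:01:01 +0100] "GET /userstats/alice HTTP/1.1" 200 512 "-" "curl/7.26"',
    '198.51.100.7 - - [31/Oct/2013:22:01:02 +0100] "GET /userstats/bob HTTP/1.1" 200 498 "-" "curl/7.26"',
    '198.51.100.7 - - [31/Oct/2013:22:01:03 +0100] "GET /userstats/carol HTTP/1.1" 200 503 "-" "curl/7.26"',
    '198.51.100.7 - - [31/Oct/2013:22:01:04 +0100] "GET /userstats/dave HTTP/1.1" 200 510 "-" "curl/7.26"',
    '198.51.100.7 - - [31/Oct/2013:22:01:05 +0100] "GET /userstats/nobody HTTP/1.1" 404 120 "-" "curl/7.26"',
    '203.0.113.9 - - [31/Oct/2013:22:05:00 +0100] "GET /userstats/alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [31/Oct/2013:22:05:30 +0100] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

Run `flag_enumerators(lines_from_zip('bundle.zip'))` against a real bundle; the threshold is deliberately low here because a legitimate visitor rarely walks many profiles in one session.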
RE: WeChall Critical Information Disclosure
So that's the reason why I'm getting a lot more v14gr4 ads these days Sad
RE: WeChall Critical Information Disclosure
quangntenemy, if the email you use here is not unique, I doubt this issue is the cause.

It would be great if a user with a unique mail / special wechall mail could report something happened / did probably not happen.

Some people use a different mail for each site they register, like wechall@mycatch.all - It's a fun trick to see which sites are rooted / owned / evil.
The geeks shall inherit the properties and methods of object earth.
RE: WeChall Critical Information Disclosure
I use a mostly unique email address on Wechall (I say "mostly" because I use it on a few of the challenge sites as well), and haven't gotten any spam on that address.

On the other hand I have only been registered here since Aug 2013.