Wednesday, November 2, 2011

CCBill Vulnerability Reward Program Sucks
I think this is called lies and mockery! How come, after months, this still works?

https://admin.ccbill.com/wap-public/wms/page.wap?p=StagingScreen&pId=XSS  

See: http://i.imgur.com/Gy4Lj.jpg and http://i.imgur.com/GNAD9.jpg

http://help.ccbill.com/robohelp/server?&area=general&mgr=agm&agt=wsm&wnd=CCBillGen2|Admin_Portal&tpc=XSS  

See: http://i.imgur.com/oAhCb.jpg  

https://affiliateadmin.ccbill.com/signup.cgi?CA=930585-0000&checkname=&company=&domain=XSS  

See: http://i.imgur.com/w1ZnT.jpg 

http://refer.ccbill.com
Apache is vulnerable to HTML/XSS injection through the "Expect" header. For the PoC I used Live HTTP Headers (a Mozilla Firefox add-on).
See: http://i.imgur.com/goGBa.jpg  


http://apps.ccbill.com
XSS via cookie input. To see the PoC you need to set cookieLetterSize to an XSS vector.

See: http://i.imgur.com/fqFID.jpg

And you still believe in "No More Free Bugs" initiatives? Fuck off, CCBill!!!
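An added check, not part of the original post, for the two header-borne reflections above (the "Expect" header and the cookieLetterSize cookie): it classifies whether a request-controlled value comes back in a response body raw, HTML-escaped, or not at all, and shows the escaped rendering a server should emit instead. The response bodies, the probe string and the function names are constructed assumptions, not captures from CCBill.

```python
import html

# Constructed for this example: a harmless marker that only matters if it is
# emitted into HTML unescaped. It stands in for any XSS vector.
PROBE = "<i>reflect-check</i>"

# Constructed sample bodies (not captured from CCBill): an error page that
# echoes the Expect header raw, and a page that echoes the cookie raw.
VULN_417_BODY = (
    "<html><body><h1>Expectation Failed</h1><p>The expectation given in the "
    f"Expect request-header field could not be met: {PROBE}</p></body></html>"
)
VULN_COOKIE_BODY = f"<html><body><p>Letter size: {PROBE}</p></body></html>"


def classify_reflection(sent_value: str, body: str) -> str:
    """Return 'unescaped', 'escaped' or 'not-reflected' for sent_value in body."""
    if sent_value in body:
        return "unescaped"      # the browser would parse the marker as markup
    if html.escape(sent_value, quote=True) in body:
        return "escaped"        # the marker is rendered as literal text
    return "not-reflected"


def render_expect_error(expect_value: str) -> str:
    """Hardened rendering: HTML-escape the header value before embedding it."""
    safe = html.escape(expect_value, quote=True)
    return (
        "<html><body><h1>Expectation Failed</h1><p>The expectation given in the "
        f"Expect request-header field could not be met: {safe}</p></body></html>"
    )


def render_cookie_page(cookie_value: str) -> str:
    """Hardened rendering of the cookie-driven page."""
    safe = html.escape(cookie_value, quote=True)
    return f"<html><body><p>Letter size: {safe}</p></body></html>"


def audit() -> dict:
    """Classify each constructed response; a real run would use captured bodies."""
    return {
        "expect-header (vulnerable)": classify_reflection(PROBE, VULN_417_BODY),
        "expect-header (hardened)": classify_reflection(PROBE, render_expect_error(PROBE)),
        "cookieLetterSize (vulnerable)": classify_reflection(PROBE, VULN_COOKIE_BODY),
        "cookieLetterSize (hardened)": classify_reflection(PROBE, render_cookie_page(PROBE)),
    }


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```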

4 comments:

albino said...

I dealt with the ccbill vulnerability reward program myself, and my impression is that they acted with integrity but simply made the mistake of not properly securing their sites before starting. As a result, they received loads of duplicate reports (because there was loads of low-hanging fruit) and naturally it took them ages to patch them all. Hence them suspending the reward program very quickly.

I submitted ~6 vulnerabilities (all trivial) and 4 of those were marked as duplicates, so I got paid for 2.

albino said...

I think the root cause of this is that the CCBill site was not very secure when the reward program was opened. This meant that there was lots of low hanging fruit csrf/xss in every input. This meant that lots of people reported the same flaws; and lots of duplicate reports means angry people. This is why they suspended the reward program really quickly. Of the 6 vulnerabilities I submitted, 4 were declared duplicate, which is perfectly plausible. A scanner could have found those vulns. If CCBill weren't trustworthy they could have easily claimed all 6 were duplicates but they didn't.

When the program reopens I'm definitely going to take part, and hopefully it will be harder this time.

Ariko-Security said...

They are cheaters. We've reported 2 SQLi injections; they said they were already reported. It's not TRUE! If it was true, they DID fix it in 1 day! The vulnerability was CRITICAL, and they fixed it 1 day after I sent them the info! Cheaters; they want free security reports, THAT's ALL.

Ariko-Security said...

They are cheaters, and want free security audits. Everything is reported as submitted; we have sent 2 SQLi, no reward, all "submitted", but after 1 day the vulnerability was fixed (2 years old).