One of our important clients asked us to carry out penetration tests on a web application that was already being used in a production environment and therefore accessible from the Internet. Moreover, the application had not been developed by the client but by an external supplier. Great emphasis was placed on carrying out the tests in the shortest possible time as well as not jeopardizing the availability or integrity of the data - due to the external supplier, there was an increased risk in a possible delay when recovering the application / data.
During the penetration tests, we discovered a number of very serious vulnerabilities. An authenticated ordinary user could get round the authorization scheme and escalate their privileges within the application to the administrator level; in other words, an ordinary user was able to completely take control of the entire application and freely administer it, make modifications, or attack other app users. The described vulnerability was not the most serious one to occur in the application. The functionality for uploading images allowed, in a quite simple way, us to bypass the set restrictions and upload virtually any file, e.g. a php file (the scripting language in which the application is implemented) and use it to run system commands on the given application server. What’s more, this uploaded file was also freely available to an unauthenticated user (i.e. completely public). Using the manner described, we were able to fully compromise the application server.
Another very critical vulnerability was found in an unauthenticated part of the application, again freely available from the Internet. The search field did not investigate user inputs adequately, which made it possible to call queries directly in the database, i.e. to gain unauthorized access to all data, but also to completely compromise the database server.
The vulnerabilities described posed a huge threat to the company's reputation, including the possible financial impact during further misuse of client data. In addition, due to the fact that the application is publicly available, these attacks could have been carried out (most of them) by virtually any visitor to the web application.